From 930f51811cd36a695c07f0b8414b118ce28dda04 Mon Sep 17 00:00:00 2001
From: David Kalnischkies
Date: Mon, 4 Jan 2010 13:54:57 +0100
Subject: finally merge the rest of the patchset from Arnaud Ebalard with the CRL and Issuers options for https, thanks! (Closes: #485963)
---
 methods/https.cc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
(limited to 'methods')
diff --git a/methods/https.cc b/methods/https.cc
index 5d8e63f47..35c23db20 100644
--- a/methods/https.cc
+++ b/methods/https.cc
@@ -151,6 +151,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
 default_verify = 0;
 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify);
 
+ // Also enforce issuer of server certificate using its cert
+ string issuercert = _config->Find("Acquire::https::IssuerCert","");
+ knob = "Acquire::https::"+remotehost+"::IssuerCert";
+ issuercert = _config->Find(knob.c_str(),issuercert.c_str());
+ if(issuercert != "")
+ curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str());
+
 // For client authentication, certificate file ...
 string pem = _config->Find("Acquire::https::SslCert","");
 knob = "Acquire::https::"+remotehost+"::SslCert";
@@ -177,6 +184,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm)
 final_version = CURL_SSLVERSION_SSLv3;
 curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version);
 
+ // CRL file
+ string crlfile = _config->Find("Acquire::https::CrlFile","");
+ knob = "Acquire::https::"+remotehost+"::CrlFile";
+ crlfile = _config->Find(knob.c_str(),crlfile.c_str());
+ if(crlfile != "")
+ curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str());
+
 // cache-control
 if(_config->FindB("Acquire::https::No-Cache",
 _config->FindB("Acquire::http::No-Cache",false)) == false)
--
cgit v1.2.3
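Review bot: The result of `curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str())` is discarded, so if the linked libcurl or its TLS backend rejects the option the fetch carries on without the issuer restriction the administrator configured. A security-tightening knob should fail closed: test the return, e.g. `if(curl_easy_setopt(curl, CURLOPT_ISSUERCERT, issuercert.c_str()) != CURLE_OK)`, and abort the fetch with an error that names the `IssuerCert` setting. The `CURLOPT_CRLFILE` call in the second hunk has the same gap. Fetch's body starts and ends outside the hunk, so the error should be reported the way the rest of the function does it.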
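Review bot: The `// CRL file` block takes effect only while peer verification is enabled. libcurl documents `CURLOPT_CRLFILE` (and `CURLOPT_ISSUERCERT` from the first hunk) as meaningful only in combination with `CURLOPT_SSL_VERIFYPEER`. The peer-verification setting is handled outside this hunk, but if a host can have it switched off, a configured `CrlFile` would give no revocation check and no diagnostic. I would expand the comment to `// CRL file (PEM); only honoured when peer verification is enabled` and emit a warning when `crlfile` is non-empty while peer verification is off. It is also worth documenting that the file has to be refreshed by the administrator, since an outdated CRL misses newer revocations.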