[apt.git] / doc / examples / apt-https-method-example.conf

/* This file is a sample configuration for apt https method. Configuration
   parameters found in this example file are expected to be used in main
   apt.conf file, just like other configuration parameters for different
   methods (ftp, file, ...).

   This example file starts with a common setup that voluntarily exhibits
   all available configurations knobs with simple comments. Extended
   comments on the behavior of the option is provided at the end for
   better readability. As a matter of fact, a common configuration file
   will certainly contain far less elements and benefit of default values
   for many parameters.

   Because some configuration parameters for apt https method in following
   examples apply to specific (fictional) repositories, the associated
   sources.list file is provided here:

   ...

   deb     https://secure.dom1.tld/debian unstable main contrib non-free
   deb-src https://secure.dom1.tld/debian unstable main contrib non-free

   deb     https://secure.dom2.tld/debian unstable main contrib non-free
   deb-src https://secure.dom2.tld/debian unstable main contrib non-free

   ...


   Some notes on the servers:

    - secure.dom1.tld is freely accessible using https (no client
      authentication is required).
    - secure.dom1.tld certificate is part of a multi level PKI, and we
      want to specifically check the issuer of its certificate. We do
      not have the constraint for secure.dom2.tld
    - secure.dom2.tld requires client authentication by certificate
      to access its content.
    - The certificate presented by both server have (as expected) a CN that
      matches their respective DNS names.
    - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
      to use them.
    - It sometimes happens that we had other more generic https available
      repository to our list. We want the checks to be performed against
      a common list of anchors (like the one provided by ca-certificates
      package for instance)

   The sample configuration below basically covers those simple needs.
*/


// Verify peer certificate and also matching between certificate name
// and server name as provided in sources.list (default values)
Acquire::https::Verify-Peer "true";
Acquire::https::Verify-Host "true";

// Except otherwise specified, use that list of anchors
Acquire::https::CaInfo     "/etc/ssl/certs/ca-certificates.pem";

// Use a specific anchor and associated CRL. Enforce issuer of
// server certificate using its cert.
Acquire::https::secure.dom1.tld::CaInfo     "/etc/apt/certs/ca-dom1-crt.pem";
Acquire::https::secure.dom1.tld::CrlFile    "/etc/apt/certs/ca-dom1-crl.pem";
Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";

// Like previous for anchor and CRL, but also provide our
// certificate and keys for client authentication.
Acquire::https::secure.dom2.tld::CaInfo  "/etc/apt/certs/ca-dom2-crt.pem";
Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";

// No need to downgrade, TLS will be proposed by default. Uncomment
// to have SSLv3 proposed.
// Acquire::https::mirror.ipv6.ssi.corp::SslForceVersion "SSLv3";

// No need for more debug if every is fine (default). Uncomment
// me to get additional information.
// Debug::Acquire::https "true";


/*
  Options with extended comments:

  Acquire::https[::repo.domain.tld]::CaInfo  "/path/to/ca/certs.pem";

    A string providing the path of a file containing the list of trusted
    CA certificates used to verify the server certificate. The pointed
    file is made of the concatenation of the CA certificates (in
    PEM format) creating the chain used for the verification of the path
    from the root (self signed one). If the remote server provides the
    whole chain during the exchange, the file need only contain the root
    certificate. Otherwise, the whole chain is required.

    If you need to support multiple authorities, the only way is to
    concatenate everything.

    If None is provided, the default CA bundle used by GnuTLS (apt https
    method is linked against libcurl-gnutls) is used. At the time of
    writing, /etc/ssl/certs/ca-certificates.crt.

    If no specific hostname is provided, the file is used by default
    for all https targets. If a specific mirror is provided, it is
    used for the https entries in the sources.list file that use that
    repository (with the same name).

  Acquire::https[::repo.domain.tld]::CrlFile  "/path/to/all/crl.pem";

    Like previous knob but for passing the list of CRL files (in PEM
    format) to be used to verify revocation status. Again, if the
    option is defined with no specific mirror (probably makes little
    sense), this CRL information is used for all defined https entries
    in sources.list file. In a mirror specific context, it only applies
    to that mirror.

  Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";

    Allows to constrain the issuer of the server certificate (for all
    https mirrors or a specific one) to a specific issuer. If the
    server certificate has not been issued by this certificate,
    connection fails.

  Acquire::https[::repo.domain.tld]::Verify-Peer "true";

    When authenticating the server, if the certificate verification fails
    for some reason (expired, revoked, man in the middle, lack of anchor,
    ...), the connection fails. This is obviously what you want in all
    cases and what the default value (true) of this option provides.

    If you know EXACTLY what you are doing, setting this option to "false"
    allow you to skip peer certificate verification and make the exchange
    succeed. Again, this option is for debugging or testing purpose only.
    It removes ALL the security provided by the use of SSL.TLS to secure
    the HTTP exchanges.

  Acquire::https[::repo.domain.tld]::Verify-Host "true";

    The certificate provided by the server during the TLS/SSL exchange
    provides the identity of the server which should match the DNS name
    used to access it. By default, as requested by RFC 2818, the name
    of the mirror is checked against the identity found in the
    certificate. This default behavior is safe and should not be
    changed. If you know that the server you are using has a DNS name
    which does not match the identity in its certificate, you can
    [report that issue to its administrator or] set the option to
    "false", which will prevent the comparison to be done.

    The options can be set globally or on a per-mirror basis. If set
    globally, the DNS name used is the one found in the sources.list
    file in the https URI.

  Acquire::https[::repo.domain.tld]::SslCert "/path/to/client/cert.pem";
  Acquire::https[::repo.domain.tld]::SslKey  "/path/to/client/key.pem";

    These two options provides support for client authentication using
    certificates. They respectively accept the X.509 client certificate
    in PEM format and the associated client key in PEM format (non
    encrypted form).

    The options can be set globally (which rarely makes sense) or on a
    per-mirror basis.

  Acquire::https[::repo.domain.tld]::SslForceVersion "TLSv1";

    This option can be use to select the version which will be proposed
    to the server. "SSLv3" and "TLSv1" are supported. SSLv2, which is
    considered insecure anyway is not supported (by gnutls, which is
    used by libcurl against which apt https method is linked).

    When the option is set to "SSLv3" to have apt propose SSLv3 (and
    associated sets of ciphersuites) instead of TLSv1 (the default)
    when performing the exchange. This prevents the server to select
    TLSv1 and use associated ciphersuites. You should probably not use
    this option except if you know exactly what you are doing.

    Note that the default setting does not guarantee that the server
    will not select SSLv3 (for ciphersuites and SSL/TLS version as
    selection is always done by the server, in the end). It only means
    that apt will not advertise TLS support.

  Debug::Acquire::https "true";

    This option can be used to show debug information. Because it is
    quite verbose, it is mainly useful to debug problems in case of
    failure to connect to a server for some reason. The default value
    is "false".

*/
Commit	Line	Data
42e9340e MV	1	/* This file is a sample configuration for apt https method. Configuration
	2	parameters found in this example file are expected to be used in main
	3	apt.conf file, just like other configuration parameters for different
	4	methods (ftp, file, ...).
	5
	6	This example file starts with a common setup that voluntarily exhibits
	7	all available configurations knobs with simple comments. Extended
	8	comments on the behavior of the option is provided at the end for
8b35a3ac	9	better readability. As a matter of fact, a common configuration file
42e9340e MV	10	will certainly contain far less elements and benefit of default values
	11	for many parameters.
	12
	13	Because some configuration parameters for apt https method in following
	14	examples apply to specific (fictional) repositories, the associated
	15	sources.list file is provided here:
	16
	17	...
	18
	19	deb https://secure.dom1.tld/debian unstable main contrib non-free
	20	deb-src https://secure.dom1.tld/debian unstable main contrib non-free
	21
	22	deb https://secure.dom2.tld/debian unstable main contrib non-free
	23	deb-src https://secure.dom2.tld/debian unstable main contrib non-free
	24
	25	...
	26
	27
	28	Some notes on the servers:
	29
	30	- secure.dom1.tld is freely accessible using https (no client
	31	authentication is required).
	32	- secure.dom1.tld certificate is part of a multi level PKI, and we
	33	want to specifically check the issuer of its certificate. We do
	34	not have the constraint for secure.dom2.tld
	35	- secure.dom2.tld requires client authentication by certificate
	36	to access its content.
	37	- The certificate presented by both server have (as expected) a CN that
	38	matches their respective DNS names.
46e39c8e MV	39	- We have CRL available for both dom1.tld and dom2.tld PKI, and intend
46e39c8e MV	40	to use them.
8b35a3ac	41	- It sometimes happens that we had other more generic https available
42e9340e MV	42	repository to our list. We want the checks to be performed against
	43	a common list of anchors (like the one provided by ca-certificates
	44	package for instance)
	45
8b35a3ac	46	The sample configuration below basically covers those simple needs.
42e9340e MV	47	*/
	48
	49
	50	// Verify peer certificate and also matching between certificate name
	51	// and server name as provided in sources.list (default values)
	52	Acquire::https::Verify-Peer "true";
	53	Acquire::https::Verify-Host "true";
	54
	55	// Except otherwise specified, use that list of anchors
	56	Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem";
	57
	58	// Use a specific anchor and associated CRL. Enforce issuer of
	59	// server certificate using its cert.
	60	Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem";
46e39c8e MV	61	Acquire::https::secure.dom1.tld::CrlFile "/etc/apt/certs/ca-dom1-crl.pem";
46e39c8e MV	62	Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
42e9340e MV	63
	64	// Like previous for anchor and CRL, but also provide our
	65	// certificate and keys for client authentication.
	66	Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem";
46e39c8e	67	Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
42e9340e MV	68	Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
	69	Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
	70
	71	// No need to downgrade, TLS will be proposed by default. Uncomment
	72	// to have SSLv3 proposed.
	73	// Acquire::https::mirror.ipv6.ssi.corp::SslForceVersion "SSLv3";
	74
	75	// No need for more debug if every is fine (default). Uncomment
	76	// me to get additional information.
	77	// Debug::Acquire::https "true";
	78
	79
	80	/*
	81	Options with extended comments:
	82
	83	Acquire::https[::repo.domain.tld]::CaInfo "/path/to/ca/certs.pem";
	84
	85	A string providing the path of a file containing the list of trusted
	86	CA certificates used to verify the server certificate. The pointed
	87	file is made of the concatenation of the CA certificates (in
	88	PEM format) creating the chain used for the verification of the path
	89	from the root (self signed one). If the remote server provides the
	90	whole chain during the exchange, the file need only contain the root
	91	certificate. Otherwise, the whole chain is required.
	92
	93	If you need to support multiple authorities, the only way is to
	94	concatenate everything.
	95
	96	If None is provided, the default CA bundle used by GnuTLS (apt https
	97	method is linked against libcurl-gnutls) is used. At the time of
	98	writing, /etc/ssl/certs/ca-certificates.crt.
	99
	100	If no specific hostname is provided, the file is used by default
	101	for all https targets. If a specific mirror is provided, it is
	102	used for the https entries in the sources.list file that use that
	103	repository (with the same name).
	104
46e39c8e MV	105	Acquire::https[::repo.domain.tld]::CrlFile "/path/to/all/crl.pem";
	106
	107	Like previous knob but for passing the list of CRL files (in PEM
	108	format) to be used to verify revocation status. Again, if the
	109	option is defined with no specific mirror (probably makes little
	110	sense), this CRL information is used for all defined https entries
	111	in sources.list file. In a mirror specific context, it only applies
	112	to that mirror.
	113
	114	Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
	115
	116	Allows to constrain the issuer of the server certificate (for all
	117	https mirrors or a specific one) to a specific issuer. If the
	118	server certificate has not been issued by this certificate,
	119	connection fails.
	120
42e9340e MV	121	Acquire::https[::repo.domain.tld]::Verify-Peer "true";
	122
	123	When authenticating the server, if the certificate verification fails
	124	for some reason (expired, revoked, man in the middle, lack of anchor,
	125	...), the connection fails. This is obviously what you want in all
	126	cases and what the default value (true) of this option provides.
	127
	128	If you know EXACTLY what you are doing, setting this option to "false"
	129	allow you to skip peer certificate verification and make the exchange
	130	succeed. Again, this option is for debugging or testing purpose only.
	131	It removes ALL the security provided by the use of SSL.TLS to secure
	132	the HTTP exchanges.
	133
	134	Acquire::https[::repo.domain.tld]::Verify-Host "true";
	135
	136	The certificate provided by the server during the TLS/SSL exchange
	137	provides the identity of the server which should match the DNS name
	138	used to access it. By default, as requested by RFC 2818, the name
	139	of the mirror is checked against the identity found in the
	140	certificate. This default behavior is safe and should not be
	141	changed. If you know that the server you are using has a DNS name
	142	which does not match the identity in its certificate, you can
	143	[report that issue to its administrator or] set the option to
	144	"false", which will prevent the comparison to be done.
	145
	146	The options can be set globally or on a per-mirror basis. If set
	147	globally, the DNS name used is the one found in the sources.list
	148	file in the https URI.
	149
	150	Acquire::https[::repo.domain.tld]::SslCert "/path/to/client/cert.pem";
	151	Acquire::https[::repo.domain.tld]::SslKey "/path/to/client/key.pem";
	152
	153	These two options provides support for client authentication using
	154	certificates. They respectively accept the X.509 client certificate
	155	in PEM format and the associated client key in PEM format (non
	156	encrypted form).
	157
	158	The options can be set globally (which rarely makes sense) or on a
	159	per-mirror basis.
	160
	161	Acquire::https[::repo.domain.tld]::SslForceVersion "TLSv1";
	162
	163	This option can be use to select the version which will be proposed
	164	to the server. "SSLv3" and "TLSv1" are supported. SSLv2, which is
	165	considered insecure anyway is not supported (by gnutls, which is
	166	used by libcurl against which apt https method is linked).
	167
	168	When the option is set to "SSLv3" to have apt propose SSLv3 (and
	169	associated sets of ciphersuites) instead of TLSv1 (the default)
	170	when performing the exchange. This prevents the server to select
8b35a3ac	171	TLSv1 and use associated ciphersuites. You should probably not use
42e9340e MV	172	this option except if you know exactly what you are doing.
	173
	174	Note that the default setting does not guarantee that the server
	175	will not select SSLv3 (for ciphersuites and SSL/TLS version as
8b35a3ac	176	selection is always done by the server, in the end). It only means
42e9340e MV	177	that apt will not advertise TLS support.
	178
	179	Debug::Acquire::https "true";
	180
	181	This option can be used to show debug information. Because it is
	182	quite verbose, it is mainly useful to debug problems in case of
	183	failure to connect to a server for some reason. The default value
	184	is "false".
	185
	186	*/