fix testcase framework to test correctly for virtual packages

[apt.git] / doc / examples / apt-https-method-example.conf

diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf
index 0067171bdefeefda829867edf17cccd832a5aa2c..cc788904497a35ee12f3f1332a048f663c8cb72d 100644 (file)
--- a/doc/examples/apt-https-method-example.conf
+++ b/doc/examples/apt-https-method-example.conf
@@ -36,6 +36,8 @@
       to access its content.
     - The certificate presented by both server have (as expected) a CN that
       matches their respective DNS names.
       to access its content.
     - The certificate presented by both server have (as expected) a CN that
       matches their respective DNS names.

+    - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
+      to use them.

     - It somtimes happens that we had other more generic https available
       repository to our list. We want the checks to be performed against
       a common list of anchors (like the one provided by ca-certificates
     - It somtimes happens that we had other more generic https available
       repository to our list. We want the checks to be performed against
       a common list of anchors (like the one provided by ca-certificates


@@ -56,10 +58,13 @@ Acquire::https::CaInfo     "/etc/ssl/certs/ca-certificates.pem";
 // Use a specific anchor and associated CRL. Enforce issuer of
 // server certificate using its cert.
 Acquire::https::secure.dom1.tld::CaInfo     "/etc/apt/certs/ca-dom1-crt.pem";
 // Use a specific anchor and associated CRL. Enforce issuer of
 // server certificate using its cert.
 Acquire::https::secure.dom1.tld::CaInfo     "/etc/apt/certs/ca-dom1-crt.pem";

+Acquire::https::secure.dom1.tld::CrlFile    "/etc/apt/certs/ca-dom1-crl.pem";
+Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";

 
 // Like previous for anchor and CRL, but also provide our
 // certificate and keys for client authentication.
 Acquire::https::secure.dom2.tld::CaInfo  "/etc/apt/certs/ca-dom2-crt.pem";
 
 // Like previous for anchor and CRL, but also provide our
 // certificate and keys for client authentication.
 Acquire::https::secure.dom2.tld::CaInfo  "/etc/apt/certs/ca-dom2-crt.pem";

+Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";

 Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
 Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
 
 Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
 Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
 


@@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
     used for the https entries in the sources.list file that use that
     repository (with the same name).
 
     used for the https entries in the sources.list file that use that
     repository (with the same name).
 

+  Acquire::https[::repo.domain.tld]::CrlFile  "/path/to/all/crl.pem";
+
+    Like previous knob but for passing the list of CRL files (in PEM
+    format) to be used to verify revocation status. Again, if the
+    option is defined with no specific mirror (probably makes little
+    sense), this CRL information is used for all defined https entries
+    in sources.list file. In a mirror specific context, it only applies
+    to that mirror.
+
+  Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
+
+    Allows to constrain the issuer of the server certificate (for all
+    https mirrors or a specific one) to a specific issuer. If the
+    server certificate has not been issued by this certificate,
+    connection fails.
+

   Acquire::https[::repo.domain.tld]::Verify-Peer "true";
 
     When authenticating the server, if the certificate verification fails
   Acquire::https[::repo.domain.tld]::Verify-Peer "true";
 
     When authenticating the server, if the certificate verification fails