This example file starts with a common setup that voluntarily exhibits
all available configurations knobs with simple comments. Extended
comments on the behavior of the option is provided at the end for
- better readibility. As a matter of fact, a common configuration file
+ better readability. As a matter of fact, a common configuration file
will certainly contain far less elements and benefit of default values
for many parameters.
to access its content.
- The certificate presented by both server have (as expected) a CN that
matches their respective DNS names.
- - It somtimes happens that we had other more generic https available
+ - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
+ to use them.
+ - It sometimes happens that we had other more generic https available
repository to our list. We want the checks to be performed against
a common list of anchors (like the one provided by ca-certificates
package for instance)
- The sample configuration below basically covers those simpe needs.
+ The sample configuration below basically covers those simple needs.
*/
// Use a specific anchor and associated CRL. Enforce issuer of
// server certificate using its cert.
Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem";
+Acquire::https::secure.dom1.tld::CrlFile "/etc/apt/certs/ca-dom1-crl.pem";
+Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
// Like previous for anchor and CRL, but also provide our
// certificate and keys for client authentication.
Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem";
+Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
used for the https entries in the sources.list file that use that
repository (with the same name).
+ Acquire::https[::repo.domain.tld]::CrlFile "/path/to/all/crl.pem";
+
+ Like previous knob but for passing the list of CRL files (in PEM
+ format) to be used to verify revocation status. Again, if the
+ option is defined with no specific mirror (probably makes little
+ sense), this CRL information is used for all defined https entries
+ in sources.list file. In a mirror specific context, it only applies
+ to that mirror.
+
+ Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
+
+ Allows to constrain the issuer of the server certificate (for all
+ https mirrors or a specific one) to a specific issuer. If the
+ server certificate has not been issued by this certificate,
+ connection fails.
+
Acquire::https[::repo.domain.tld]::Verify-Peer "true";
When authenticating the server, if the certificate verification fails
When the option is set to "SSLv3" to have apt propose SSLv3 (and
associated sets of ciphersuites) instead of TLSv1 (the default)
when performing the exchange. This prevents the server to select
- TLSv1 and use associated cipheruites. You should probably not use
+ TLSv1 and use associated ciphersuites. You should probably not use
this option except if you know exactly what you are doing.
Note that the default setting does not guarantee that the server
will not select SSLv3 (for ciphersuites and SSL/TLS version as
- selectio is always done by the server, in the end). It only means
+ selection is always done by the server, in the end). It only means
that apt will not advertise TLS support.
Debug::Acquire::https "true";
projects / apt.git / blobdiff