X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/51f9f4d78deabf54dbbb6881139d2b1a319ffbfc..9d3cce03f50b6a2d361d3e5c9f1475bccb13775e:/methods/https.cc diff --git a/methods/https.cc b/methods/https.cc index 5d8e63f47..fc649d6c2 100644 --- a/methods/https.cc +++ b/methods/https.cc @@ -133,7 +133,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm) string cainfo = _config->Find("Acquire::https::CaInfo",""); string knob = "Acquire::https::"+remotehost+"::CaInfo"; cainfo = _config->Find(knob.c_str(),cainfo.c_str()); - if(cainfo != "") + if(cainfo.empty() == false) curl_easy_setopt(curl, CURLOPT_CAINFO,cainfo.c_str()); // Check server certificate against previous CA list ... @@ -143,26 +143,31 @@ bool HttpsMethod::Fetch(FetchItem *Itm) curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, peer_verify); // ... and hostname against cert CN or subjectAltName - int default_verify = 2; bool verify = _config->FindB("Acquire::https::Verify-Host",true); knob = "Acquire::https::"+remotehost+"::Verify-Host"; verify = _config->FindB(knob.c_str(),verify); - if (!verify) - default_verify = 0; - curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, verify); + int const default_verify = (verify == true) ? 2 : 0; + curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, default_verify); + + // Also enforce issuer of server certificate using its cert + string issuercert = _config->Find("Acquire::https::IssuerCert",""); + knob = "Acquire::https::"+remotehost+"::IssuerCert"; + issuercert = _config->Find(knob.c_str(),issuercert.c_str()); + if(issuercert.empty() == false) + curl_easy_setopt(curl, CURLOPT_ISSUERCERT,issuercert.c_str()); // For client authentication, certificate file ... string pem = _config->Find("Acquire::https::SslCert",""); knob = "Acquire::https::"+remotehost+"::SslCert"; pem = _config->Find(knob.c_str(),pem.c_str()); - if(pem != "") + if(pem.empty() == false) curl_easy_setopt(curl, CURLOPT_SSLCERT, pem.c_str()); // ... and associated key. string key = _config->Find("Acquire::https::SslKey",""); knob = "Acquire::https::"+remotehost+"::SslKey"; key = _config->Find(knob.c_str(),key.c_str()); - if(key != "") + if(key.empty() == false) curl_easy_setopt(curl, CURLOPT_SSLKEY, key.c_str()); // Allow forcing SSL version to SSLv3 or TLSv1 (SSLv2 is not @@ -177,6 +182,13 @@ bool HttpsMethod::Fetch(FetchItem *Itm) final_version = CURL_SSLVERSION_SSLv3; curl_easy_setopt(curl, CURLOPT_SSLVERSION, final_version); + // CRL file + string crlfile = _config->Find("Acquire::https::CrlFile",""); + knob = "Acquire::https::"+remotehost+"::CrlFile"; + crlfile = _config->Find(knob.c_str(),crlfile.c_str()); + if(crlfile.empty() == false) + curl_easy_setopt(curl, CURLOPT_CRLFILE, crlfile.c_str()); + // cache-control if(_config->FindB("Acquire::https::No-Cache", _config->FindB("Acquire::http::No-Cache",false)) == false) @@ -196,7 +208,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm) curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); // speed limit - int dlLimit = _config->FindI("Acquire::https::Dl-Limit", + int const dlLimit = _config->FindI("Acquire::https::Dl-Limit", _config->FindI("Acquire::http::Dl-Limit",0))*1024; if (dlLimit > 0) curl_easy_setopt(curl, CURLOPT_MAX_RECV_SPEED_LARGE, dlLimit); @@ -208,7 +220,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm) "Debian APT-CURL/1.0 ("VERSION")").c_str()).c_str()); // set timeout - int timeout = _config->FindI("Acquire::https::Timeout", + int const timeout = _config->FindI("Acquire::https::Timeout", _config->FindI("Acquire::http::Timeout",120)); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, timeout); //set really low lowspeed timeout (see #497983) @@ -216,7 +228,7 @@ bool HttpsMethod::Fetch(FetchItem *Itm) curl_easy_setopt(curl, CURLOPT_LOW_SPEED_TIME, timeout); // set redirect options and default to 10 redirects - bool AllowRedirect = _config->FindB("Acquire::https::AllowRedirect", + bool const AllowRedirect = _config->FindB("Acquire::https::AllowRedirect", _config->FindB("Acquire::http::AllowRedirect",true)); curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, AllowRedirect); curl_easy_setopt(curl, CURLOPT_MAXREDIRS, 10);