X-Git-Url: https://git.saurik.com/apt.git/blobdiff_plain/eea6312729b11f6c80c6cec027bbc475a34bb2d1..1eba782fc3c55528a4da14d79e114874b9299453:/doc/examples/apt-https-method-example.conf diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf index 0067171bd..a03766746 100644 --- a/doc/examples/apt-https-method-example.conf +++ b/doc/examples/apt-https-method-example.conf @@ -6,7 +6,7 @@ This example file starts with a common setup that voluntarily exhibits all available configurations knobs with simple comments. Extended comments on the behavior of the option is provided at the end for - better readibility. As a matter of fact, a common configuration file + better readability. As a matter of fact, a common configuration file will certainly contain far less elements and benefit of default values for many parameters. @@ -36,12 +36,14 @@ to access its content. - The certificate presented by both server have (as expected) a CN that matches their respective DNS names. - - It somtimes happens that we had other more generic https available + - We have CRL available for both dom1.tld and dom2.tld PKI, and intend + to use them. + - It sometimes happens that we had other more generic https available repository to our list. We want the checks to be performed against a common list of anchors (like the one provided by ca-certificates package for instance) - The sample configuration below basically covers those simpe needs. + The sample configuration below basically covers those simple needs. */ 
@@ -56,10 +58,13 @@ Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem"; // Use a specific anchor and associated CRL. Enforce issuer of // server certificate using its cert. Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem"; +Acquire::https::secure.dom1.tld::CrlFile "/etc/apt/certs/ca-dom1-crl.pem"; +Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem"; // Like previous for anchor and CRL, but also provide our // certificate and keys for client authentication. Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem"; +Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem"; Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem"; Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem"; @@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem"; used for the https entries in the sources.list file that use that repository (with the same name). + Acquire::https[::repo.domain.tld]::CrlFile "/path/to/all/crl.pem"; + + Like previous knob but for passing the list of CRL files (in PEM + format) to be used to verify revocation status. Again, if the + option is defined with no specific mirror (probably makes little + sense), this CRL information is used for all defined https entries + in sources.list file. In a mirror specific context, it only applies + to that mirror. + + Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem"; + + Allows to constrain the issuer of the server certificate (for all + https mirrors or a specific one) to a specific issuer. If the + server certificate has not been issued by this certificate, + connection fails. + Acquire::https[::repo.domain.tld]::Verify-Peer "true"; When authenticating the server, if the certificate verification fails 
@@ -147,12 +168,12 @@ Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem"; When the option is set to "SSLv3" to have apt propose SSLv3 (and associated sets of ciphersuites) instead of TLSv1 (the default) when performing the exchange. This prevents the server to select - TLSv1 and use associated cipheruites. You should probably not use + TLSv1 and use associated ciphersuites. You should probably not use this option except if you know exactly what you are doing. Note that the default setting does not guarantee that the server will not select SSLv3 (for ciphersuites and SSL/TLS version as - selectio is always done by the server, in the end). It only means + selection is always done by the server, in the end). It only means that apt will not advertise TLS support. Debug::Acquire::https "true";
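Review bot: in the second hunk (the scenario comment, `@@ -36,12 +36,14 @@`), the added line "We have CRL available for both dom1.tld and dom2.tld PKI" should read "We have CRLs available for both the dom1.tld and dom2.tld PKIs", and the line the hunk touches to fix "somtimes" still reads "we had other more generic https available repository to our list", which is ungrammatical; since the line is being edited anyway, consider "It sometimes happens that we add other, more generic https repositories to our list".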
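Review bot: in the configuration hunk (`@@ -56,10 +58,13 @@`), the dom1 block now carries both `CrlFile` and `IssuerCert` while the dom2 block gets only `CrlFile`; the dom2 comment "Like previous for anchor and CRL" is accurate, but a reader skimming "Like previous" may assume issuer pinning is inherited. Either add `Acquire::https::secure.dom2.tld::IssuerCert` to dom2 or extend the comment to say that the issuer constraint is deliberately not applied there, so the example states which checks each mirror actually gets.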
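Review bot: in the documentation hunk (`@@ -97,6 +102,22 @@`), the `CrlFile` text says it passes "the list of CRL files (in PEM format)" but the knob takes a single path; state whether that one PEM file may contain several concatenated CRLs (one per CA in the chain) or exactly one, since that decides how revocation of intermediate CAs is handled. For `IssuerCert`, "Allows to constrain the issuer" should be "Allows constraining the issuer", and it would help to say how it combines with `CaInfo`: whether the server certificate must still chain to the configured anchor and this is an additional check, or whether `IssuerCert` replaces that chain validation. The phrase "connection fails" could also name the observable effect (the acquire fails and the repository is not used), since that is what an administrator will see.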
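Review bot: in the last hunk (`@@ -147,12 +168,12 @@`), the paragraph being corrected for "selectio" ends with "It only means that apt will not advertise TLS support", which contradicts the same paragraph's statement that TLSv1 is the default proposal: under the default apt does advertise TLS. The intended meaning appears to be that the default does not prevent the server from choosing SSLv3, i.e. apt does not advertise a preference for SSLv3, so consider rewording that sentence while the line is being touched. In the context lines, "prevents the server to select" should be "prevents the server from selecting".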