|
|
@@ -36,6 +36,8 @@
|
|
|
to access its content.
|
|
|
- The certificate presented by both server have (as expected) a CN that
|
|
|
matches their respective DNS names.
|
|
|
+ - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
|
|
|
+ to use them.
|
|
|
- It somtimes happens that we had other more generic https available
|
|
|
repository to our list. We want the checks to be performed against
|
|
|
a common list of anchors (like the one provided by ca-certificates
|
|
|
@@ -56,10 +58,13 @@ Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem";
|
|
|
// Use a specific anchor and associated CRL. Enforce issuer of
|
|
|
// server certificate using its cert.
|
|
|
Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem";
|
|
|
+Acquire::https::secure.dom1.tld::CrlFile "/etc/apt/certs/ca-dom1-crl.pem";
|
|
|
+Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
|
|
|
|
|
|
// Like previous for anchor and CRL, but also provide our
|
|
|
// certificate and keys for client authentication.
|
|
|
Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem";
|
|
|
+Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
|
|
|
Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
|
|
|
Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
|
|
|
|
|
|
@@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
|
|
|
used for the https entries in the sources.list file that use that
|
|
|
repository (with the same name).
|
|
|
|
|
|
+ Acquire::https[::repo.domain.tld]::CrlFile "/path/to/all/crl.pem";
|
|
|
+
|
|
|
+ Like previous knob but for passing the list of CRL files (in PEM
|
|
|
+ format) to be used to verify revocation status. Again, if the
|
|
|
+ option is defined with no specific mirror (probably makes little
|
|
|
+ sense), this CRL information is used for all defined https entries
|
|
|
+ in sources.list file. In a mirror specific context, it only applies
|
|
|
+ to that mirror.
|
|
|
+
|
|
|
+ Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
|
|
|
+
|
|
|
+ Allows to constrain the issuer of the server certificate (for all
|
|
|
+ https mirrors or a specific one) to a specific issuer. If the
|
|
|
+ server certificate has not been issued by this certificate,
|
|
|
+ connection fails.
|
|
|
+
|
|
|
Acquire::https[::repo.domain.tld]::Verify-Peer "true";
|
|
|
|
|
|
When authenticating the server, if the certificate verification fails
|