apt-https-method-example.conf 7.2 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166
  1. /* This file is a sample configuration for apt https method. Configuration
  2. parameters found in this example file are expected to be used in main
  3. apt.conf file, just like other configuration parameters for different
  4. methods (ftp, file, ...).
  5. This example file starts with a common setup that voluntarily exhibits
  6. all available configurations knobs with simple comments. Extended
  7. comments on the behavior of the option is provided at the end for
  8. better readibility. As a matter of fact, a common configuration file
  9. will certainly contain far less elements and benefit of default values
  10. for many parameters.
  11. Because some configuration parameters for apt https method in following
  12. examples apply to specific (fictional) repositories, the associated
  13. sources.list file is provided here:
  14. ...
  15. deb https://secure.dom1.tld/debian unstable main contrib non-free
  16. deb-src https://secure.dom1.tld/debian unstable main contrib non-free
  17. deb https://secure.dom2.tld/debian unstable main contrib non-free
  18. deb-src https://secure.dom2.tld/debian unstable main contrib non-free
  19. ...
  20. Some notes on the servers:
  21. - secure.dom1.tld is freely accessible using https (no client
  22. authentication is required).
  23. - secure.dom1.tld certificate is part of a multi level PKI, and we
  24. want to specifically check the issuer of its certificate. We do
  25. not have the constraint for secure.dom2.tld
  26. - secure.dom2.tld requires client authentication by certificate
  27. to access its content.
  28. - The certificate presented by both server have (as expected) a CN that
  29. matches their respective DNS names.
  30. - It somtimes happens that we had other more generic https available
  31. repository to our list. We want the checks to be performed against
  32. a common list of anchors (like the one provided by ca-certificates
  33. package for instance)
  34. The sample configuration below basically covers those simpe needs.
  35. */
  36. // Verify peer certificate and also matching between certificate name
  37. // and server name as provided in sources.list (default values)
  38. Acquire::https::Verify-Peer "true";
  39. Acquire::https::Verify-Host "true";
  40. // Except otherwise specified, use that list of anchors
  41. Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem";
  42. // Use a specific anchor and associated CRL. Enforce issuer of
  43. // server certificate using its cert.
  44. Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem";
  45. // Like previous for anchor and CRL, but also provide our
  46. // certificate and keys for client authentication.
  47. Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem";
  48. Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
  49. Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
  50. // No need to downgrade, TLS will be proposed by default. Uncomment
  51. // to have SSLv3 proposed.
  52. // Acquire::https::mirror.ipv6.ssi.corp::SslForceVersion "SSLv3";
  53. // No need for more debug if every is fine (default). Uncomment
  54. // me to get additional information.
  55. // Debug::Acquire::https "true";
  56. /*
  57. Options with extended comments:
  58. Acquire::https[::repo.domain.tld]::CaInfo "/path/to/ca/certs.pem";
  59. A string providing the path of a file containing the list of trusted
  60. CA certificates used to verify the server certificate. The pointed
  61. file is made of the concatenation of the CA certificates (in
  62. PEM format) creating the chain used for the verification of the path
  63. from the root (self signed one). If the remote server provides the
  64. whole chain during the exchange, the file need only contain the root
  65. certificate. Otherwise, the whole chain is required.
  66. If you need to support multiple authorities, the only way is to
  67. concatenate everything.
  68. If None is provided, the default CA bundle used by GnuTLS (apt https
  69. method is linked against libcurl-gnutls) is used. At the time of
  70. writing, /etc/ssl/certs/ca-certificates.crt.
  71. If no specific hostname is provided, the file is used by default
  72. for all https targets. If a specific mirror is provided, it is
  73. used for the https entries in the sources.list file that use that
  74. repository (with the same name).
  75. Acquire::https[::repo.domain.tld]::Verify-Peer "true";
  76. When authenticating the server, if the certificate verification fails
  77. for some reason (expired, revoked, man in the middle, lack of anchor,
  78. ...), the connection fails. This is obviously what you want in all
  79. cases and what the default value (true) of this option provides.
  80. If you know EXACTLY what you are doing, setting this option to "false"
  81. allow you to skip peer certificate verification and make the exchange
  82. succeed. Again, this option is for debugging or testing purpose only.
  83. It removes ALL the security provided by the use of SSL.TLS to secure
  84. the HTTP exchanges.
  85. Acquire::https[::repo.domain.tld]::Verify-Host "true";
  86. The certificate provided by the server during the TLS/SSL exchange
  87. provides the identity of the server which should match the DNS name
  88. used to access it. By default, as requested by RFC 2818, the name
  89. of the mirror is checked against the identity found in the
  90. certificate. This default behavior is safe and should not be
  91. changed. If you know that the server you are using has a DNS name
  92. which does not match the identity in its certificate, you can
  93. [report that issue to its administrator or] set the option to
  94. "false", which will prevent the comparison to be done.
  95. The options can be set globally or on a per-mirror basis. If set
  96. globally, the DNS name used is the one found in the sources.list
  97. file in the https URI.
  98. Acquire::https[::repo.domain.tld]::SslCert "/path/to/client/cert.pem";
  99. Acquire::https[::repo.domain.tld]::SslKey "/path/to/client/key.pem";
  100. These two options provides support for client authentication using
  101. certificates. They respectively accept the X.509 client certificate
  102. in PEM format and the associated client key in PEM format (non
  103. encrypted form).
  104. The options can be set globally (which rarely makes sense) or on a
  105. per-mirror basis.
  106. Acquire::https[::repo.domain.tld]::SslForceVersion "TLSv1";
  107. This option can be use to select the version which will be proposed
  108. to the server. "SSLv3" and "TLSv1" are supported. SSLv2, which is
  109. considered insecure anyway is not supported (by gnutls, which is
  110. used by libcurl against which apt https method is linked).
  111. When the option is set to "SSLv3" to have apt propose SSLv3 (and
  112. associated sets of ciphersuites) instead of TLSv1 (the default)
  113. when performing the exchange. This prevents the server to select
  114. TLSv1 and use associated cipheruites. You should probably not use
  115. this option except if you know exactly what you are doing.
  116. Note that the default setting does not guarantee that the server
  117. will not select SSLv3 (for ciphersuites and SSL/TLS version as
  118. selectio is always done by the server, in the end). It only means
  119. that apt will not advertise TLS support.
  120. Debug::Acquire::https "true";
  121. This option can be used to show debug information. Because it is
  122. quite verbose, it is mainly useful to debug problems in case of
  123. failure to connect to a server for some reason. The default value
  124. is "false".
  125. */