Home Explore Help
Sign In
NitoTV
/
apt
Watch 2
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
apt
/
doc
/
examples
/
apt-https-method-example.conf

apt-https-method-example.conf 8.3 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187 
  1. /* This file is a sample configuration for apt https method. Configuration
    2. 

  2.    parameters found in this example file are expected to be used in main
    3. 

  3.    apt.conf file, just like other configuration parameters for different
    4. 

  4.    methods (ftp, file, ...).
    5. 

  5. 

  6.    This example file starts with a common setup that voluntarily exhibits
    7. 

  7.    all available configurations knobs with simple comments. Extended
    8. 

  8.    comments on the behavior of the option is provided at the end for
    9. 

  9.    better readability. As a matter of fact, a common configuration file
    10. 

  10.    will certainly contain far less elements and benefit of default values
    11. 

  11.    for many parameters.
    12. 

  12. 

  13.    Because some configuration parameters for apt https method in following
    14. 

  14.    examples apply to specific (fictional) repositories, the associated
    15. 

  15.    sources.list file is provided here:
    16. 

  16. 

  17.    ...
    18. 

  18. 

  19.    deb     https://secure.dom1.tld/debian unstable main contrib non-free
    20. 

  20.    deb-src https://secure.dom1.tld/debian unstable main contrib non-free
    21. 

  21. 

  22.    deb     https://secure.dom2.tld/debian unstable main contrib non-free
    23. 

  23.    deb-src https://secure.dom2.tld/debian unstable main contrib non-free
    24. 

  24. 

  25.    ...
    26. 

  26. 

  27. 

  28.    Some notes on the servers:
    29. 

  29. 

  30.     - secure.dom1.tld is freely accessible using https (no client
    31. 

  31.       authentication is required).
    32. 

  32.     - secure.dom1.tld certificate is part of a multi level PKI, and we
    33. 

  33.       want to specifically check the issuer of its certificate. We do
    34. 

  34.       not have the constraint for secure.dom2.tld
    35. 

  35.     - secure.dom2.tld requires client authentication by certificate
    36. 

  36.       to access its content.
    37. 

  37.     - The certificate presented by both server have (as expected) a CN that
    38. 

  38.       matches their respective DNS names.
    39. 

  39.     - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
    40. 

  40.       to use them.
    41. 

  41.     - It sometimes happens that we had other more generic https available
    42. 

  42.       repository to our list. We want the checks to be performed against
    43. 

  43.       a common list of anchors (like the one provided by ca-certificates
    44. 

  44.       package for instance)
    45. 

  45. 

  46.    The sample configuration below basically covers those simple needs.
    47. 

  47. */
    48. 

  48. 

  49. 

  50. // Verify peer certificate and also matching between certificate name
    51. 

  51. // and server name as provided in sources.list (default values)
    52. 

  52. Acquire::https::Verify-Peer "true";
    53. 

  53. Acquire::https::Verify-Host "true";
    54. 

  54. 

  55. // Except otherwise specified, use that list of anchors
    56. 

  56. Acquire::https::CaInfo     "/etc/ssl/certs/ca-certificates.pem";
    57. 

  57. 

  58. // Use a specific anchor and associated CRL. Enforce issuer of
    59. 

  59. // server certificate using its cert.
    60. 

  60. Acquire::https::secure.dom1.tld::CaInfo     "/etc/apt/certs/ca-dom1-crt.pem";
    61. 

  61. Acquire::https::secure.dom1.tld::CrlFile    "/etc/apt/certs/ca-dom1-crl.pem";
    62. 

  62. Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
    63. 

  63. 

  64. // Like previous for anchor and CRL, but also provide our
    65. 

  65. // certificate and keys for client authentication.
    66. 

  66. Acquire::https::secure.dom2.tld::CaInfo  "/etc/apt/certs/ca-dom2-crt.pem";
    67. 

  67. Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
    68. 

  68. Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
    69. 

  69. Acquire::https::secure.dom2.tld::SslKey  "/etc/apt/certs/my-key.pem";
    70. 

  70. 

  71. // No need to downgrade, TLS will be proposed by default. Uncomment
    72. 

  72. // to have SSLv3 proposed.
    73. 

  73. // Acquire::https::mirror.ipv6.ssi.corp::SslForceVersion "SSLv3";
    74. 

  74. 

  75. // No need for more debug if every is fine (default). Uncomment
    76. 

  76. // me to get additional information.
    77. 

  77. // Debug::Acquire::https "true";
    78. 

  78. 

  79. 

  80. /*
    81. 

  81.   Options with extended comments:
    82. 

  82. 

  83.   Acquire::https[::repo.domain.tld]::CaInfo  "/path/to/ca/certs.pem";
    84. 

  84. 

  85.     A string providing the path of a file containing the list of trusted
    86. 

  86.     CA certificates used to verify the server certificate. The pointed
    87. 

  87.     file is made of the concatenation of the CA certificates (in
    88. 

  88.     PEM format) creating the chain used for the verification of the path
    89. 

  89.     from the root (self signed one). If the remote server provides the
    90. 

  90.     whole chain during the exchange, the file need only contain the root
    91. 

  91.     certificate. Otherwise, the whole chain is required.
    92. 

  92. 

  93.     If you need to support multiple authorities, the only way is to
    94. 

  94.     concatenate everything.
    95. 

  95. 

  96.     If None is provided, the default CA bundle used by GnuTLS (apt https
    97. 

  97.     method is linked against libcurl-gnutls) is used. At the time of
    98. 

  98.     writing, /etc/ssl/certs/ca-certificates.crt.
    99. 

  99. 

  100.     If no specific hostname is provided, the file is used by default
    101. 

  101.     for all https targets. If a specific mirror is provided, it is
    102. 

  102.     used for the https entries in the sources.list file that use that
    103. 

  103.     repository (with the same name).
    104. 

  104. 

  105.   Acquire::https[::repo.domain.tld]::CrlFile  "/path/to/all/crl.pem";
    106. 

  106. 

  107.     Like previous knob but for passing the list of CRL files (in PEM
    108. 

  108.     format) to be used to verify revocation status. Again, if the
    109. 

  109.     option is defined with no specific mirror (probably makes little
    110. 

  110.     sense), this CRL information is used for all defined https entries
    111. 

  111.     in sources.list file. In a mirror specific context, it only applies
    112. 

  112.     to that mirror.
    113. 

  113. 

  114.   Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
    115. 

  115. 

  116.     Allows to constrain the issuer of the server certificate (for all
    117. 

  117.     https mirrors or a specific one) to a specific issuer. If the
    118. 

  118.     server certificate has not been issued by this certificate,
    119. 

  119.     connection fails.
    120. 

  120. 

  121.   Acquire::https[::repo.domain.tld]::Verify-Peer "true";
    122. 

  122. 

  123.     When authenticating the server, if the certificate verification fails
    124. 

  124.     for some reason (expired, revoked, man in the middle, lack of anchor,
    125. 

  125.     ...), the connection fails. This is obviously what you want in all
    126. 

  126.     cases and what the default value (true) of this option provides.
    127. 

  127. 

  128.     If you know EXACTLY what you are doing, setting this option to "false"
    129. 

  129.     allow you to skip peer certificate verification and make the exchange
    130. 

  130.     succeed. Again, this option is for debugging or testing purpose only.
    131. 

  131.     It removes ALL the security provided by the use of SSL.TLS to secure
    132. 

  132.     the HTTP exchanges.
    133. 

  133. 

  134.   Acquire::https[::repo.domain.tld]::Verify-Host "true";
    135. 

  135. 

  136.     The certificate provided by the server during the TLS/SSL exchange
    137. 

  137.     provides the identity of the server which should match the DNS name
    138. 

  138.     used to access it. By default, as requested by RFC 2818, the name
    139. 

  139.     of the mirror is checked against the identity found in the
    140. 

  140.     certificate. This default behavior is safe and should not be
    141. 

  141.     changed. If you know that the server you are using has a DNS name
    142. 

  142.     which does not match the identity in its certificate, you can
    143. 

  143.     [report that issue to its administrator or] set the option to
    144. 

  144.     "false", which will prevent the comparison to be done.
    145. 

  145. 

  146.     The options can be set globally or on a per-mirror basis. If set
    147. 

  147.     globally, the DNS name used is the one found in the sources.list
    148. 

  148.     file in the https URI.
    149. 

  149. 

  150.   Acquire::https[::repo.domain.tld]::SslCert "/path/to/client/cert.pem";
    151. 

  151.   Acquire::https[::repo.domain.tld]::SslKey  "/path/to/client/key.pem";
    152. 

  152. 

  153.     These two options provides support for client authentication using
    154. 

  154.     certificates. They respectively accept the X.509 client certificate
    155. 

  155.     in PEM format and the associated client key in PEM format (non
    156. 

  156.     encrypted form).
    157. 

  157. 

  158.     The options can be set globally (which rarely makes sense) or on a
    159. 

  159.     per-mirror basis.
    160. 

  160. 

  161.   Acquire::https[::repo.domain.tld]::SslForceVersion "TLSv1";
    162. 

  162. 

  163.     This option can be use to select the version which will be proposed
    164. 

  164.     to the server. "SSLv3" and "TLSv1" are supported. SSLv2, which is
    165. 

  165.     considered insecure anyway is not supported (by gnutls, which is
    166. 

  166.     used by libcurl against which apt https method is linked).
    167. 

  167. 

  168.     When the option is set to "SSLv3" to have apt propose SSLv3 (and
    169. 

  169.     associated sets of ciphersuites) instead of TLSv1 (the default)
    170. 

  170.     when performing the exchange. This prevents the server to select
    171. 

  171.     TLSv1 and use associated ciphersuites. You should probably not use
    172. 

  172.     this option except if you know exactly what you are doing.
    173. 

  173. 

  174.     Note that the default setting does not guarantee that the server
    175. 

  175.     will not select SSLv3 (for ciphersuites and SSL/TLS version as
    176. 

  176.     selection is always done by the server, in the end). It only means
    177. 

  177.     that apt will not advertise TLS support.
    178. 

  178. 

  179.   Debug::Acquire::https "true";
    180. 

  180. 

  181.     This option can be used to show debug information. Because it is
    182. 

  182.     quite verbose, it is mainly useful to debug problems in case of
    183. 

  183.     failure to connect to a server for some reason. The default value
    184. 

  184.     is "false".
    185. 

  185. 

  186. */
    187. 

  187.