From: Arnaud Ebalard <arno <at> natisbad.org>
Subject: [PATCH] APT https method improvements
Newsgroups: gmane.linux.debian.apt.devel
Date: Monday 2nd June 2008 16:35:32 UTC

Attached is a set of simple patches for the apt https method developed by
Axel and me. They add client authentication, CRL handling, and the ability to
check the issuer, and also some other things that are described in detail
below.

Note that this post is more a request for comments and preliminary code
review (for instance w.r.t. the documentation patch) for the following reason:
because support for CRL handling and issuer check was missing in the
underlying library (libcurl-gnutls), we submitted [1] a set of patches to
the curl developers providing those functionalities. They were accepted but
came during a freeze window and will only be in 7.18.3 (see [2]). For that
reason, we thought we would request your comments on the apt patches in
the meantime.

The patches have been tested (different combinations of options,
revoked CRL, missing CA certificates, bad server name, ...).

The 3 patches are commented below. They apply in that order on top of
0.7.14 (0.7.13 too).


  Patch 1

  The patch modifies methods/https.cc and adds support for client
  authentication. It allows the user to configure a client certificate and
  associated key (previously, a single knob was available that used an
  undocumented behavior of libcurl-gnutls) to authenticate to a
  mirror. This can be done for all https mirrors or on a per-mirror basis.

  The patch also *changes* how apt handles verify-host by setting it to
  true by default and makes verify-peer a boolean. The changes to those
  two knobs' default values make the use of SSL/TLS meaningful:
   - the server certificate is verified and the connection fails if it is
     invalid. This is the expected behavior. The user has to explicitly set
     it to false (on a global or per-mirror basis) to deactivate the check.
   - the identity provided in the certificate is checked against the server
     name. If they do not match, the connection fails by default. Again,
     this is the expected behavior and the user has to explicitly set it to
     false to deactivate the check (on a global or per-mirror basis).

  I decided not to open a ticket against the current behavior (not
  documented anyway) and to discuss it here before.

  The last addition provided by this patch is the ability to force the
  version advertised by the client (SSLv3 or TLSv1). Again, on a global
  or per-mirror basis.

  Note that this patch is already usable without the improvements we
  pushed to the curl developers (i.e. against current libcurl-gnutls).

  Patch 2

  This patch adds support for:
   - CRL check: the user can pass a list of CRLs that will be used to
     verify the server certificate. This can be done on a global or
     per-mirror basis. If none is provided, no CRL check is done.
   - issuer check: in a multi-level PKI, this can be useful to limit the
     servers to a specific branch of the tree. The option allows doing
     that by specifying the issuer certificate. Even if the common
     certificate validation is done (anchors, CRL, ...), the additional
     check is done.
  Both can be set on a global or per-mirror basis.

  Patch 3

  This provides a sample configuration file that details the
  functionalities discussed above. We decided to use this format
  because it is simple, and we did not find an existing man page that we
  could improve. Tell us if this should be done differently.



[1]: http://permalink.gmane.org/gmane.comp.web.curl.library/19221
[2]: http://permalink.gmane.org/gmane.comp.web.curl.library/19244
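As an added example (not the sample file shipped as patch 3, and not text from the post), here is an apt.conf fragment that exercises the knobs the three patches describe: the weak pre-patch behavior written out beside the hardened defaults, client authentication, the CRL and issuer checks, version forcing, and a per-mirror override. The option names used, Acquire::https::Verify-Peer, Verify-Host, CaInfo, CrlFile, SslCert, SslKey, IssuerCert and SslForceVersion, and the Acquire::https::<host>:: per-mirror form, are those later documented for apt's https method in apt-transport-https(1); the message itself does not name them. The host names and file paths are invented.

```conf
// Added example, not part of the post or the patches. Option names follow
// later apt-transport-https(1) documentation; hosts and paths are made up.

// Weak configuration: this is what the pre-patch defaults amounted to, and
// what you now have to write explicitly to get it back. Without peer
// verification any certificate is accepted; without host verification a
// valid certificate for some other name is accepted too. Either one lets
// an on-path attacker impersonate the mirror and feed you packages.
//
//   Acquire::https::Verify-Peer "false";
//   Acquire::https::Verify-Host "false";

// Hardened global defaults. "true" is the patched default; stating it
// explicitly keeps the intent visible in the config.
Acquire::https {
  Verify-Peer "true";
  Verify-Host "true";
  // Trust anchors used to build and validate the server's chain.
  CaInfo "/etc/apt/ssl/mirror-ca-bundle.pem";
  // CRL check: a PEM bundle holding the CRL of every CA in the chain.
  // If this is omitted, no revocation check is performed at all.
  CrlFile "/etc/apt/ssl/mirror-crls.pem";
  // Force the version the client advertises. Prefer TLSv1 over SSLv3;
  // never force SSLv3.
  SslForceVersion "TLSv1";
};

// Per-mirror settings override the global ones for that host only.

// Client authentication towards a mirror restricted to known clients.
Acquire::https::secure-mirror.example.org::SslCert "/etc/apt/ssl/client.crt";
Acquire::https::secure-mirror.example.org::SslKey  "/etc/apt/ssl/client.key";

// Issuer check: in a multi-level PKI, accept this mirror only if its
// certificate was issued by the intermediate below, on top of the normal
// chain validation against the anchors in CaInfo and the CRL check.
Acquire::https::secure-mirror.example.org::IssuerCert "/etc/apt/ssl/mirrors-intermediate.pem";

// A lab mirror with a self-signed certificate: disable verification for
// this one host only, never globally. Its content is then only as
// trustworthy as the network path to it.
Acquire::https::lab-mirror.example.internal::Verify-Peer "false";
Acquire::https::lab-mirror.example.internal::Verify-Host "false";
```

The scoping is the point of the per-mirror form: the two "false" settings under lab-mirror.example.internal leave the global "true" defaults in force for every other https mirror. To see which values apt will actually use after merging /etc/apt/apt.conf and /etc/apt/apt.conf.d/*, run `apt-config dump | grep -i Acquire::https`.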