summaryrefslogtreecommitdiff
path: root/doc/examples/apt-https-method-example.conf
diff options
context:
space:
mode:
authorMichael Vogt <michael.vogt@ubuntu.com>2010-01-08 22:28:49 +0100
committerMichael Vogt <michael.vogt@ubuntu.com>2010-01-08 22:28:49 +0100
commit46e39c8e14dc98045107cfb38af8cecb8a4773b0 (patch)
treefc51ea417acab91f22e968f1fe7e5e0eb1a23b56 /doc/examples/apt-https-method-example.conf
parent48b78442a60faf567390eab4372fe3e06c183e73 (diff)
* French manpage translation update
* spot & fix various typos in all manpages * German manpage translation update * cmdline/apt-cache.cc: - remove translatable marker from the "%4i %s\n" string * buildlib/po4a_manpage.mak: - instruct debiandoc to build files with utf-8 encoding * buildlib/tools.m4: - fix some warning from the buildtools * apt-pkg/acquire-item.cc: - add configuration PDiffs::Limit-options to not download too many or too big patches (Closes: #554349) * debian/control: - let all packages depend on ${misc:Depends} * share/*-archive.gpg: - remove the horrible outdated files. We already depend on the keyring so we don't need to ship our own version * cmdline/apt-key: - errors out if wget is not installed (Closes: #545754) - add --keyring option as we have now possibly many * methods/gpgv.cc: - pass all keyrings (TrustedParts) to gpgv instead of using only one trusted.gpg keyring (Closes: #304846) * methods/https.cc: - finally merge the rest of the patchset from Arnaud Ebalard with the CRL and Issuers options, thanks! (Closes: #485963)
Diffstat (limited to 'doc/examples/apt-https-method-example.conf')
-rw-r--r--doc/examples/apt-https-method-example.conf21
1 files changed, 21 insertions, 0 deletions
diff --git a/doc/examples/apt-https-method-example.conf b/doc/examples/apt-https-method-example.conf
index 0067171bd..cc7889044 100644
--- a/doc/examples/apt-https-method-example.conf
+++ b/doc/examples/apt-https-method-example.conf
@@ -36,6 +36,8 @@
to access its content.
- The certificate presented by both server have (as expected) a CN that
matches their respective DNS names.
+ - We have CRL available for both dom1.tld and dom2.tld PKI, and intend
+ to use them.
- It somtimes happens that we had other more generic https available
repository to our list. We want the checks to be performed against
a common list of anchors (like the one provided by ca-certificates
@@ -56,10 +58,13 @@ Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.pem";
// Use a specific anchor and associated CRL. Enforce issuer of
// server certificate using its cert.
Acquire::https::secure.dom1.tld::CaInfo "/etc/apt/certs/ca-dom1-crt.pem";
+Acquire::https::secure.dom1.tld::CrlFile "/etc/apt/certs/ca-dom1-crl.pem";
+Acquire::https::secure.dom1.tld::IssuerCert "/etc/apt/certs/secure.dom1-issuer-crt.pem";
// Like previous for anchor and CRL, but also provide our
// certificate and keys for client authentication.
Acquire::https::secure.dom2.tld::CaInfo "/etc/apt/certs/ca-dom2-crt.pem";
+Acquire::https::secure.dom2.tld::CrlFile "/etc/apt/certs/ca-dom2-crl.pem";
Acquire::https::secure.dom2.tld::SslCert "/etc/apt/certs/my-crt.pem";
Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
@@ -97,6 +102,22 @@ Acquire::https::secure.dom2.tld::SslKey "/etc/apt/certs/my-key.pem";
used for the https entries in the sources.list file that use that
repository (with the same name).
+ Acquire::https[::repo.domain.tld]::CrlFile "/path/to/all/crl.pem";
+
+ Like previous knob but for passing the list of CRL files (in PEM
+ format) to be used to verify revocation status. Again, if the
+ option is defined with no specific mirror (probably makes little
+ sense), this CRL information is used for all defined https entries
+ in sources.list file. In a mirror specific context, it only applies
+ to that mirror.
+
+ Acquire::https[::repo.domain.tld]::IssuerCert "/path/to/issuer/cert.pem";
+
+ Allows to constrain the issuer of the server certificate (for all
+ https mirrors or a specific one) to a specific issuer. If the
+ server certificate has not been issued by this certificate,
+ connection fails.
+
Acquire::https[::repo.domain.tld]::Verify-Peer "true";
When authenticating the server, if the certificate verification fails