summaryrefslogtreecommitdiff
path: root/methods/connect.cc
diff options
context:
space:
mode:
authorDavid Kalnischkies <david@kalnischkies.de>2021-09-13 00:54:38 +0200
committerDavid Kalnischkies <david@kalnischkies.de>2021-09-13 16:09:19 +0200
commit4e04cbafe7db326b52ee650a4f4ccc3444da6890 (patch)
tree8dd2e43cfa4f8a44ff8480b9ab456ced0dee3e81 /methods/connect.cc
parent2b0369a5d1673d9e40f2af4db7677b040a26ee58 (diff)
Use https config on https proxies for http servers
The settings used for unwrapping TLS connections depend on the access and hostname we connect to more than what we eventually unwrap. The bugreport mentions CaInfo, but all other https-settings should also apply (regardless of generic or hostname specific) to an https proxy, even if the connection we proxy through it is http-only. Closes: #990555
Diffstat (limited to 'methods/connect.cc')
-rw-r--r--methods/connect.cc19
1 files changed, 10 insertions, 9 deletions
diff --git a/methods/connect.cc b/methods/connect.cc
index 044984403..bc2fe1de5 100644
--- a/methods/connect.cc
+++ b/methods/connect.cc
@@ -894,7 +894,8 @@ struct TlsFd : public MethodFd
};
ResultState UnwrapTLS(std::string const &Host, std::unique_ptr<MethodFd> &Fd,
- unsigned long Timeout, aptMethod *Owner)
+ unsigned long const Timeout, aptMethod * const Owner,
+ aptConfigWrapperForMethods const * const OwnerConf)
{
if (_config->FindB("Acquire::AllowTLS", true) == false)
{
@@ -940,7 +941,7 @@ ResultState UnwrapTLS(std::string const &Host, std::unique_ptr<MethodFd> &Fd,
}
// Credential setup
- std::string fileinfo = Owner->ConfigFind("CaInfo", "");
+ std::string fileinfo = OwnerConf->ConfigFind("CaInfo", "");
if (fileinfo.empty())
{
// No CaInfo specified, use system trust store.
@@ -965,20 +966,20 @@ ResultState UnwrapTLS(std::string const &Host, std::unique_ptr<MethodFd> &Fd,
}
}
- if (!Owner->ConfigFind("IssuerCert", "").empty())
+ if (not OwnerConf->ConfigFind("IssuerCert", "").empty())
{
_error->Error("The option '%s' is not supported anymore", "IssuerCert");
return ResultState::FATAL_ERROR;
}
- if (!Owner->ConfigFind("SslForceVersion", "").empty())
+ if (not OwnerConf->ConfigFind("SslForceVersion", "").empty())
{
_error->Error("The option '%s' is not supported anymore", "SslForceVersion");
return ResultState::FATAL_ERROR;
}
// For client authentication, certificate file ...
- std::string const cert = Owner->ConfigFind("SslCert", "");
- std::string const key = Owner->ConfigFind("SslKey", "");
+ std::string const cert = OwnerConf->ConfigFind("SslCert", "");
+ std::string const key = OwnerConf->ConfigFind("SslKey", "");
if (cert.empty() == false)
{
if ((err = gnutls_certificate_set_x509_key_file(
@@ -993,7 +994,7 @@ ResultState UnwrapTLS(std::string const &Host, std::unique_ptr<MethodFd> &Fd,
}
// CRL file
- std::string const crlfile = Owner->ConfigFind("CrlFile", "");
+ std::string const crlfile = OwnerConf->ConfigFind("CrlFile", "");
if (crlfile.empty() == false)
{
if ((err = gnutls_certificate_set_x509_crl_file(tlsFd->credentials,
@@ -1017,9 +1018,9 @@ ResultState UnwrapTLS(std::string const &Host, std::unique_ptr<MethodFd> &Fd,
return ResultState::FATAL_ERROR;
}
- if (Owner->ConfigFindB("Verify-Peer", true))
+ if (OwnerConf->ConfigFindB("Verify-Peer", true))
{
- gnutls_session_set_verify_cert(tlsFd->session, Owner->ConfigFindB("Verify-Host", true) ? tlsFd->hostname.c_str() : nullptr, 0);
+ gnutls_session_set_verify_cert(tlsFd->session, OwnerConf->ConfigFindB("Verify-Host", true) ? tlsFd->hostname.c_str() : nullptr, 0);
}
// set SNI only if the hostname is really a name and not an address