
Bug#485960: APT https method does not verify peer certificate by default



Package: apt
Version: 0.7.14
Severity: normal

By default, the APT https method does not check the server certificate, but only
that the identity in the certificate matches the server name. From a
security standpoint (even if the list of packages can otherwise be signed,
this might not be the case), this makes https useless without explicitly
setting the (undocumented) option to true.

I already sent some comments and a set of patches that fix the issue
(and others) for discussion, directly to deity@lists.debian.org, but
got no reply:

http://permalink.gmane.org/gmane.linux.debian.apt.devel/14771

I decided to file a bug report. Is that the correct way to handle that?

Cheers,

a+

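The weak and corrected settings the report is about, as an added example that is not part of the bug report or of APT itself. It assumes the apt-transport-https option names Acquire::https::Verify-Peer, Acquire::https::Verify-Host and Acquire::https::CaInfo, and the CA bundle path is an assumption for the example. The audit function reads the flat `Key "value";` form that `apt-config dump` emits, so it can be pointed at a live system's effective configuration rather than at hand-edited files with nested blocks.

```shell
#!/bin/sh
# Added example, not from the bug report or from APT: an apt.conf fragment
# with peer verification left off beside one that turns it on, plus a check
# that flags configurations where Verify-Peer is missing or false.
# Option names are the apt-transport-https settings; the CA bundle path
# is an assumption for this example.

# Weak configuration (constructed sample): Verify-Peer is never set, so the
# default applies and the server certificate is not checked against a CA.
WEAK_CONF='Acquire::https::Proxy "false";
// Verify-Peer "true";  <- commented out, so it has no effect'

# Corrected configuration: verify the chain and the hostname, and say which
# CA bundle to trust (path is an assumption for this example).
HARDENED_CONF='Acquire::https::Verify-Peer "true";
Acquire::https::Verify-Host "true";
Acquire::https::CaInfo "/etc/ssl/certs/ca-certificates.crt";'

# https_verify_status CONFIG_TEXT
# Prints "verified" when Acquire::https::Verify-Peer is explicitly set to a
# true value, "unverified" otherwise. Only the flat Key "value"; syntax is
# handled; feed it the output of `apt-config dump`, which flattens nested
# Acquire { https { ... } } blocks, to audit a live system. // comments are
# stripped first so a commented-out setting does not count.
https_verify_status() {
    if printf '%s\n' "$1" \
        | sed 's,//.*$,,' \
        | grep -iE '^[[:space:]]*Acquire::https::Verify-Peer[[:space:]]+"?(true|yes|on|1)"?[[:space:]]*;' \
          >/dev/null; then
        echo verified
    else
        echo unverified
    fi
}

# Stand-alone usage: on a real host replace the sample text with
#   https_verify_status "$(apt-config dump)"
echo "weak config:     $(https_verify_status "$WEAK_CONF")"
echo "hardened config: $(https_verify_status "$HARDENED_CONF")"
```

The check is deliberately strict: an absent setting is reported as unverified, because on the version discussed in this report the default is what leaves the certificate unchecked.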

