
Bug#994032: switch from https to http transport for certain proxies



Control: tag -1 wontfix

On Fri, Sep 10, 2021 at 11:12:04AM +0200, Eduard Bloch wrote:
> Package: apt
> Version: 2.3.9
> Severity: wishlist
> 
> Hi,
> 
> as of now, there are certain HTTPS protocol schemes used in apt in
> conjunction with proxies.
> a) for http, the requests are used with GET and plain URL over http transport
> b) for https, CONNECT establishes a tunnel and then plain http over TLS
> stream is used
> 
> What we don't have is option c) the user might trust his proxy and
> want requests to be made in plain text (GET) but with https:// schema,
> and the proxy gets the responsibility for HTTPS communication and
> delivery of the content as plain HTTP response.
> 
> This should be configurable through some options. Some idea from mstone
> and me in the recent debian-devel thread about #992692:
> 
> > If we're imagining apt options, something like
> > Acquire::https::Force-Proxy-HTTP true;
> > would probably be more useful for this specific case (not that I think it's
> > a great idea--too much potential for surprise).
> 
> I would make it a list of trusted hosts and a special value ALL.

This is a NAK from my side. https sources should always be accessed
over https, anything else is a potential security issue (you might
forget you have that setting).

This issue is better addressed by having the proxy transparently
reencrypt the HTTPS connections, and users configuring the
certificate(s) the proxy uses for MitM as trusted. This allows
more control, and substantially reduces the risk for mistakes.

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
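
The three proxy request forms discussed in this thread, as an added example (not code from apt or from either poster): it builds the first request a client would send to a forward proxy in cases (a), (b) and the proposed (c), and records what the client-to-proxy hop exposes and who checks the origin's certificate. The function name, the `plaintext_https` flag and the `deb.example.org` host are assumptions made for illustration; apt has no such option.

```python
from urllib.parse import urlsplit

def first_proxy_request(url, plaintext_https=False):
    """Describe the first request a client sends to a forward proxy.

    plaintext_https=True models the proposed case (c); it is hypothetical.
    """
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    # urlsplit strips IPv6 brackets from .hostname; restore them for the wire.
    host = f"[{u.hostname}]" if ":" in u.hostname else u.hostname
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")

    if u.scheme == "https" and not plaintext_https:
        # Case (b): CONNECT opens a tunnel; the TLS session is end to end,
        # so the proxy learns only the host and port.
        authority = f"{host}:{u.port or 443}"
        wire = f"CONNECT {authority} HTTP/1.1\r\nHost: {authority}\r\n\r\n"
        return {"case": "b", "wire": wire.encode("ascii"),
                "cleartext_to_proxy": ["host", "port"],
                "origin_cert_checked_by": "client"}

    # Cases (a) and (c): absolute-form GET sent to the proxy in plain text.
    authority = host + (f":{u.port}" if u.port else "")
    wire = (f"GET {u.scheme}://{authority}{target} HTTP/1.1\r\n"
            f"Host: {authority}\r\n\r\n")
    is_https = u.scheme == "https"
    return {"case": "c" if is_https else "a", "wire": wire.encode("ascii"),
            # Everything in the request and response crosses this hop unencrypted.
            "cleartext_to_proxy": ["host", "port", "path", "headers", "body"],
            # In (c) the client never sees the origin certificate at all.
            "origin_cert_checked_by": "proxy" if is_https else None}

if __name__ == "__main__":
    url = "https://deb.example.org/debian/dists/stable/InRelease"  # constructed
    for flag in (False, True):
        r = first_proxy_request(url, plaintext_https=flag)
        print(r["case"], r["wire"].split(b"\r\n")[0].decode(),
              "| cert checked by:", r["origin_cert_checked_by"])
```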

