
Bug#990555: marked as done (When using an HTTPS proxy for HTTP repositories, APT ignores CaInfo (and possibly other Acquire::https options))



Your message dated Mon, 18 Oct 2021 14:48:28 +0000
with message-id <E1mcTwC-000A4h-6M@fasolo.debian.org>
and subject line Bug#990555: fixed in apt 2.3.10
has caused the Debian Bug report #990555,
regarding When using an HTTPS proxy for HTTP repositories, APT ignores CaInfo (and possibly other Acquire::https options)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
990555: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990555
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 1.8.2.3

When using an HTTPS proxy for plain-HTTP repositories, it seems that CaInfo is ignored.

Typically:

apt-get -o Acquire::https::CaInfo=/cafile.crt -o Acquire::http::Proxy="https://apt-cache.local" update

will fail with:

  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification.

I did verify that my certificate and configuration are valid, in two different ways:

1. if I add my certificate into /etc/ssl/certs, things will work as expected

2. when accessing the proxy as if it was a repository itself, directly, using -o Acquire::https::CaInfo works as expected


My intuition is that because the repository is plain http, apt drops out any Acquire::https configuration before attempting to connect to the proxy.

To validate that, I tried to add on a hunch:

-o Acquire::http::CaInfo=/cafile

... it makes it work... though this doesn't seem to be documented (and does not make much sense?).

What are your thoughts?

Thanks.


--- End Message ---
--- Begin Message ---
Source: apt
Source-Version: 2.3.10
Done: Julian Andres Klode <jak@debian.org>

We believe that the bug you reported is fixed in the latest version of
apt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 990555@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julian Andres Klode <jak@debian.org> (supplier of updated apt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Oct 2021 16:35:21 +0200
Source: apt
Architecture: source
Version: 2.3.10
Distribution: unstable
Urgency: medium
Maintainer: APT Development Team <deity@lists.debian.org>
Changed-By: Julian Andres Klode <jak@debian.org>
Closes: 989558 990281 990555
Changes:
 apt (2.3.10) unstable; urgency=medium
 .
   [ Julian Andres Klode ]
   * basehttp: Turn HaveContent into a TriState
   * Set haveContent to FALSE on `Content-Length: 0` (Closes: #990281)
   * Add support for embedding PGP keys into Signed-By in deb822 sources
 .
   [ David Kalnischkies ]
   * All pkgCaches are MultiArch caches
   * Do not strip M-A for native build-dep resolution
   * Do not make provides of M-A:allowed implicit M-A:foreign
   * Barbarian M-A:allowed don't satisfy :any deps of other archs
   * Streamline access to barbarian architecture functionality
   * Read and work with canonical file-URIs from sources.lists
   * Use https config on https proxies for http servers (Closes: #990555)
   * Add AllowRange option to disable HTTP Range usage
   * Disable HTTP Range usage if varnish < 6.4 is involved
   * Use exact If-Range match in our test webserver
 .
   [ Johannes Schauer Marin Rodrigues ]
   * add pattern to select packages by priority (closes: #989558)

--- End Message ---
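
Added example (not part of the original thread and not APT's own code): a small audit that classifies a configuration, given in `apt-config dump` format, against the behaviour reported in this bug. It assumes every apt version below 2.3.10 is unfixed (backports are not considered), uses a simplified version comparison, and inspects only the global CaInfo and Proxy options named in the report; the function names and sample inputs are constructed for illustration.

```python
import re

FIXED_IN = "2.3.10"  # from the closing message: "fixed in apt 2.3.10"
# `apt-config dump` prints one option per line as: Name "value";
_OPTION = re.compile(r'^\s*(\S+)\s+"(.*)";\s*$')

def parse_dump(text):
    """Map option names to values; names are lower-cased so lookups ignore case."""
    conf = {}
    for line in text.splitlines():
        m = _OPTION.match(line)
        if m:
            conf[m.group(1).lower()] = m.group(2)
    return conf

def version_key(version):
    """Simplified ordering (assumption): leading dotted numbers only, no epoch or ~/+ suffixes."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def audit(dump_text, apt_version):
    """Classify a configuration against the behaviour reported in Bug#990555."""
    conf = parse_dump(dump_text)
    proxy = conf.get("acquire::http::proxy", "")
    if not proxy.lower().startswith("https://"):
        return "not-applicable"      # no TLS handshake with the proxy
    if not conf.get("acquire::https::cainfo"):
        return "not-applicable"      # no custom CA file that could be ignored
    if version_key(apt_version) >= version_key(FIXED_IN):
        return "fixed"               # https config is used for the https proxy
    if conf.get("acquire::http::cainfo"):
        return "workaround"          # undocumented Acquire::http::CaInfo is set
    return "affected"                # proxy certificate checked without the custom CA

# Constructed samples in `apt-config dump` format, reusing the report's values.
REPORTED = '''Acquire::https::CaInfo "/cafile.crt";
Acquire::http::Proxy "https://apt-cache.local";
'''
WORKAROUND = REPORTED + 'Acquire::http::CaInfo "/cafile";\n'

if __name__ == "__main__":
    for name, dump, ver in [("reported", REPORTED, "1.8.2.3"),
                            ("workaround", WORKAROUND, "1.8.2.3"),
                            ("upgraded", REPORTED, "2.3.10")]:
        print(name, ver, audit(dump, ver))
```

A "workaround" result is worth revisiting after an upgrade, since the report notes that Acquire::http::CaInfo is not documented.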
