apt will not use configured client certificate when redirected from http url to https

Bug #1217741 reported by Esko Järnfors
This bug affects 3 people
Affects: apt (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

We have a web server that has our internal package repository. The server is configured so that it will communicate via port 80 with clients in the internal network, which basically makes it possible for the clients to get packages during OS installation when they do not yet have a client certificate. The clients outside our network are redirected with an HTTP 302 to the same URL with https transport, and the https server requires the client to authenticate with a client certificate. We have configured apt like this (obviously with real paths and server name):

/etc/apt/apt.conf.d/45our-server:
-------
Acquire::https::our-server.our-domain {
  Verify-Peer "true";
  Verify-Host "true";

  CaInfo "/path/to/ca/cert.pem";
  SslCert "/path/to/client/cert.pem";
  SslKey "/path/to/client/key.pem";
};
-------

As long as the repository is marked as https://... in /etc/apt/sources.list, these settings are used and everything works right. However, if the repository is marked as http://, and the client is redirected with HTTP 302 to an https:// URL, the client certificate is not presented properly and downloading files fails.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
David Kalnischkies (donkult) wrote :

The code doesn't allow switching protocols with a redirect so far, so it's not a bug as such, but a missing feature.
https://bazaar.launchpad.net/~ubuntu-core-dev/apt/ubuntu/view/head:/methods/http.cc#L993
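
Added example (not part of the report and not apt's own code): the report states that the per-host client certificate settings are used only when the repository is listed as https://, so this Python check flags sources.list entries that still use http:// for a host with an Acquire::https client certificate configured. The sample configuration, sources lines, the mirror.example.org host and the function names are constructed for illustration.

```python
import re

# Constructed samples mirroring the report (placeholder host and paths).
APT_CONF = '''
Acquire::https::our-server.our-domain {
  Verify-Peer "true";
  Verify-Host "true";
  CaInfo "/path/to/ca/cert.pem";
  SslCert "/path/to/client/cert.pem";
  SslKey "/path/to/client/key.pem";
};
'''
SOURCES_LIST = '''
# constructed sample
deb http://our-server.our-domain/repo stable main
deb [arch=amd64] https://our-server.our-domain/repo stable main
deb http://mirror.example.org/ubuntu stable main
'''

def client_cert_hosts(conf_text):
    """Hosts that have an Acquire::https::<host> scope setting SslCert."""
    hosts = set()
    # Block form: Acquire::https::host { ... SslCert "..."; ... };
    block = r'Acquire::https::([^\s:{]+)\s*\{(.*?)\}\s*;'
    for host, body in re.findall(block, conf_text, re.S | re.I):
        if re.search(r'\bSslCert\b', body, re.I):
            hosts.add(host.lower())
    # One-line form: Acquire::https::host::SslCert "...";
    one_line = r'Acquire::https::([^\s:{]+)::SslCert\b'
    hosts.update(h.lower() for h in re.findall(one_line, conf_text, re.I))
    return hosts

def plain_http_sources(sources_text, hosts):
    """(line number, host) for deb lines using http:// on a client-cert host."""
    hits = []
    entry = r'deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(\w+)://(?:[^/@\s]*@)?([^/\s:]+)'
    for n, line in enumerate(sources_text.splitlines(), 1):
        m = re.match(entry, line.split('#', 1)[0].strip())
        if m and m.group(1).lower() == 'http' and m.group(2).lower() in hosts:
            hits.append((n, m.group(2).lower()))
    return hits

if __name__ == "__main__":
    for lineno, host in plain_http_sources(SOURCES_LIST, client_cert_hosts(APT_CONF)):
        print(f"line {lineno}: {host} is listed as http:// but has a client "
              "certificate configured for https://; use an https:// URI")
```
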
