apt will not use configured client certificate when redirected from http url to https

Bug #1217741 reported by Esko Järnfors on 2013-08-28
This bug affects 3 people
Affects Status Importance Assigned to Milestone
apt (Ubuntu)

Bug Description

We have a web server that has our internal package repository. The server is configured so that it will communicate via port 80 with clients in internal network, which basically makes it possible for the clients to get packages during OS installation when they do not yet have a client certificate. The clients outside our network are redirected with a HTTP 302 to the same url with https transport and the https server requires the client to authenticate with a client certificate. We have configured apt like this (obviously with real paths and server name):

Acquire::https::our-server.our-domain {
  Verify-Peer "true";
  Verify-Host "true";

  CaInfo "/path/to/ca/cert.pem";
  SslCert "/path/to/client/cert.pem";
  SslKey "/path/to/client/key.pem";

As long as the repository is marked as https://... in /etc/apt/sources.list, these settings are used and everything works right. However, if the repository is marked as http://, and the client is redirected with HTTP 302 to https:// url, the client certificate is not presented properly and downloading files fails.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apt (Ubuntu):
status: New → Confirmed
David Kalnischkies (donkult) wrote :

The code doesn't allow switching protocols with a redirect so far, so its not a bug as such, but a missing feature.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers