
Debian 11 apt HTTPS upgrade

Upgrading package downloads from HTTP to HTTPS can help with meeting standards such as PCI DSS and NIST SP 800-53. Use of an encrypted transport can also mitigate future zero-day remote code execution vulnerabilities in the package managers themselves, of which CVE-2019-3462, CVE-2016-1252 and CVE-2014-6273 are past examples.

This short guide aims to help in upgrading the default repositories' URLs from plaintext to encrypted.

Virtual Machine

The commands simply change the URL scheme from http to https in /etc/apt/sources.list, keeping a backup of the original file (with the extension .orig) in the process.

AWS User Data

#!/bin/bash -ex
sed --in-place=.orig --regexp-extended 's%http://(cdn-aws.)*(deb|security).debian.org%https://\2.debian.org%g' /etc/apt/sources.list

GCP Startup Script

#!/bin/bash -ex
sed --in-place=.orig --regexp-extended 's%http://(deb|security).debian.org%https://\1.debian.org%g' /etc/apt/sources.list
sed --in-place=.orig --regexp-extended 's%http://packages.cloud.google.com%https://packages.cloud.google.com%g' /etc/apt/sources.list.d/*.list
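
The following is an added example, not part of the original guide: it applies the same rewrite as the AWS and GCP scripts above to sources.list content read from standard input, and then lists any active deb or deb-src entry that still uses http://, so a mirror the expression did not cover is caught before apt-get update runs. The host names are those from the guide; the sample sources.list content is constructed for the demonstration, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not the guide's own scripts). Rewrites deb.debian.org,
# security.debian.org (including the AWS CDN alias cdn-aws.deb.debian.org)
# and packages.cloud.google.com from http:// to https://, reading a
# sources.list on stdin and writing the result to stdout.
upgrade_sources() {
    sed -E \
        -e 's%http://(cdn-aws\.)?(deb|security)\.debian\.org%https://\2.debian.org%g' \
        -e 's%http://packages\.cloud\.google\.com%https://packages.cloud.google.com%g'
}

# Prints every active (non-comment) deb/deb-src line that still fetches over
# http://, including lines with an options block such as [signed-by=...].
# Returns 0 when nothing plaintext remains, 1 otherwise.
remaining_plaintext() {
    if grep -E '^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*][[:space:]]+)?http://'; then
        return 1
    fi
    return 0
}

# Constructed sample sources.list content for the demonstration.
SAMPLE_SOURCES='deb http://cdn-aws.deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security bullseye-security main
deb [signed-by=/usr/share/keyrings/cloud.google.gpg] http://packages.cloud.google.com/apt cloud-sdk main
# deb http://example.invalid/debian bullseye contrib'

# Demo: show the rewritten list, then confirm no plaintext entry is left.
printf '%s\n' "$SAMPLE_SOURCES" | upgrade_sources
printf '%s\n' "$SAMPLE_SOURCES" | upgrade_sources | remaining_plaintext \
    && echo "all active entries use https"
```

On a real host the equivalent check after running the guide's sed commands is to pipe /etc/apt/sources.list (and /etc/apt/sources.list.d/*.list) through remaining_plaintext; a non-zero exit means some repository is still fetched over plaintext and will not be covered by the allowlist below.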

Container

Dockerfile

FROM debian:11-slim

RUN echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf && \
sed --in-place=.orig --regexp-extended 's%http://(deb|security).debian.org%https://\1.debian.org%g' /etc/apt/sources.list && \
apt-get update && \
apt-get install --assume-yes ca-certificates && \
rm /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf

These commands first turn off TLS certificate verification because (a) the container build may already be running behind DiscrimiNAT and (b) the CA certificates bundle (the ca-certificates package) must itself be downloaded before verification can work. DiscrimiNAT independently verifies each connection and will ensure apt connected to the CDN specified even though apt itself did not verify the certificate. The configuration that turned verification off is removed once the bundle is installed.

Allowlist

FQDNs

deb.debian.org,security.debian.org,packages.cloud.google.com

DiscrimiNAT Annotation

discriminat:tls:deb.debian.org,security.debian.org,packages.cloud.google.com