Debian 11 apt HTTPS upgrade
Upgrading package downloads from HTTP to HTTPS can help with meeting standards such as PCI DSS and NIST SP 800-53. Use of an encrypted transport can also mitigate future zero-day remote code execution vulnerabilities in the package manager itself, of the kind seen in the past with CVE-2019-3462, CVE-2016-1252 and CVE-2014-6273, by denying an on-path attacker the ability to inject crafted responses.
This short guide aims to help in upgrading the default repositories' URLs from plaintext to encrypted.
Virtual Machine
The commands simply change the URL scheme from http to https, making a backup file (with extension .orig) in the process.
AWS User Data
#!/bin/bash -ex
sed --in-place=.orig --regexp-extended 's%http://(cdn-aws.)*(deb|security).debian.org%https://\2.debian.org%g' /etc/apt/sources.list
GCP Startup Script
#!/bin/bash -ex
sed --in-place=.orig --regexp-extended 's%http://(deb|security).debian.org%https://\1.debian.org%g' /etc/apt/sources.list
sed --in-place=.orig --regexp-extended 's%http://packages.cloud.google.com%https://packages.cloud.google.com%g' /etc/apt/sources.list.d/*.list
Container
Dockerfile
FROM debian:11-slim
RUN echo 'Acquire::https::Verify-Peer "false";' > /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf && \
sed --in-place=.orig --regexp-extended 's%http://(deb|security).debian.org%https://\1.debian.org%g' /etc/apt/sources.list && \
apt-get update && \
apt-get install --assume-yes ca-certificates && \
rm /etc/apt/apt.conf.d/99_tmp_ssl-verify-off.conf
These commands first turn off TLS certificate verification because (a) the container build process may already be behind DiscrimiNAT and (b) the CA certificate bundle, which the debian:11-slim base image does not ship, must be downloaded before verification can work. DiscrimiNAT independently verifies each connection and ensures that apt connected to the specified CDN even though apt itself did not verify the certificate. apt's own signature check on the repository's Release files is unaffected by this setting and remains in force. The configuration that turned verification off is removed after the bundle is installed.
Allowlist
FQDNs
deb.debian.org,security.debian.org,packages.cloud.google.com
DiscrimiNAT Annotation
discriminat:tls:deb.debian.org,security.debian.org,packages.cloud.google.com
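As an added example, not part of this guide or of DiscrimiNAT, the script below applies the same scheme rewrite as the sed commands above to a constructed sources.list, verifies that no active entry still uses http://, and derives the FQDN list for the allowlist from the result. The sample file contents, the mirror.example host in the commented line and the function names are assumptions.

```shell
#!/bin/bash
# Added example (not part of the DiscrimiNAT guide): rewrites apt sources to
# https with the same rules as the guide, then checks nothing plaintext is left.
set -eu

# Rewrite one sources file in place, keeping a .orig backup. Handles the AWS
# cdn-aws. mirror prefix, the plain Debian hosts, and the GCP package host.
upgrade_sources_to_https() {
  sed -E -i.orig \
    -e 's%http://(cdn-aws\.)?(deb|security)\.debian\.org%https://\2.debian.org%g' \
    -e 's%http://packages\.cloud\.google\.com%https://packages.cloud.google.com%g' \
    "$1"
}

# Return 0 if no active (non-comment) line still uses http://, else 1.
check_no_plaintext() {
  ! grep -E '^[^#]*[[:space:]]http://' "$1" >/dev/null
}

# Print the unique FQDNs used by active deb/deb-src lines, comma separated,
# in the format expected by the DiscrimiNAT allowlist annotation.
list_fqdns() {
  grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" \
    | sed -E 's%^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*][[:space:]]+)?https?://([^/[:space:]]+).*%\3%' \
    | sort -u | paste -sd, -
}

# Constructed sample sources.list resembling a Debian 11 AWS image.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
deb http://cdn-aws.deb.debian.org/debian bullseye main
deb-src http://cdn-aws.deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security bullseye-security main
deb http://packages.cloud.google.com/apt cloud-sdk main
# deb http://mirror.example/debian bullseye contrib
EOF

upgrade_sources_to_https "$SAMPLE"
check_no_plaintext "$SAMPLE" && echo "all active entries now use https"
echo "allowlist: $(list_fqdns "$SAMPLE")"
```

The commented-out line is left alone by the rewrite and ignored by the check, so only entries apt would actually use are reported.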