1APT-TRANSPORT-HTTP(1) APT APT-TRANSPORT-HTTP(1)
2
3
4
6 apt-transport-https - APT transport for downloading via the HTTP Secure
7 protocol (HTTPS)
8
10 This APT transport allows the use of repositories accessed via the HTTP
11 Secure protocol (HTTPS), also referred to as HTTP over TLS. It is
12 available by default since apt 1.5 and was available before that in the
13 package apt-transport-https. Note that a transport is never called
14 directly by a user but used by APT tools based on user configuration.
15
16 HTTP is by itself an unencrypted transport protocol (compare apt-
17 transport-http(1)), which, as indicated by the appended S, is wrapped
18 in an encrypted layer known as Transport Layer Security (TLS) to
19 provide end-to-end encryption. A sufficiently capable attacker can
20 still observe the communication partners and deeper analysis of the
21 encrypted communication might still reveal important details. An
22 overview over available alternative transport methods is given in
23 sources.list(5).
24
26 The HTTPS protocol is based on the HTTP protocol, so all options
27 supported by apt-transport-http(1) are also available via
28 Acquire::https and will default to the same values specified for
29 Acquire::http. This manpage will only document the options unique to
30 https.
31
32 Server credentials
33 By default all certificates trusted by the system (see ca-certificates
34 package) are used for the verification of the server certificate. An
35 alternative certificate authority (CA) can be configured with the
36 Acquire::https::CAInfo option and its host-specific option
37 Acquire::https::CAInfo::host. The CAInfo option specifies a file made
38 up of CA certificates (in PEM format) concatenated together to create
39 the chain which APT should use to verify the path from your self-signed
40 root certificate. If the remote server provides the whole chain during
41 the exchange, the file need only contain the root certificate.
42 Otherwise, the whole chain is required. If you need to support multiple
43 authorities, the only way is to concatenate everything.
44
45 A custom certificate revocation list (CRL) can be configured with the
46 options Acquire::https::CRLFile and Acquire::https::CRLFile::host. As
47 with the previous option, a file in PEM format needs to be specified.
48
49 Disabling security
50 During server authentication, if certificate verification fails for
51 some reason (expired, revoked, man in the middle, etc.), the connection
52 fails. This is obviously what you want in all cases and what the
53 default value (true) of the option Acquire::https::Verify-Peer and its
54 host-specific variant provides. If you know exactly what you are doing,
55 setting this option to "false" allows you to skip peer certificate
56 verification and make the exchange succeed. Again, this option is for
57 debugging or testing purposes only as it removes all security provided
58 by the use of HTTPS.
59
60 Similarly the option Acquire::https::Verify-Host and its host-specific
61 variant can be used to deactivate a security feature: The certificate
62 provided by the server includes the identity of the server which should
63 match the DNS name used to access it. By default, as requested by RFC
64 2818, the name of the mirror is checked against the identity found in
65 the certificate. This default behavior is safe and should not be
66 changed, but if you know that the server you are using has a DNS name
67 which does not match the identity in its certificate, you can set the
68 option to "false", which will prevent the comparison from being
69 performed.
70
71 Client authentication
72 Besides supporting password-based authentication (see apt_auth.conf(5))
73 HTTPS also supports authentication based on client certificates via
74 Acquire::https::SSLCert and Acquire::https::SSLKey. These should be set
75 respectively to the filename of the X.509 client certificate and the
76 associated (unencrypted) private key, both in PEM format. In practice
77 the use of the host-specific variants of both options is highly
78 recommended.
79
81 Acquire::https {
82 Proxy::example.org "DIRECT";
83 Proxy "socks5h://apt:pass@127.0.0.1:9050";
84 Proxy-Auto-Detect "/usr/local/bin/apt-https-proxy-auto-detect";
85 No-Cache "true";
86 Max-Age "3600";
87 No-Store "true";
88 Timeout "10";
89 Dl-Limit "42";
90 Pipeline-Depth "0";
91 AllowRedirect "false";
92 User-Agent "My APT-HTTPS";
93 SendAccept "false";
94
95 CAInfo "/path/to/ca/certs.pem";
96 CRLFile "/path/to/all/crl.pem";
97 Verify-Peer "true";
98 Verify-Host::broken.example.org "false";
99 SSLCert::example.org "/path/to/client/cert.pem";
100 SSLKey::example.org "/path/to/client/key.pem"
101 };
102
104 apt-transport-http(1) apt.conf(5) apt_auth.conf(5) sources.list(5)
105
107 APT bug page[1]. If you wish to report a bug in APT, please see
108 /usr/share/doc/debian/bug-reporting.txt or the reportbug(1) command.
109
111 APT team
112
114 1. APT bug page
115 http://bugs.debian.org/src:apt
116
117
118
119APT 2.4.5 11 May 2018 APT-TRANSPORT-HTTP(1)