{
    "mode": "man",
    "parameter": "apt-transport-https",
    "section": "1",
    "url": "https://www.chedong.com/phpMan.php/man/apt-transport-https/1/json",
    "generated": "2026-06-17T13:56:41Z",
    "sections": {
        "NAME": {
            "content": "apt-transport-https - APT transport for downloading via the HTTP Secure protocol (HTTPS)\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "This APT transport allows the use of repositories accessed via the HTTP Secure protocol\n(HTTPS), also referred to as HTTP over TLS. It is available by default since apt 1.5 and was\navailable before that in the package apt-transport-https. Note that a transport is never\ncalled directly by a user but used by APT tools based on user configuration.\n\nHTTP is by itself an unencrypted transport protocol (compare apt-transport-http(1)), which,\nas indicated by the appended S, is wrapped in an encrypted layer known as Transport Layer\nSecurity (TLS) to provide end-to-end encryption. A sufficiently capable attacker can still\nobserve the communication partners and deeper analysis of the encrypted communication might\nstill reveal important details. An overview over available alternative transport methods is\ngiven in sources.list(5).\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "The HTTPS protocol is based on the HTTP protocol, so all options supported by apt-transport-\nhttp(1) are also available via Acquire::https and will default to the same values specified\nfor Acquire::http. This manpage will only document the options unique to https.\n",
            "subsections": [
                {
                    "name": "Server credentials",
                    "content": "By default all certificates trusted by the system (see ca-certificates package) are used for\nthe verification of the server certificate. An alternative certificate authority (CA) can be\nconfigured with the Acquire::https::CAInfo option and its host-specific option\nAcquire::https::CAInfo::host. The CAInfo option specifies a file made up of CA certificates\n(in PEM format) concatenated together to create the chain which APT should use to verify the\npath from your self-signed root certificate. If the remote server provides the whole chain\nduring the exchange, the file need only contain the root certificate. Otherwise, the whole\nchain is required. If you need to support multiple authorities, the only way is to\nconcatenate everything.\n\nA custom certificate revocation list (CRL) can be configured with the options\nAcquire::https::CRLFile and Acquire::https::CRLFile::host. As with the previous option, a\nfile in PEM format needs to be specified.\n"
                },
                {
                    "name": "Disabling security",
                    "content": "During server authentication, if certificate verification fails for some reason (expired,\nrevoked, man in the middle, etc.), the connection fails. This is obviously what you want in\nall cases and what the default value (true) of the option Acquire::https::Verify-Peer and its\nhost-specific variant provides. If you know exactly what you are doing, setting this option\nto \"false\" allows you to skip peer certificate verification and make the exchange succeed.\nAgain, this option is for debugging or testing purposes only as it removes all security\nprovided by the use of HTTPS.\n\nSimilarly the option Acquire::https::Verify-Host and its host-specific variant can be used to\ndeactivate a security feature: The certificate provided by the server includes the identity\nof the server which should match the DNS name used to access it. By default, as requested by\nRFC 2818, the name of the mirror is checked against the identity found in the certificate.\nThis default behavior is safe and should not be changed, but if you know that the server you\nare using has a DNS name which does not match the identity in its certificate, you can set\nthe option to \"false\", which will prevent the comparison from being performed.\n"
                },
                {
                    "name": "Client authentication",
                    "content": "Besides supporting password-based authentication (see aptauth.conf(5)) HTTPS also supports\nauthentication based on client certificates via Acquire::https::SSLCert and\nAcquire::https::SSLKey. These should be set respectively to the filename of the X.509 client\ncertificate and the associated (unencrypted) private key, both in PEM format. In practice the\nuse of the host-specific variants of both options is highly recommended.\n"
                }
            ]
        },
        "EXAMPLES": {
            "content": "Acquire::https {\nProxy::example.org \"DIRECT\";\nProxy \"socks5h://apt:pass@127.0.0.1:9050\";\nProxy-Auto-Detect \"/usr/local/bin/apt-https-proxy-auto-detect\";\nNo-Cache \"true\";\nMax-Age \"3600\";\nNo-Store \"true\";\nTimeout \"10\";\nDl-Limit \"42\";\nPipeline-Depth \"0\";\nAllowRedirect \"false\";\nUser-Agent \"My APT-HTTPS\";\nSendAccept \"false\";\n\nCAInfo \"/path/to/ca/certs.pem\";\nCRLFile \"/path/to/all/crl.pem\";\nVerify-Peer \"true\";\nVerify-Host::broken.example.org \"false\";\nSSLCert::example.org \"/path/to/client/cert.pem\";\nSSLKey::example.org \"/path/to/client/key.pem\"\n};\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "apt-transport-http(1) apt.conf(5) aptauth.conf(5) sources.list(5)\n",
            "subsections": []
        },
        "BUGS": {
            "content": "APT bug page[1]. If you wish to report a bug in APT, please see\n/usr/share/doc/debian/bug-reporting.txt or the reportbug(1) command.\n",
            "subsections": []
        },
        "AUTHOR": {
            "content": "",
            "subsections": [
                {
                    "name": "APT team",
                    "content": ""
                }
            ]
        },
        "NOTES": {
            "content": "1. APT bug page\nhttp://bugs.debian.org/src:apt\n\n\n\nAPT 2.4.14                                   11 May 2018                       APT-TRANSPORT-HTTP(1)",
            "subsections": []
        }
    },
    "summary": "apt-transport-https - APT transport for downloading via the HTTP Secure protocol (HTTPS)",
    "flags": [],
    "examples": [
        "Acquire::https {",
        "Proxy::example.org \"DIRECT\";",
        "Proxy \"socks5h://apt:pass@127.0.0.1:9050\";",
        "Proxy-Auto-Detect \"/usr/local/bin/apt-https-proxy-auto-detect\";",
        "No-Cache \"true\";",
        "Max-Age \"3600\";",
        "No-Store \"true\";",
        "Timeout \"10\";",
        "Dl-Limit \"42\";",
        "Pipeline-Depth \"0\";",
        "AllowRedirect \"false\";",
        "User-Agent \"My APT-HTTPS\";",
        "SendAccept \"false\";",
        "CAInfo \"/path/to/ca/certs.pem\";",
        "CRLFile \"/path/to/all/crl.pem\";",
        "Verify-Peer \"true\";",
        "Verify-Host::broken.example.org \"false\";",
        "SSLCert::example.org \"/path/to/client/cert.pem\";",
        "SSLKey::example.org \"/path/to/client/key.pem\"",
        "};"
    ],
    "see_also": [
        {
            "name": "apt-transport-http",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/apt-transport-http/1/json"
        },
        {
            "name": "apt.conf",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/apt.conf/5/json"
        },
        {
            "name": "aptauth.conf",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/aptauth.conf/5/json"
        },
        {
            "name": "sources.list",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/sources.list/5/json"
        }
    ]
}