TLS & SSL
Orb uses TLS for all HTTPS connections. This page covers certificate verification, client certificates (mTLS), and related options.
Insecure Mode
Use -k or --insecure to skip certificate verification:
orb -k https://self-signed.example.com
With verification skipped, the connection is still encrypted but the server's identity is not checked. This is useful for:
- Self-signed certificates
- Development environments
- Testing with invalid certificates
Custom CA Certificate
Use --cacert to specify a custom CA certificate for verification:
orb --cacert /path/to/ca.pem https://internal.example.com
This is useful for:
- Internal PKI / private CAs
- Self-signed root certificates
- Corporate proxies with custom CAs
The CA certificate must be in PEM format.
Client Certificates (mTLS)
For mutual TLS authentication, provide a client certificate:
Combined Certificate and Key
If your PEM file contains both the certificate and private key:
orb --cert client-combined.pem https://secure.example.com
Separate Certificate and Key
If they’re in separate files:
orb --cert client.pem --key client-key.pem https://secure.example.com
Key Formats
Orb supports:
- PEM format (.pem) - Recommended
- The private key can be RSA, ECDSA, or Ed25519
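A pre-flight check for the two client-certificate layouts above, as an added example that is not part of Orb: it inspects PEM marker lines to choose between --cert alone and --cert plus --key, and refuses a private key that group or other can read. The function names, the permission policy and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Orb. Only PEM marker lines are inspected;
# certificates and keys are not parsed or validated.

# pem_kind FILE -> prints: combined | cert | key | unknown
pem_kind() {
    has_cert=no; has_key=no
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null && has_cert=yes
    # Covers PKCS#8 "PRIVATE KEY" plus the "RSA", "EC" and "ENCRYPTED" variants.
    grep -q -E -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" 2>/dev/null && has_key=yes
    case "$has_cert/$has_key" in
        yes/yes) echo combined ;;
        yes/no)  echo cert ;;
        no/yes)  echo key ;;
        *)       echo unknown ;;
    esac
}

# key_perms_ok FILE -> success only when group and other have no access bits.
key_perms_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# orb_mtls_args CERT [KEY] -> prints the client-certificate arguments for orb,
# or fails with a message on stderr. The owner-only policy is this example's own.
orb_mtls_args() {
    cert=$1; key=${2:-}
    case "$(pem_kind "$cert")" in
        combined)
            key_perms_ok "$cert" || { echo "error: $cert holds a key readable by group/other" >&2; return 1; }
            echo "--cert $cert" ;;
        cert)
            [ "$(pem_kind "$key")" = key ] || { echo "error: no private key found; pass one with --key" >&2; return 1; }
            key_perms_ok "$key" || { echo "error: $key is readable by group/other" >&2; return 1; }
            echo "--cert $cert --key $key" ;;
        *)  echo "error: $cert contains no PEM certificate" >&2; return 1 ;;
    esac
}

# Constructed sample files: marker lines around placeholder bodies, not real credentials.
make_samples() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/client.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$1/client-key.pem"
    cat "$1/client.pem" "$1/client-key.pem" > "$1/client-combined.pem"
    chmod 600 "$1/client-key.pem" "$1/client-combined.pem"
}
```

After sourcing the file, orb $(orb_mtls_args client.pem client-key.pem) https://secure.example.com expands to the separate-file invocation shown above. The unquoted expansion assumes paths without spaces.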
TLS Versions
Orb uses TLS 1.2 and TLS 1.3. The version is automatically negotiated based on server support.
Verbose TLS Information
Use -v to see TLS handshake details:
orb -v https://example.com
Output includes:
* TLS handshake completed
* TLS version: TLSv1.3
* Cipher: TLS_AES_256_GCM_SHA384
* ALPN: h2
* Server certificate:
* Subject: CN=example.com
* Issuer: CN=DigiCert TLS RSA SHA256 2020 CA1
* Valid from: Jan 01 00:00:00 2024 GMT
* Valid until: Dec 31 23:59:59 2024 GMT
Common TLS Scenarios
Internal Services with Private CA
orb --cacert /etc/ssl/internal-ca.pem \
    https://internal-api.company.com/health
mTLS Protected API
orb --cert client.pem \
    --key client-key.pem \
    --cacert server-ca.pem \
    https://mtls-api.example.com/secure
Development with Self-Signed Cert
# Quick testing (insecure)
orb -k https://localhost:8443
# Proper way (add your dev CA)
orb --cacert dev-ca.pem https://localhost:8443
Docker Registry with Custom CA
orb --cacert /etc/docker/certs.d/registry.example.com/ca.crt \
    -u admin:password \
    https://registry.example.com/v2/_catalog