SSL (otherwise known as TLS) certificates are the cornerstone of internet security, allowing us to perform our daily internet operations without the fear of security breaches. However, in some instances, you may want to bypass certificate verification.
Read this blog post to learn about those situations and how to bypass TLS and SSL with curl.
cURL is a command-line tool and library for transferring data with URLs. It supports various protocols, including HTTP, HTTPS, FTP, and more. The official website boasts over twenty billion installations and a wide range of uses, including television sets, medical devices, cars, programming, to name a few. You might have also noticed curl in API documentation across the web (or our documentation, for that matter).
While these terms are often confused online, the creators reserve cURL for the whole project, which encompasses the command-line tool (curl) and library (libcurl). However, Curl (emphasis on the capital C) is a programming language – an entirely different thing not associated with the cURL project. In this article, we’re referring to the command-line tool, hence curl.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols for securing communication over a computer network. You might already see the connection here. If curl is used to transfer data, it’s SSL that secures this transfer. Indeed, curl performs SSL certificate validation by default.
SSL protection is essential for internet security. You want it to be there, protecting you from potential internet hazards. However, there are still valid reasons why developers might want to bypass SSL/TLS certificate verification:
Development and testing: During the development phase, developers might use self-signed certificates or work in environments where SSL certificates are not yet configured.
Debugging: Bypassing SSL can be useful for troubleshooting connection issues or diagnosing problems related to SSL certificates.
Legacy systems: Some older systems or APIs might use outdated SSL certificates, necessitating temporary workarounds.
Even when it's done for testing and development purposes, ignoring SSL certificates carries security risks. These can include man-in-the-middle attacks, data breaches, or losing user trust. To avoid the consequences of invalid certificates, ensure that you ignore SSL verification in non-production environments only and as a temporary measure.
If you send a curl GET request to a website with invalid SSL certificates, you should receive the following error message:
curl https://expired.badssl.com/
curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
The simplest way to ignore SSL certificate errors is to pass the -k option to the curl command:
curl -k https://expired.badssl.com/
Or its long form, --insecure:
curl --insecure https://expired.badssl.com/
This method will allow you to bypass SSL verification and make an “insecure” connection.
But what if you want to ignore SSL system-wide, for instance, if you're using curl with Python? You obviously would not want to go through every instance where a request is made. There are some alternative methods.
Creating a curl configuration file ~/.curlrc and adding insecure to it will do the trick. This will disable SSL verification system-wide until you want to turn it back on.
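Because both the -k flag and an insecure line in ~/.curlrc are easy to forget, it helps to audit for them before anything leaves a test environment. The script below is an added example, not part of the original article: it checks a curl config file for the insecure option and counts curl calls in a script that disable verification. The function names, the sample file contents and the example.test hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate the certificate-verification bypasses this article
# describes so they can be removed before code leaves a test environment.

# Exit 0 if a curl config file (e.g. ~/.curlrc) enables the insecure option.
# Config files accept the option as "insecure", "--insecure" or "-k";
# lines starting with '#' are comments and are ignored.
curlrc_disables_verify() {
    grep -Eq '^[[:space:]]*(-k|(--)?insecure)([[:space:]]|$)' "$1"
}

# Print how many non-comment lines of a script call curl with --insecure
# or with a short-option cluster containing k (-k, -sk, -sSk, ...).
# Heuristic: a cluster such as -ok (write output to file "k") also matches.
count_insecure_curl_calls() {
    grep -Ev '^[[:space:]]*#' "$1" |
        grep -Ec '(^|[^[:alnum:]_-])curl([[:space:]].*)?[[:space:]](--insecure|-[[:alnum:]]*k[[:alnum:]]*)([[:space:]]|$)' || true
}

# Constructed sample files (not real configuration), written to a temp dir.
make_samples() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '# curl defaults' 'silent' 'insecure' > "$dir/curlrc_bad"
    printf '%s\n' '# insecure' 'silent' > "$dir/curlrc_ok"
    printf '%s\n' \
        '#!/bin/sh' \
        'curl -k https://expired.badssl.com/' \
        'curl -sSk https://staging.example.test/health' \
        'curl --insecure -o out.json https://staging.example.test/api' \
        '# curl -k https://old.example.test/' \
        'curl -s https://api.example.test/keys' > "$dir/deploy.sh"
    printf '%s\n' "$dir"
}

samples=$(make_samples)
for f in curlrc_bad curlrc_ok; do
    if curlrc_disables_verify "$samples/$f"; then
        echo "$f: certificate verification is DISABLED"
    else
        echo "$f: certificate verification left on"
    fi
done
echo "deploy.sh: $(count_insecure_curl_calls "$samples/deploy.sh") insecure curl call(s)"
rm -rf "$samples"
```

Point curlrc_disables_verify at each user's ~/.curlrc; that file is read by the curl command-line tool for that user, so it has to be checked per account.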
In this guide, we've explored the relationship between cURL and SSL/TLS, discussed scenarios when ignoring SSL certificates is beneficial, and highlighted the security implications of doing so. By following the steps outlined, you can bypass SSL certificate verification in curl, but with great caution.
If you'd like to learn more about curl or SSL, read our blog posts on SSL proxies, curl POST requests, and curl headers. You can also check our cURL converter solution, an easy-to-use tool for transforming cURL commands into your preferred programming languages.
Yes, you can. We recommend checking out our blog post on using curl with proxies to learn how to do that.
About the author
Enrika Pavlovskytė
Former Copywriter
Enrika Pavlovskytė was a Copywriter at Oxylabs. With a background in digital heritage research, she became increasingly fascinated with innovative technologies and started transitioning into the tech world. On her days off, you might find her camping in the wilderness and, perhaps, trying to befriend a fox! Even so, she would never pass up a chance to binge-watch old horror movies on the couch.