How to Ignore SSL Certificate With cURL

SSL (otherwise known as TLS) certificates are the cornerstone of internet security, allowing us to perform our daily internet operations without the fear of security breaches. However, in some instances, you may want to bypass it.

Read this blog post to learn about those situations and how to bypass TLS and SSL with curl.

What is cURL and SSL?

cURL is a command-line tool and library for transferring data with URLs. It supports various protocols, including HTTP, HTTPS, FTP, and more. The official website boasts over twenty billion installations and a wide range of uses, including television sets, medical devices, cars, programming, to name a few. You might have also noticed curl in API documentation across the web (or our documentation, for that matter).

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols for securing communication over a computer network. You might already see the connection here. If curl is used to transfer data, it’s SSL that secures this transfer. Indeed, curl performs SSL certificate validation by default. 

Why would you want to disable SSL?

SSL protection is essential for internet security. You want for it to be there, protecting you from potential internet hazards. However, there still are valid reasons why developers might want to bypass SSL/TLS certificate verification:

• Development and testing: During the development phase, developers might use self-signed certificates or work in environments where SSL certificates are not yet configured.

• Debugging: Bypassing SSL can be useful for troubleshooting connection issues or diagnosing problems related to SSL certificates.

• Legacy Systems: Some older systems or APIs might use outdated SSL certificates, necessitating temporary workarounds.

Security implications

Despite the fact that it’s done for testing and development purposes, there are security risks involved in ignoring SSL certificates. These can include man-in-the-middle attacks, data breaches, or losing user trust. To avoid the consequences of invalid certificates, ensure that you ignore SSL verification in production environments only and as a temporary measure. 

How to ignore SSL errors with curl?

If you send a curl GET request to a website with invalid SSL certificates, you should receive the following error message:

curl https://expired.badssl.com/

curl: (60) SSL certificate problem: certificate has expired
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

The simplest way to ignore SSL certificate errors is by passing –k curl command:

curl -k https://expired.badssl.com/

Or  – –insecure:

curl --insecure https://expired.badssl.com/

This method will allow you to bypass SSL verification and make an “insecure” connection.

Ignoring SSL in the script

But what if you want to ignore SSL system-wide? For instance, if you're using curl with Python. You obviously would not want to go through all the instances where requests are passed. There are some alternative methods.

Creating a curl configuration file ~/.curlrc  and adding insecure to it will do the trick. This will disable SSL verification system-wise until you want to turn it back on.

Conclusion

In this guide, we've explored the relationship between cURL and SSL/TLS, discussed scenarios when ignoring SSL certificates is beneficial, and highlighted the security implications of doing so. By following the steps outlined, you can bypass SSL certificate verification in curl, but with great caution.

If you'd like to learn more about curl or SSL, read the following blog posts on what an SSL proxy, curl POST requests, or curl headers are. You can also check our cURL converter solution, an easy-to-use tool for transforming cURL commands into your preferred programming languages.