Making SSL connections with Curl

Curl has built-in support for SSL (Secure Sockets Layer) connections and for TLS, the more secure successor to SSL. When you make a Curl request for an HTTPS URL, Curl automatically checks the target server's SSL certificate against the local CA certificate store and warns if it is invalid, self-signed, or has expired. This is great for production websites but awkward for development. To bypass SSL certificate checks, you can use the -k or --insecure Curl command-line options.
Making SSL connections with Curl
curl -k https://expired.badssl.com

What is Curl?

Curl (stands for Client URL) is an open-source command-line tool and a cross-platform library (libcurl) developers use for client/server communications. Curl allows you to send data to the server by sending the target URL and the data as command-line parameters. Curl supports over 25 protocols, including HTTP and HTTPS, works on Linux, Windows, and macOS, and can be easily integrated into C++, Java, Python, PHP, Go, etc., applications.

What is SSL?

SSL (stands for Secure Sockets Layer) is a network protocol for establishing secure, authenticated, and encrypted connections between two computers. SSL is the forerunner of the more modern TLS encryption in use today. Netscape first developed SSL in 1995 to provide confidentiality, authentication, and data integrity in Internet communications. A website that implements SSL/TLS support has the HTTPS prefix in the URL. SSL protects the user's privacy while browsing the Internet by encrypting all data that travels between the user's computer and the web server. SSL ensures that anyone who intercepts the data in your network can only see the encrypted characters.

What is TLS?

TLS (short for Transport Layer Security), released in 1999, is the successor to SSL for authentication and encryption. TLS is a cryptographic protocol used to provide better security for communication over the network. TLS is mainly used to encrypt communication between web and mobile applications and the web server.

What is an SSL Certificate?

SSL certificates allow browsers and servers to be more secure by encrypting all inbound and outbound traffic. An SSL certificate is hosted on the origin server and is a data file containing a public security key to encrypt the network traffic and identify a website. When the browser (or any other HTTPS client) tries to contact the origin server, it will reference this SSL certificate file to obtain the server's public key and verify its identity. Libcurl performs peer SSL certificate validation right out of the box using the built-in CA certificate store that comes with your Curl installation.

How to ignore SSL certificate errors using Curl?

SSL certificates provide high security and data protection when browsing the Internet, but they sometimes get in the way of local development with localhost or development servers, because these servers usually have no valid certificate or use a self-signed one. To force Curl to bypass SSL certificate validation for local development servers, you can pass the -k or --insecure option to the Curl command. This option explicitly tells Curl to perform “insecure” SSL connections and file transfers. Curl will ignore all security warnings for invalid certificates and accept them as valid.

Curl syntax for disabling certificate validation
curl -k [options] [URL]
curl --insecure [options] [URL]

How to use a self-signed certificate with Curl?

Following these steps should help you:

  1. Download and save the self-signed certificate.
  2. Tell the Curl client about it with the --cacert [file] command-line switch. This parameter tells Curl to use the specified certificate file to verify the peer. The [file] may contain multiple CA certificates and must be in PEM format.
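
The two steps above, carried through end to end as an added example (not part of the original page): it creates a throwaway self-signed certificate, serves it from a local openssl s_server, and compares Curl's exit code with the default CA store, with --cacert, with a different certificate, and with -k. It assumes curl and OpenSSL 1.1.1 or later are installed; the 127.0.0.1 listener, port 8443 and the file names are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Assumes curl and OpenSSL 1.1.1+;
# the 127.0.0.1 listener, the ports and the file names are constructed.

make_cert() {  # $1 = output prefix; writes self-signed $1.pem and key $1.key
  openssl req -x509 -newkey rsa:2048 -nodes -days 7 -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

curl_rc() {  # run curl quietly with the given options and print its exit code
  rc=0
  curl --silent --output /dev/null --max-time 5 --noproxy '*' "$@" || rc=$?
  echo "$rc"
}

demo() {  # $1 = port; prints four curl exit codes
  local dir url pid i by_default pinned wrong insecure
  dir=$(mktemp -d) || return 1
  url="https://127.0.0.1:$1/"
  make_cert "$dir/dev" && make_cert "$dir/other" || return 1
  # Throwaway TLS server presenting dev.pem; it stands in for the dev server.
  openssl s_server -accept "127.0.0.1:$1" -cert "$dir/dev.pem" \
    -key "$dir/dev.key" -www -quiet >/dev/null 2>&1 &
  pid=$!
  for i in 1 2 3 4 5 6 7 8 9 10; do  # wait until the listener answers
    [ "$(curl_rc --insecure "$url")" = 0 ] && break
    sleep 0.5
  done
  by_default=$(curl_rc "$url")                        # system CA store only
  pinned=$(curl_rc --cacert "$dir/dev.pem" "$url")    # the saved certificate
  wrong=$(curl_rc --cacert "$dir/other.pem" "$url")   # some other certificate
  insecure=$(curl_rc --insecure "$url")               # verification disabled
  kill "$pid" 2>/dev/null || true
  wait "$pid" 2>/dev/null || true
  rm -rf "$dir"
  echo "$by_default $pinned $wrong $insecure"
}

demo 8443   # prints: 60 0 60 0  (60 = certificate could not be verified)
```

With --cacert the connection is still rejected when the server presents any certificate other than the saved one, whereas -k accepts whatever certificate is offered.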

What is the difference between --cacert and --cert options?

The --cacert [file] option tells Curl to use the specified certificate file for peer verification. The file can contain multiple CA certificates and must be in PEM format. The --cert [file] option tells Curl to use the specified client certificate file when sending a request to the server. The client certificate must be in PKCS#12 format when using Secure Transport or PEM format when using any other method.

Using client certificate with Curl

The client certificate is passed by Curl to the server as part of the TLS handshake, and the server validates the certificate during the handshake.

Send client certificate with Curl
curl --cert certificate.pem https://reqbin.com/echo

How to use SSL certificates with passwords?

You can pass the certificate password in the --cert command-line option after the certificate file name in the following format: --cert [file]:[password]

Curl SSL certificate passwords
curl https://reqbin.com/echo \
   --cert certificate.pem:mypassword
