curl / Mailing Lists / curl-users / Single Mail


How to enforce a given TLS version with curl?

From: M K Saravanan <>
Date: Tue, 18 Dec 2018 22:35:42 +0800


If I want to use only TLSv1.2 with curl, how to enforce it? (for
testing purpose)

I thought I can use "--tlsv1.2" option based on curl help.

$ curl --version
curl 7.58.0 (x86_64-pc-linux-gnu) libcurl/7.58.0 OpenSSL/1.1.1
zlib/1.2.11 libidn2/2.0.4 libpsl/0.19.1 (+libidn2/2.0.4)
nghttp2/1.30.0 librtmp/2.3
Release-Date: 2018-01-24
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps
pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM
NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

$ curl -h | sed -ne '/--tlsv/p'
 -1, --tlsv1 Use TLSv1.0 or greater
     --tlsv1.0 Use TLSv1.0
     --tlsv1.1 Use TLSv1.1
     --tlsv1.2 Use TLSv1.2
     --tlsv1.3 Use TLSv1.3

But the "Everything Curl" books says:

--sslv2 SSL version 2
--sslv3 SSL version 3
--tlsv1 TLS >= version 1.0
--tlsv1.0 TLS >= version 1.0
--tlsv1.1 TLS >= version 1.1
--tlsv1.2 TLS >= version 1.2
--tlsv1.3 TLS >= version 1.3

When I use the option --tlsv1.2 with a server that supports both
TLSv1.2 and TLSv1.3, it is automatically selecting TLSv1.3.

So looks like the everything curl book is correct.

If I want to enforce a particular TLS version, how to do that?

with regards,
Received on 2018-12-18