[Feature Suggestion] Selectively ignore TLS errors

From: Ryan via curl-users <>
Date: Tue, 2 Feb 2021 09:59:00 -0800

Hey everyone. This is my first contribution here, please be gentle.

I ran into a situation today where I needed to curl against a web service,
outside my control, with an expired SSL certificate. Using curl -k works,
but is very heavy-handed.

This ball gets dropped here and there in production environments. Allowing
curl to handle this situation gracefully would allow much cleaner emergency
interim responses that still preserve most of the security guarantees of
the model.

I examined wget and openssl s_client, and as far as I can tell, neither of
them offers an option like this.

Suggestions about how to implement it:

1. --disregard-tls-errors N[,...] to ignore specific TLS subsystem errors
by ID. Error 557 is "certificate expired", but there may be others it
makes sense to ignore as well, and you could specify a comma-separated list
to ignore more than one.

2. --tls-expiry-grace-period T to implement a grace period. It's special
purpose to this one type of error, but more powerful than the general
solution above: you could specify an interval, and it would consider the
certificate valid as long as you were less than that interval past the
expiration date. This would make it easy to apply a time-limited fix,
e.g., --tls-expiry-grace-period 24h, keeping things running while the
certificate gets updated.

3. Maybe there's a better way to do this that I'm not thinking of?

Is this sensible or worth implementing? Thanks.
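The grace-period semantics of suggestion 2, worked through as an added example to make the check precise; this is not curl code and not from the poster. It assumes a unit suffix syntax (s/m/h/d) modelled on the "24h" in the proposal, and the notAfter text format that `openssl x509 -enddate` prints; the sample date is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the format `openssl x509 -enddate` prints
# (not taken from any real certificate).
SAMPLE_NOT_AFTER = "Jan 31 23:59:59 2021 GMT"

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_grace(spec: str) -> timedelta:
    """Parse a grace period such as '24h', '90m' or '7d'.

    The unit syntax is an assumption modelled on the '24h' in the proposal."""
    m = re.fullmatch(r"(\d+)([smhd])", spec.strip())
    if not m:
        raise ValueError(f"bad grace period: {spec!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2)])


def parse_gmt(text: str) -> datetime:
    """Parse an OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' timestamp to aware UTC."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def expiry_status(not_after: datetime, now: datetime, grace: timedelta) -> str:
    """Classify only the validity-period check. Chain, signature and hostname
    verification are untouched by the proposed option and must still pass."""
    if now <= not_after:
        return "valid"
    if now - not_after <= grace:
        return "expired-within-grace"   # the one case the option would forgive
    return "expired"


def classify(not_after_text: str, now_text: str, grace_spec: str) -> str:
    """String-based wrapper: notAfter and 'now' in OpenSSL text form."""
    return expiry_status(parse_gmt(not_after_text), parse_gmt(now_text), parse_grace(grace_spec))


def accept_expiry(not_after_text: str, now_text: str, grace_spec: str) -> bool:
    """True if the grace-period option would let the handshake continue."""
    return classify(not_after_text, now_text, grace_spec) != "expired"


if __name__ == "__main__":
    print(classify(SAMPLE_NOT_AFTER, "Feb 01 12:00:00 2021 GMT", "24h"))
```

Note that with this shape the option never loosens anything but the expiry comparison, which is the property that distinguishes it from -k.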

