I have a situation where the client makes a call through curl to an https URL. The SSL certificate of the https URL is self-signed and therefore curl cannot do certificate validation and fails. curl provides an option, -k/--insecure, which disables certificate validation.
My question is: on using the --insecure option, is the data transfer that is done between client and server encrypted (as it should be for https URLs)? I understand the security risk because of certificate validation not being done, but for this question I am only concerned about whether data transfer is encrypted or not.
You need to pass the -k or --insecure option to the curl command. This option explicitly allows curl to perform “insecure” SSL connections and transfers. All SSL connections are attempted to be made secure by using the CA certificate bundle installed by default.
and it validated OK, so curl can definitely handle a self-signed CA. Use it with the --cacert flag. You can then use certs.
In this case, curl is making a GET request and returns the page source without any error because the server uses Trusted CA Signed SSL Certificates. This means that the server is using a certificate that was signed by a trusted authority.
Yes, the transferred data is still sent encrypted. -k/--insecure will "only make" curl skip certificate validation; it will not turn off SSL altogether.
More information regarding the matter is available under the following link:
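The behaviour described in the answer can be checked locally. The script below is an added example, not part of the original question or answer: it starts a throwaway openssl s_server with a self-signed certificate and compares curl's default validation, -k, and --cacert. The port 18443, the temporary paths and the function names are assumptions, and it expects an OpenSSL- or GnuTLS-backed curl.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Constructed throwaway server;
# port 18443 and the temp paths are assumptions. Needs openssl 1.1.1+ and curl.
WORK=$(mktemp -d)
URL=https://127.0.0.1:18443/
trap 'kill "${SERVER_PID:-}" 2>/dev/null; rm -rf "$WORK"' EXIT

start_server() {
  # Self-signed certificate for 127.0.0.1, valid for one day.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=127.0.0.1" \
    -addext "subjectAltName=IP:127.0.0.1" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
  openssl s_server -accept 127.0.0.1:18443 -www -quiet \
    -cert "$WORK/cert.pem" -key "$WORK/key.pem" >/dev/null 2>&1 &
  SERVER_PID=$!
  # Wait up to ~5 s until the listener completes a TLS exchange.
  for i in 1 2 3 4 5; do
    curl -ks -o /dev/null "$URL" && return 0
    sleep 1
  done
  return 1
}

# curl exit code with default validation; 60 means the certificate is not trusted.
rc_default() { rc=0; curl -s -o /dev/null "$URL" || rc=$?; echo "$rc"; }

# With -k, validation is skipped but a TLS session is still negotiated:
# count the "SSL connection using <protocol> / <cipher>" lines in verbose output.
tls_with_k() { curl -ksv -o /dev/null "$URL" 2>&1 | grep -c 'SSL connection using'; }

# Alternative to -k: trust exactly this certificate, keeping validation on.
rc_pinned() {
  rc=0; curl -s -o /dev/null --cacert "$WORK/cert.pem" "$URL" || rc=$?; echo "$rc"
}

start_server || { echo "server did not start" >&2; exit 1; }
echo "exit code with default validation: $(rc_default)"
echo "TLS sessions negotiated with -k:    $(tls_with_k)"
echo "exit code with --cacert:            $(rc_pinned)"
```

With -k the traffic is encrypted, but curl has not authenticated the server it is encrypting to; --cacert keeps both properties for a self-signed certificate.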