Curl Expired SSL Certificate Error Explained

When you use curl to connect to an HTTPS website whose SSL/TLS certificate has expired, curl terminates the connection and refuses to exchange any data. This article explains the error message and exit code curl produces in that situation, the security reasons behind this default behavior, and how you can temporarily bypass the check for testing purposes.

The Default Behavior: Connection Refusal

By default, curl prioritizes security and strictly enforces SSL/TLS verification. During the secure handshake process, curl checks the validity period of the target server’s SSL certificate. If the current system time is past the certificate’s “Not After” expiration date, curl immediately aborts the connection before sending any sensitive data, such as HTTP request headers or request bodies.

Error Messages and Exit Codes

When curl blocks a connection because of an expired certificate, it prints an error message to the console and exits with a non-zero status. With the OpenSSL backend the message reads "curl: (60) SSL certificate problem: certificate has expired", and the exit status is 60, the code curl uses for any peer certificate that fails verification; scripts should test for that exit code rather than parsing the message text.

Why Curl Blocks Expired Certificates

Certificates have expiration dates to limit how long a compromised or mis-issued key can be abused. Once a certificate expires, the site's identity is no longer vouched for by a trusted Certificate Authority (CA). Accepting an expired certificate leaves you vulnerable to Man-in-the-Middle (MitM) attacks, in which an attacker intercepts or alters your traffic.

How to Bypass the Error (Development Only)

If you are developing or testing in a local environment and must connect to a server with an expired certificate, you can instruct curl to skip the validation check. Renewing the certificate, or pointing curl at your own test CA with --cacert so that verification stays on, is preferable whenever either is possible.

Using the -k or --insecure Flag

The most common way to bypass the validation is by adding the -k (or --insecure) flag to your command:

curl -k https://expired.badssl.com/

This flag tells curl to proceed with the connection anyway. The transfer is still encrypted, but curl no longer verifies the certificate's validity period or its chain of trust, so it can no longer confirm which server it is actually talking to.

Warning: Never use the -k flag in production environments or scripts, as it disables essential security protections.
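To make concrete what the validation step decides, here is an added Go example (not curl's code and not part of the original article) that builds a constructed self-signed certificate for the hypothetical host example.test and runs the same chain-and-validity check curl performs before sending any request; the -k flag is what disables this step. It uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// selfSignedCert builds a constructed self-signed certificate for the hypothetical
// host example.test that is valid only between notBefore and notAfter (sample data).
func selfSignedCert(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore, NotAfter: notAfter, // the "Not After" window curl checks
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAt is the check curl runs before sending any request data: the certificate
// must chain to a trusted root and "now" must fall inside its validity window.
// curl -k skips exactly this step. Returns "ok", "expired" or "failed: <reason>".
func verifyAt(cert *x509.Certificate, roots *x509.CertPool, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: "example.test", Roots: roots, CurrentTime: now})
	var invalid x509.CertificateInvalidError
	if err == nil {
		return "ok"
	} else if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return "expired" // the case this article is about
	}
	return "failed: " + err.Error() // e.g. untrusted root, wrong hostname
}
```

The same certificate is accepted when the clock sits inside its validity window and rejected as expired afterwards, which is why fixing the certificate (or the system clock, if it is wrong) is the real remedy.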