Force Curl to Use Specific TLS Version
This article explains how to force the curl command-line
tool to connect to a server using a specific SSL or TLS version. You
will learn the exact flags required to restrict your connections to
secure protocols like TLS 1.2 or TLS 1.3, which is essential for
troubleshooting handshake issues and meeting strict security compliance
standards.
By default, curl negotiates the highest mutually
supported TLS version with the destination server. However, you can
override this behavior by using specific command-line switches.
Forcing Specific TLS Versions
To force curl to use a specific TLS version, append one
of the following protocol flags to your command:
Force TLS 1.3:
curl --tlsv1.3 https://example.com
Force TLS 1.2:
curl --tlsv1.2 https://example.com
Force TLS 1.1:
curl --tlsv1.1 https://example.com
Force TLS 1.0:
curl --tlsv1.0 https://example.com
Forcing Older SSL Versions (Deprecated)
Modern systems generally disable older SSL protocols due to security
vulnerabilities, but they can still be forced if your local
curl installation and OpenSSL library support them:
Force SSLv3:
curl -3 https://example.com
(Alternatively, use --sslv3)
Force SSLv2:
curl -2 https://example.com
(Alternatively, use --sslv2)
Setting a Minimum TLS Version
If you do not want to lock connection attempts to a single version,
but instead want to define a minimum acceptable version, use the
--tlsv1.x flag for the lowest version you accept, optionally with
--tls-max to cap the highest version:
Require TLS 1.2 or higher:
curl --tlsv1.2 --tls-max 1.3 https://example.com
Verifying the Active Connection Protocol
To verify which TLS version was actually negotiated during the
handshake, run the command with the verbose flag (-v or
--verbose):
curl -v --tlsv1.3 https://example.com
In the output, look for the line indicating the SSL connection details,
which will look similar to this:
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
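
The verbose check above can be scripted so a job fails when the negotiated version is below a required minimum. This is an added example, not part of the original article; the function names are hypothetical and the sample verbose output is constructed so the script runs offline.

```sh
#!/bin/sh
# Added example: confirm the TLS version curl negotiated from its -v output.
# Function names are hypothetical; SAMPLE_VERBOSE is constructed, not captured.

SAMPLE_VERBOSE='* Connected to example.com port 443
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
> GET / HTTP/1.1'

# Print the negotiated version ("1.3", "1.2", ...) from verbose output on stdin.
negotiated_tls() {
    sed -n 's/^\* SSL connection using TLSv\([0-9][0-9.]*\) .*/\1/p' | head -n 1
}

# Map a version string to its minor number; "1" is how TLS 1.0 may be reported.
tls_minor() {
    case "$1" in
        1|1.0) echo 0 ;;
        1.1)   echo 1 ;;
        1.2)   echo 2 ;;
        1.3)   echo 3 ;;
        *)     return 1 ;;
    esac
}

# check_min_tls MIN < verbose-output
# Returns 0 if negotiated >= MIN, 1 if lower, 2 if no version could be read.
check_min_tls() {
    cmt_min=$(tls_minor "$1") || return 2
    cmt_got=$(negotiated_tls)
    [ -n "$cmt_got" ] || return 2
    cmt_got_minor=$(tls_minor "$cmt_got") || return 2
    [ "$cmt_got_minor" -ge "$cmt_min" ]
}

# Offline demo on the constructed sample.
if printf '%s\n' "$SAMPLE_VERBOSE" | check_min_tls 1.2; then
    echo "OK: negotiated TLS $(printf '%s\n' "$SAMPLE_VERBOSE" | negotiated_tls)"
fi

# Live use (curl writes -v output to stderr, hence 2>&1):
#   curl -sv -o /dev/null --tlsv1.2 https://example.com 2>&1 | check_min_tls 1.2
```

Per curl's documentation, --tlsv1.2 and the other --tlsv1.x options set the lowest version curl will accept, so pairing one with a matching --tls-max (for example --tlsv1.2 --tls-max 1.2) is what pins a single version.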