How to Force TLS 1.2 or Higher in Curl
This article explains how to use the curl command-line
tool to enforce secure connections using TLS 1.2 or higher. You will
learn the specific command-line flags required to restrict older,
insecure SSL/TLS protocols and ensure your data transfers comply with
modern security standards.
To enforce the use of TLS 1.2 or a higher version when making a
request with curl, use the --tlsv1.2 option.
The Command
Run the following command in your terminal:
curl --tlsv1.2 https://example.com
How It Works
--tlsv1.2: This flag tells curl to set the minimum acceptable protocol version to TLS 1.2. Curl will attempt to negotiate a connection using TLS 1.2 or TLS 1.3 (if available), but it will refuse to connect using older, insecure protocols like TLS 1.0, TLS 1.1, or any version of SSL.
Verifying the TLS Version
To verify that the connection is successfully using TLS 1.2 or
higher, you can add the -v (verbose) flag to your
command:
curl -v --tlsv1.2 https://example.com
In the terminal output, look for the SSL handshake lines, which will confirm the negotiated version:
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
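To automate this check in a script or CI job, the handshake line shown above can be parsed instead of read by eye. The following is an added example, not part of the original article: the function name check_tls_min is hypothetical, the sample output is constructed, and it assumes the "* SSL connection using TLSvX.Y / <cipher>" line format shown above, which other curl TLS backends may not print.

```shell
#!/bin/sh
# Added example: turn curl's verbose handshake line into a pass/fail result.
# Real use (curl writes verbose output to stderr, hence 2>&1):
#   curl -sv --tlsv1.2 -o /dev/null https://example.com 2>&1 | check_tls_min 1.2

# check_tls_min MIN   (MIN is 1.0, 1.1, 1.2 or 1.3; verbose output on stdin)
# Returns 0 if every handshake found negotiated TLS >= MIN,
#         1 if any handshake used an older protocol (including SSLv2/SSLv3),
#         2 if no handshake line was found at all.
check_tls_min() {
    min=$1
    # Collect the protocol token from every handshake line; redirects can
    # produce more than one connection, and all of them must pass.
    versions=$(sed -n 's/^\* SSL connection using \([A-Za-z]*v[0-9.]*\) .*/\1/p')
    [ -n "$versions" ] || return 2
    for v in $versions; do
        case $v in
            TLSv1.*) minor=${v#TLSv1.} ;;   # TLSv1.2 -> 2
            TLSv1)   minor=0 ;;             # TLS 1.0 is printed without ".0"
            *)       return 1 ;;            # SSLv3 or an unrecognised token
        esac
        [ "$minor" -ge "${min#1.}" ] || return 1
    done
    return 0
}

# Constructed sample of curl -v output (not captured from a real server).
SAMPLE='* Connected to example.com (192.0.2.10) port 443
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
< HTTP/1.1 200 OK'

if printf '%s\n' "$SAMPLE" | check_tls_min 1.2; then
    echo "PASS: TLS 1.2 or higher negotiated"
else
    echo "FAIL: weak or missing TLS handshake"
fi
```

Treat exit status 2 as a failure as well: it means the output contained no handshake line, so nothing was verified.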
Enforcing TLS 1.3 Only
If you want to restrict the connection strictly to TLS 1.3 (and
disallow TLS 1.2), use the --tlsv1.3 flag instead:
curl --tlsv1.3 https://example.com