How to Specify SSL/TLS Ciphers in Curl

This article explains how to specify and restrict the SSL/TLS cipher suites the curl command-line tool offers during a secure connection. You will learn which command-line flag applies to which TLS version, how to format cipher lists, and how to identify the SSL/TLS backend your curl build uses, since that backend determines which cipher names curl accepts.

Using the --ciphers Flag for TLS 1.2 and Older

For connections that negotiate TLS 1.2 or an earlier protocol, you can specify the allowed cipher suites with the --ciphers option. The string is handed to the underlying TLS library more or less verbatim, so both the cipher names and the list syntax are backend-specific: OpenSSL (and compatible forks such as LibreSSL and BoringSSL) take a colon-separated list of OpenSSL cipher names, GnuTLS takes a priority string, and other backends (Schannel, wolfSSL, mbedTLS) document their own separators, which may be colons, commas or spaces. Note that --ciphers has no effect on a TLS 1.3 handshake; if the server negotiates TLS 1.3, this list is never consulted.

To restrict curl to a single TLS 1.2 cipher suite, pin the protocol version as well, so that a TLS 1.3-capable server cannot sidestep the list:

curl --tls-max 1.2 --ciphers ECDHE-ECDSA-AES128-GCM-SHA256 https://example.com

To offer several ciphers, separate them with colons (OpenSSL syntax). The client presents them in the order given, most preferred first, but the server makes the final choice among the suites it also supports:

curl --ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256 https://example.com

Using the --tls13-ciphers Flag for TLS 1.3

TLS 1.3 defines its own small set of AEAD-only cipher suites (TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and two CCM variants) and moves key exchange and authentication out of the suite name entirely. TLS libraries such as OpenSSL keep this list separate from the legacy cipher list, so curl exposes a separate flag, --tls13-ciphers (added in curl 7.61.0), to control which TLS 1.3 suites are offered. The flag is honoured only with backends that support it (OpenSSL 1.1.1 or later, wolfSSL, among others); with GnuTLS, the --ciphers priority string governs every protocol version.

To specify TLS 1.3 cipher suites, use:

curl --tls13-ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 https://example.com

If the negotiated version could be either TLS 1.2 or TLS 1.3, combine both flags in a single command. Each list applies only to its own protocol version and leaves the other version's defaults untouched, so restricting one without the other does not restrict the connection as a whole:

curl --ciphers ECDHE-RSA-AES128-GCM-SHA256 --tls13-ciphers TLS_AES_256_GCM_SHA384 https://example.com

Identifying Your SSL Backend and Supported Ciphers

The cipher names you must use depend entirely on the SSL/TLS backend that curl was compiled with. You can identify your backend by running:

curl -V

The TLS library appears on the first line of the output, in the token that follows libcurl/<version> (e.g., OpenSSL/3.0.2, GnuTLS/3.7.3, or Schannel); the Release-Date line does not carry it. The Features line lists SSL when TLS support is compiled in at all. If Features also lists MultiSSL, the build links more than one backend and the CURL_SSL_BACKEND environment variable selects which one is used, so check the active backend before choosing cipher names.
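As an added example (not code from the curl project or the original article), the following POSIX sh script ties the two halves of this page together: it extracts the TLS backend from curl -V output, then runs curl with the restricted lists from the sections above and confirms, from the handshake summary line in -v output, that the negotiated cipher is actually one of the allowed names. The helper names (tls_backend, negotiated_cipher, cipher_allowed) and the CURL_CHECK_URL variable are this script's own, not curl options; the sample curl -V and curl -v output is constructed so the helpers can be exercised offline.

```sh
#!/bin/sh
# Added example, not code from the curl project or the original article.
# Helper names (tls_backend, negotiated_cipher, cipher_allowed) and the
# CURL_CHECK_URL variable are this script's own inventions.

# tls_backend: read `curl -V` output on stdin and print the TLS library
# token(s) from the first line, e.g. "OpenSSL/3.0.2", "GnuTLS/3.7.3" or
# "Schannel". MultiSSL builds list more than one library; all are printed.
tls_backend() {
    head -n 1 | tr -d '()' | tr ' ' '\n' |
        grep -E '^(OpenSSL|LibreSSL|BoringSSL|quictls|GnuTLS|Schannel|wolfSSL|mbedTLS|rustls|NSS|SecureTransport|BearSSL)(/|$)'
}

# negotiated_cipher: read `curl -v` output on stdin and print
# "<protocol> <cipher>" from the handshake summary line, e.g.
# "TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256". Assumes the
# "* SSL connection using <proto> / <cipher> ..." line that OpenSSL-style
# builds emit; Schannel reports its handshake details in a different form.
negotiated_cipher() {
    awk '/^\* SSL connection using / { print $5, $7; exit }'
}

# cipher_allowed <cipher> <colon-separated list>: exit 0 if <cipher> is
# exactly one of the names passed to --ciphers / --tls13-ciphers
# (substring matches such as AES128-GCM-SHA256 do not count).
cipher_allowed() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Cipher lists under test: OpenSSL names for TLS 1.2, IANA names for TLS 1.3.
ALLOWED_12='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
ALLOWED_13='TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256'

# Constructed sample output (modelled on a Linux OpenSSL build) so the helpers
# can be run offline; a real run pipes `curl -V` / `curl -v` in instead.
SAMPLE_VERSION='curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 nghttp2/1.43.0
Release-Date: 2022-01-05
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz SSL'
SAMPLE_VERBOSE='* Connected to example.com port 443
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* Server certificate:
*  subject: CN=www.example.org'

printf '%s\n' "$SAMPLE_VERSION" | tls_backend       # OpenSSL/3.0.2
printf '%s\n' "$SAMPLE_VERBOSE" | negotiated_cipher # TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256

# Live check against a real server:  CURL_CHECK_URL=https://example.com sh tls_check.sh
# Pinning the protocol version matters: without --tls-max 1.2 a TLS 1.3 server
# negotiates a 1.3 suite, the --ciphers list is never consulted, and the check
# would pass for the wrong reason.
if [ -n "${CURL_CHECK_URL:-}" ]; then
    curl -V | tls_backend
    for ver in 1.2 1.3; do
        if [ "$ver" = 1.2 ]; then
            flags="--tlsv1.2 --tls-max 1.2 --ciphers $ALLOWED_12"; allowed=$ALLOWED_12
        else
            flags="--tlsv1.3 --tls13-ciphers $ALLOWED_13"; allowed=$ALLOWED_13
        fi
        # $flags is intentionally left unquoted so it word-splits into options
        got=$(curl -sSv -o /dev/null $flags "$CURL_CHECK_URL" 2>&1 | negotiated_cipher)
        proto=${got%% *}; cipher=${got#* }
        if cipher_allowed "$cipher" "$allowed"; then
            echo "ok: $proto $cipher"
        else
            echo "FAIL: wanted one of $allowed, handshake reported '$got'" >&2
            exit 1
        fi
    done
fi
```

Run it without CURL_CHECK_URL to exercise the helpers on the embedded sample; set CURL_CHECK_URL to a host you control to see the TLS 1.2 and TLS 1.3 lists verified on a real handshake. The exact-match check in cipher_allowed is deliberate: a negotiated suite that merely shares a suffix with an allowed one (for example a non-ECDHE AES-GCM suite) would indicate the list was not applied.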