Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
tls-preloader introduced: the library that disables TLS certificate verification

10 September 2025 09:00

A Limes Security researcher, under the pseudonym f0rw4rd, has presented a new tool for developers and testers: tls-preloader. This is a universal library that allows you to completely disable TLS certificate verification, which simplifies debugging and analysis of applications that use encrypted connections.

The solution is distributed as an LD_PRELOAD library that intercepts functions from the most popular TLS libraries. It works with OpenSSL (including versions 1.0.x, 1.1.x, and 3.x), BoringSSL, LibreSSL, GnuTLS, NSS, mbedTLS, and wolfSSL, and can bypass libcurl’s built-in checks.

The authors note that the library is cross-platform, supporting Linux, FreeBSD, OpenBSD, NetBSD, Solaris, AIX, and macOS. During compilation, the target platform’s capabilities are automatically taken into account and thread-safety optimizations are applied, from pthread mutexes to atomic operations.

Using tls-preloader is a breeze: just compile the library and load it using LD_PRELOAD. After that, you can run any program, from curl and wget to Python scripts or Firefox, with certificate checking disabled. For convenience, the library provides a debug mode and can generate stack traces when intercepted functions are called.

In OpenSSL and its derivatives, the library intercepts SSL_CTX_set_verify() and X509_verify_cert(), along with the related hostname and certificate expiration checks. In GnuTLS, verification is circumvented by intercepting gnutls_certificate_verify_peers, while in NSS the SSL_BadCertHook() and CERT_VerifyCert() functions are hooked. Similar techniques are applied to other TLS implementations.

The tool is aimed at developers and testers who work with self-signed or expired certificates and need quick debugging. The authors emphasize that using the library in production systems is strictly discouraged, as it completely removes one of the key elements of HTTPS protection.

The project’s limitations include the inability to work with statically compiled binaries and the lack of support for the Chrome and Chromium browsers, which have BoringSSL built in. Additionally, applications with strict certificate pinning may still block connections.
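Since the library is loaded through LD_PRELOAD and is not meant to appear on production systems, a host check can look for processes started with a preload and flag libraries that carry the verification function names listed above. This is an added example, not code from the tls-preloader project; it assumes Linux `/proc`, and the function names `preload_entries`, `tls_symbols_in` and `scan` are hypothetical.

```python
import os

# Verification entry points the article names as intercepted.
TLS_VERIFY_SYMBOLS = [b"SSL_CTX_set_verify", b"X509_verify_cert",
                      b"gnutls_certificate_verify_peers",
                      b"SSL_BadCertHook", b"CERT_VerifyCert"]

def preload_entries(environ_bytes):
    """Library paths listed in LD_PRELOAD inside a raw /proc/<pid>/environ blob."""
    for var in environ_bytes.split(b"\0"):
        if var.startswith(b"LD_PRELOAD="):
            value = var[len(b"LD_PRELOAD="):].decode(errors="replace")
            # The dynamic loader accepts both ':' and ' ' as separators.
            return value.replace(":", " ").split()
    return []

def tls_symbols_in(path):
    """Heuristic: which names appear in the file's string data (prefix match,
    so suffixed variants of a name are caught too). Unreadable file -> []."""
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return []
    return [s.decode() for s in TLS_VERIFY_SYMBOLS if b"\0" + s in data]

def scan(proc_root="/proc"):
    """Return [(pid, library, matched_names)] for each process with LD_PRELOAD set."""
    findings = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as fh:
                env = fh.read()
        except OSError:
            continue  # process exited, or its environment is not readable
        for lib in preload_entries(env):
            findings.append((int(pid), lib, tls_symbols_in(lib)))
    return findings

if __name__ == "__main__":
    for pid, lib, names in scan():
        tag = "TLS-VERIFY-HOOK?" if names else "preload"
        print(f"{tag} pid={pid} lib={lib} names={','.join(names) or '-'}")
```

Run it as root to read other users' processes. It sees only the environment a process was started with, so a preload configured in `/etc/ld.so.preload` needs a separate check, and a name match means the library defines or references that function, which still has to be reviewed by hand.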

The project is open source and available on GitHub.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.