Redazione RHC: 10 September 2025 09:00
A Limes Security researcher, working under the pseudonym f0rw4rd, has presented a new tool for developers and testers: tls-preloader. It is a universal library that completely disables TLS certificate verification, simplifying the debugging and analysis of applications that use encrypted connections.
The solution is distributed as an LD_PRELOAD library that hooks the verification functions of the most popular TLS libraries. It works with OpenSSL (including the 1.0.x, 1.1.x and 3.x branches), BoringSSL, LibreSSL, GnuTLS, NSS, mbedTLS and wolfSSL, and can also bypass libcurl’s built-in checks.
The authors note that the library is cross-platform, supporting Linux, FreeBSD, OpenBSD, NetBSD, Solaris, AIX and macOS. At compile time the build automatically detects the target platform’s capabilities and selects the thread-safety mechanism accordingly, from pthread mutexes to atomic operations.
Using tls-preloader is straightforward: compile the library and load it with LD_PRELOAD. Any dynamically linked program, from curl and wget to Python scripts or Firefox, then runs with certificate checking disabled. For troubleshooting, a debug mode and the ability to print a stack trace whenever an intercepted function is called are provided.
In OpenSSL and its derivatives, the library intercepts SSL_CTX_set_verify() and X509_verify_cert(), together with the related hostname and certificate-expiry checks. In GnuTLS the same result is achieved through gnutls_certificate_verify_peers, while in NSS the SSL_BadCertHook() and CERT_VerifyCert() hooks are used. Similar techniques are applied to the other TLS implementations.
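Because the whole mechanism rests on LD_PRELOAD, the simplest way for an administrator to notice that a process is running with its TLS verification shimmed out is to look for that variable in the process environment and for shared objects mapped from outside the system library directories. The following Python check is an added example, not part of the tls-preloader project; the library file name, the set of "system" directories and the sample /proc data are constructed assumptions.

```python
import os
# Directories treated as holding system-installed shared objects (an assumption for this example).
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_environ(raw):
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ into a dict."""
    env = {}
    for record in raw.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env

def mapped_shared_objects(maps_text):
    """Return the distinct shared-object paths listed in /proc/<pid>/maps, in first-seen order."""
    seen = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # addr perms offset dev inode [pathname]
        if len(fields) == 6 and ".so" in os.path.basename(fields[5]) and fields[5] not in seen:
            seen.append(fields[5])
    return seen

def assess(env, objects):
    """Return None if LD_PRELOAD is unset; otherwise the preload list and any .so outside system dirs."""
    preload = env.get("LD_PRELOAD", "")
    if not preload.strip():
        return None
    return {"ld_preload": preload.replace(":", " ").split(),  # glibc accepts ':' or ' ' as separator
            "non_system_objects": [o for o in objects if not o.startswith(SYSTEM_LIB_DIRS)]}

def scan_proc():
    """Live Linux scan: map pid -> verdict for every readable process that has LD_PRELOAD set."""
    hits = {}
    for pid in (d for d in os.listdir("/proc") if d.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as e, open(f"/proc/{pid}/maps") as m:
                verdict = assess(parse_environ(e.read()), mapped_shared_objects(m.read()))
        except OSError:
            continue  # process exited, or its /proc entries are not readable by this user
        if verdict:
            hits[int(pid)] = verdict
    return hits

# Constructed sample (not captured from a real host): curl launched with a preloaded TLS shim.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/home/dev/tls-preloader/libtlsnoverify.so\0HOME=/home/dev\0"
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a20000 r--p 00000000 fd:01 1234 /usr/bin/curl
7f3a10000000-7f3a10010000 r--p 00000000 fd:01 5678 /home/dev/tls-preloader/libtlsnoverify.so
7f3a10200000-7f3a10400000 r-xp 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/libssl.so.3
"""
```

Note that /proc/<pid>/environ reflects the environment at exec time only, and a preload configured through /etc/ld.so.preload shows up in maps but not in LD_PRELOAD, so the mapped-object list is the more robust of the two signals.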
The tool is aimed at developers and testers who work with self-signed or expired certificates and need to debug quickly. The authors stress that using the library on production systems is strongly discouraged, since it removes one of the key elements of HTTPS protection entirely.
The project’s limitations include the inability to work with statically linked binaries and the lack of support for the Chrome and Chromium browsers, which have BoringSSL built in. In addition, applications that enforce strict certificate pinning may still refuse the connection.
The project is open source and available on GitHub.