TLS Certificate Verification Bypass Library A universal LD_PRELOAD library that disables TLS certificate verification across multiple TLS libraries and platforms.
Cross-platform support : Linux, FreeBSD, OpenBSD, NetBSD, Solaris, AIX, macOSAutomatic platform detection : Single binary adapts to the target platformThread-safe implementation : Platform-specific optimizations for thread safetyComprehensive TLS library support : All major TLS implementations coveredMinimal dependencies : Works on embedded systems and old Linux devicesOpenSSL (1.0.x, 1.1.x, 3.x) BoringSSL LibreSSL GnuTLS (all versions) NSS (Network Security Services) mbedTLS wolfSSL libcurl (HTTP/HTTPS) Standard build (auto-detects platform) gcc -shared -fPIC -O3 -o libtlsnoverify.so tls_noverify.c -ldl # Linux with optimizations# FreeBSD# Solaris# Old Linux devices (minimal dependencies)Note: Use absolute paths for LD_PRELOAD to ensure reliability when applications spawn subprocesses from different directories.
# Basic usage# With debug output# Multiple applications# Web browsers# Python with requests library" print(__import__('requests').get('https://expired.badssl.com/').text)" # Node.js" require('https').get('https://expired.badssl.com',r=>r.on('data',d=>console.log(d+'')))" The library uses LD_PRELOAD to intercept TLS library functions responsible for certificate verification. Key features:
Automatically detects the target platform at compile time Uses platform-specific thread safety mechanisms:Linux : pthread mutexes with futex optimizationSolaris : Atomic operations with memory barriersBSD/macOS : Standard pthread mutexesOpenBSD : Simple atomic swap operations This library completely disables TLS certificate verification. Use only for:
Development and testing Debugging TLS issues Accessing internal services with self-signed certificates Never use in production environments!
TLS_NOVERIFY_DEBUG=1: Enable debug output to stderrTLS_NOVERIFY_BACKTRACE=1: Show stack traces for intercepted functions (Linux, FreeBSD, macOS only)Linux (kernel 2.6+, glibc and musl) FreeBSD 11+ OpenBSD 6+ NetBSD 8+ Solaris 10+ AIX 7.1+ macOS 10.12+ Some statically linked binaries may not be affected Applications using certificate pinning at a higher level may still fail Does not affect certificate validation done in interpreted languages' standard libraries Chrome/Chromium browsers are not supported as they use BoringSSL statically linked into the binary If the library doesn't seem to work:
Enable debug output to verify the library is loaded and intercepting functions:
TLS_NOVERIFY_DEBUG=1 LD_PRELOAD=/tmp/libtlsnoverify.so your_command Use strace to check if the library and target TLS libraries are being loaded:
strace -e openat,open LD_PRELOAD=/tmp/libtlsnoverify.so your_command2>&1 | grep -E" (libtlsnoverify|libssl|libgnutls|libnss)" Verify library path is absolute and the file exists:
ls -la /tmp/libtlsnoverify.so If you see portable_dlsym: self-reference: the target lib is missing and it seems to be lazy loading
# LD_PRELOAD="/path/to/libtlsnoverify.so:/usr/lib/targetlib" wget https://example.com" /path/to/libtlsnoverify.so:/usr/lib/libmbedtls.so.21" Use at your own risk. This tool is provided for testing and debugging purposes only.