v.22.10 Improvement

Require the '--accept-certificate' Flag for Clients Connecting to Servers with Invalid Certificates

Allow clients connecting to a secure server with an invalid certificate to proceed only with the '--accept-certificate' flag. #41743 (Yakov Olkhovskiy).
This change introduces a security restriction: a client connecting to a ClickHouse server that presents an invalid TLS certificate can proceed only if it explicitly passes the --accept-certificate flag.

Why it matters

This feature enhances security by preventing silent acceptance of invalid certificates during client connections, thereby reducing the risk of man-in-the-middle attacks or unauthorized access when using secure servers with TLS. It ensures users knowingly accept the potential risks by requiring explicit consent.

How to use it

When connecting to a ClickHouse server with an invalid TLS certificate, users must add the --accept-certificate flag to their client command line to proceed with the connection. Without this flag, the connection will be refused.