v.24.7New Feature

Support for accept_invalid_certificate in client config for self-signed certificate connections

Published: November 25, 2025

Support accept_invalid_certificate in client's config in order to allow for client to connect over secure TCP to a server running with self-signed certificate - can be used as a shorthand for corresponding openSSL client settings verificationMode=none + invalidCertificateHandler.name=AcceptCertificateHandler. #65238 (peacewalker122).

Added support for the accept_invalid_certificate option in the client's configuration to allow connections over secure TCP to servers using self-signed certificates.

Why it matters

This feature simplifies connecting clients to ClickHouse servers running with self-signed SSL certificates by providing a straightforward configuration flag that disables certificate verification, avoiding the need for complex OpenSSL client settings.

How to use it

In the client's configuration, set accept_invalid_certificate=true to allow connections to servers with self-signed certificates. This acts as a shorthand for setting openSSL.verificationMode=none and openSSL.invalidCertificateHandler.name=AcceptCertificateHandler.

Related resources

Pull Request #65238