How to Disable SSL Certificate Verification in ApacheBench (Equivalent to wget --no-check-certificate)



When testing HTTPS endpoints with ApacheBench (ab), you might encounter the frustrating error: Verify return code: 20 (unable to get local issuer certificate). Unlike wget's convenient --no-check-certificate flag, ab doesn't offer a direct parameter to skip SSL verification.

This occurs because ab uses OpenSSL for secure connections and performs strict certificate validation by default. The error suggests either:

  • The server's certificate isn't properly signed by a trusted CA
  • Your local CA store is missing intermediate certificates
  • There's a hostname mismatch in the certificate

For development/testing purposes (NOT production), consider these approaches:

1. Use openssl s_client to Debug First

openssl s_client -connect example.com:443 -showcerts

This helps identify specific certificate chain issues before attempting to bypass validation.

2. Environment Variable Solution

Set this before running ab:

export OPENSSL_CONF=/dev/null
ab -n 100 -c 10 https://example.com/

This effectively disables certificate verification by pointing OpenSSL to an empty configuration.

3. Using socat as a Proxy

Create a local unencrypted proxy:

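# Listen on loopback only, so the unverified relay is not reachable from other hosts
socat TCP-LISTEN:8080,bind=127.0.0.1,reuseaddr,fork openssl:example.com:443,verify=0 &
# Benchmark the plain-HTTP side of the relay
ab -n 100 -c 10 http://localhost:8080/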

If you frequently need this functionality, consider these alternatives that support disabling SSL verification:

curl -k https://example.com
wget --no-check-certificate https://example.com

Remember that disabling SSL verification exposes you to man-in-the-middle attacks. These solutions should only be used in:

  • Local development environments
  • Testing against servers with self-signed certs
  • Networks where you fully control the path

For production systems, you should:

  1. Properly install the missing CA certificates
  2. Configure your system's certificate store
  3. Consider using Let's Encrypt for free valid certificates
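
The production fix above (install the missing CA instead of skipping verification) can be reproduced offline. This is an added example, not part of the original article: it creates a throwaway CA and leaf certificate (the names Demo Test CA and app.test.example are constructed for the demo), shows openssl verify failing with error 20, and shows it passing once the CA is supplied with -CAfile.

```shell
#!/bin/sh
# Added example. CA and host names below are constructed for the demo.

# Create a throwaway root CA and a leaf certificate signed by it in directory $1.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=app.test.example" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null || return 1
}

# Print 0 if certificate $1 verifies, otherwise the X509 verify error number.
# $2 is an optional CA bundle; without it only the default trust store is used.
verify_code() {
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
    else
        out=$(openssl verify "$1" 2>&1) || true
    fi
    case $out in
        *": OK"*) echo 0 ;;
        *) printf '%s\n' "$out" |
               sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

# Run both checks against a fresh demo PKI and report the verify codes.
demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    echo "without CA: verify code $(verify_code "$dir/leaf.pem")"
    echo "with CA:    verify code $(verify_code "$dir/leaf.pem" "$dir/ca.pem")"
    rm -rf "$dir"
}

demo
```

Against a live endpoint, the same CA file can be passed to the debugging command from step 1 with its -CAfile option to confirm the chain verifies before any benchmark is run.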

When using ApacheBench (ab) for load testing HTTPS endpoints, you might encounter the frustrating error: Verify return code: 20 (unable to get local issuer certificate). Unlike wget, which has the convenient --no-check-certificate flag, ab doesn't provide a direct equivalent.

During development and testing, we often work with:

  • Self-signed certificates
  • Internal CA-signed certificates
  • Test environments with incomplete cert chains

Forcing certificate validation in these scenarios breaks automated testing workflows.

While ab doesn't have a built-in option, here are practical solutions:

1. Using openssl s_client for Debugging

First verify your certificate chain manually:

openssl s_client -connect example.com:443 -showcerts

2. Environment Variable Solution

For one-time testing, you can disable verification:

export SSL_CERT_FILE="" 
ab -n 100 -c 10 https://example.com/

3. Modify openssl.cnf (Permanent Solution)

Edit your OpenSSL configuration (location varies by OS):

[openssl_def]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyRenegotiation

If you need more flexibility, consider these alternatives:

# Using curl with --insecure
curl --insecure -X GET https://example.com

# Using httpress with -k flag
httpress -k -n 100 -c 10 https://example.com

Remember that these workarounds should only be used in test environments. In production, you should:

  1. Properly configure your certificate chain
  2. Use valid certificates from trusted CAs
  3. Consider using tools like Let's Encrypt