
Configure aria2 to Validate Peer Certificate Hostname on Ubuntu

This article explains how to enable strict SSL security settings within the aria2 download utility on Ubuntu systems. It covers the specific command-line flags and configuration file options required to force aria2 to verify both the certificate authority and the peer hostname during HTTPS connections, ensuring safer downloads against man-in-the-middle attacks.

By default, aria2 may not strictly validate SSL certificates or hostnames to facilitate easier connections to various servers. To enhance security, you must explicitly enable hostname validation. This ensures that the server you are connecting to matches the domain name listed in its SSL certificate.

Using Command-Line Arguments

You can enable hostname validation for a single session by adding specific flags when running the aria2c command. Use the --check-certificate and --check-hostname options set to true.

aria2c --check-certificate=true --check-hostname=true https://example.com/file.zip

The --check-certificate=true flag ensures the certificate is signed by a trusted authority. The --check-hostname=true flag verifies that the certificate belongs to the specific domain you are downloading from.

Permanent Configuration via aria2.conf

To make these settings permanent so you do not need to type them every time, edit the aria2 configuration file. On Ubuntu, this file is typically located at ~/.aria2/aria2.conf. If the file or directory does not exist, create them.

  1. Open the configuration file in a text editor:

     nano ~/.aria2/aria2.conf

  2. Add or modify the following lines in the file:

     check-certificate=true
     check-hostname=true

  3. Save the file and exit the editor.

Any subsequent aria2 downloads initiated on this user account will now automatically validate the peer certificate hostname. If a server presents an invalid certificate or a hostname mismatch, aria2 will refuse to download the file and display an SSL verification error.
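The three steps above as a script, added here as an example that is not part of the original article or of aria2. It writes a key only if the installed aria2c lists it in its own help output, so a key the local build does not document is reported instead of being persisted. The function names and the sample help text are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of aria2.

# opt_documented KEY: succeed if the help text on stdin lists --KEY as an option.
opt_documented() {
    grep -Eq -- '^[[:space:]]*(-[A-Za-z], )?--'"$1"'(\[|=|[[:space:]]|$)'
}

# set_opt FILE KEY VALUE: leave exactly one uncommented KEY=VALUE line in FILE.
set_opt() {
    so_tmp=$(mktemp) || return 1
    # Delete existing assignments of KEY (e.g. KEY=false), keep everything else.
    sed -E "/^[[:space:]]*$2[[:space:]]*=/d" "$1" > "$so_tmp" || return 1
    printf '%s=%s\n' "$2" "$3" >> "$so_tmp"
    mv "$so_tmp" "$1"
}

# harden_conf FILE: read `aria2c --help=#all` output on stdin, persist each key
# from the article that the text documents, and report any key it does not.
harden_conf() {
    hc_help=$(cat)
    mkdir -p "$(dirname "$1")" && touch "$1" || return 1
    hc_rc=0
    for hc_key in check-certificate check-hostname; do
        if printf '%s\n' "$hc_help" | opt_documented "$hc_key"; then
            set_opt "$1" "$hc_key" true || return 1
        else
            echo "not written: $hc_key is not listed by this aria2c" >&2
            hc_rc=2
        fi
    done
    return "$hc_rc"
}

# Constructed stand-in for help output (abbreviated, not captured from a real
# build), used to exercise the functions offline.
sample_help() {
    printf '%s\n' \
        ' --check-certificate[=true|false] Verify the peer using certificates' \
        '                              specified in --ca-certificate option.'
}

# Real use:  aria2c --help='#all' | harden_conf "$HOME/.aria2/aria2.conf"
```

A non-zero exit status means at least one key was left out of the file; check that option name against the installed aria2c manual page before adding it by hand.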