SSL, HTTP Proxy Security Settings

If you're in an environment using an older TTS bundle, with an older encryption, follow this guide. By default LiteLLM uses the certifi CA bundle for SSL verification, which is compatible with most modern servers. However, if you need to disable SSL verification or use a custom CA bundle, you can do so by following the steps below.

Be aware that environmental variables take precedence over the settings in the SDK.

LiteLLM uses HTTPX for network requests, unless otherwise specified.

1. Custom CA Bundle

You can set a custom CA bundle file path using the SSL_CERT_FILE environmental variable or passing a string to the the ssl_verify setting.

SDK
PROXY
Environment Variables

import litellm
litellm.ssl_verify = "client.pem"

litellm_settings:
  ssl_verify: "client.pem"

export SSL_CERT_FILE="client.pem"

2. Disable SSL verification

SDK
PROXY
Environment Variables

import litellm
litellm.ssl_verify = False

litellm_settings:
  ssl_verify: false

export SSL_VERIFY="False"

3. Lower security settings

The ssl_security_level allows setting a lower security level for SSL connections.

SDK
PROXY
Environment Variables

import litellm
litellm.ssl_security_level = "DEFAULT@SECLEVEL=1"

litellm_settings:
  ssl_security_level: "DEFAULT@SECLEVEL=1"

export SSL_SECURITY_LEVEL="DEFAULT@SECLEVEL=1"

4. Certificate authentication

The SSL_CERTIFICATE environmental variable or ssl_certificate attribute allows setting a client side certificate to authenticate the client to the server.

SDK
PROXY
Environment Variables

import litellm
litellm.ssl_certificate = "/path/to/certificate.pem"

litellm_settings:
  ssl_certificate: "/path/to/certificate.pem"

export SSL_CERTIFICATE="/path/to/certificate.pem"

5. Configure ECDH Curve for SSL/TLS Performance

The ssl_ecdh_curve setting allows you to configure the Elliptic Curve Diffie-Hellman (ECDH) curve used for SSL/TLS key exchange. This is particularly useful for disabling Post-Quantum Cryptography (PQC) to improve performance in environments where PQC is not required.

Use Case: Some OpenSSL 3.x systems enable PQC by default, which can slow down TLS handshakes. Setting the ECDH curve to X25519 disables PQC and can significantly improve connection performance.

SDK
PROXY
Environment Variables

import litellm
litellm.ssl_ecdh_curve = "X25519"  # Disables PQC for better performance

litellm_settings:
  ssl_ecdh_curve: "X25519"

export SSL_ECDH_CURVE="X25519"

Common Valid Curves:

X25519 - Modern, fast curve (recommended for disabling PQC)
prime256v1 - NIST P-256 curve
secp384r1 - NIST P-384 curve
secp521r1 - NIST P-521 curve

Note: If an invalid curve name is provided or if your Python/OpenSSL version doesn't support this feature, LiteLLM will log a warning and continue with default curves.

6. Use HTTP_PROXY environment variable

Both httpx and aiohttp libraries use urllib.request.getproxies from environment variables. Before client initialization, you may set proxy (and optional SSL_CERT_FILE) by setting the environment variables:

SDK
PROXY

import litellm
litellm.aiohttp_trust_env = True

export HTTPS_PROXY='http://username:password@proxy_uri:port'

export HTTPS_PROXY='http://username:password@proxy_uri:port'
export AIOHTTP_TRUST_ENV='True'

1. Custom CA Bundle​

2. Disable SSL verification​

3. Lower security settings​

4. Certificate authentication​

5. Configure ECDH Curve for SSL/TLS Performance​

6. Use HTTP_PROXY environment variable​