diff --git a/cmd/clair/main.go b/cmd/clair/main.go
index 754e54e5..11f0de4c 100644
--- a/cmd/clair/main.go
+++ b/cmd/clair/main.go
@@ -30,6 +30,7 @@ import (
 	"github.com/coreos/clair"
 	"github.com/coreos/clair/api"
 	"github.com/coreos/clair/database"
+	"github.com/coreos/clair/ext/imagefmt"
 	"github.com/coreos/clair/pkg/stopper"
 
 	// Register database driver.
@@ -123,6 +124,7 @@ func main() {
 	flagConfigPath := flag.String("config", "/etc/clair/config.yaml", "Load configuration from the specified file.")
 	flagCPUProfilePath := flag.String("cpu-profile", "", "Write a CPU profile to the specified file before exiting.")
 	flagLogLevel := flag.String("log-level", "info", "Define the logging level.")
+	flagInsecureTLS := flag.Bool("insecure-tls", false, "Disable TLS server's certificate chain and hostname verification when pulling layers.")
 	flag.Parse()
 
 	// Check for dependencies.
@@ -149,5 +151,11 @@ func main() {
 		defer stopCPUProfiling(startCPUProfiling(*flagCPUProfilePath))
 	}
 
+	// Enable TLS server's certificate chain and hostname verification
+	// when pulling layers if specified
+	if *flagInsecureTLS {
+		imagefmt.SetInsecureTLS(*flagInsecureTLS)
+	}
+
 	Boot(config)
 }
diff --git a/ext/imagefmt/driver.go b/ext/imagefmt/driver.go
index 6b14f48e..97f3bf79 100644
--- a/ext/imagefmt/driver.go
+++ b/ext/imagefmt/driver.go
@@ -21,6 +21,7 @@ package imagefmt
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io"
 	"math"
@@ -38,6 +39,10 @@ var (
 	// ErrCouldNotFindLayer is returned when we could not download or open the layer file.
 	ErrCouldNotFindLayer = commonerr.NewBadRequestError("could not find layer")
 
+	// insecureTLS controls whether TLS server's certificate chain and hostname are verified
+	// when pulling layers, verified in default.
+	insecureTLS = false
+
 	log = capnslog.NewPackageLogger("github.com/coreos/clair", "ext/imagefmt")
 
 	extractorsM sync.RWMutex
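Review bot: The comment above the new `if *flagInsecureTLS` block says the opposite of what the code does: the flag disables certificate chain and hostname verification, as its own help text in the previous hunk states. Suggest `// Disable TLS server certificate chain and hostname verification when pulling layers, if requested.` The guard is also redundant, because the package default is already verify-on, so the block can shrink to `imagefmt.SetInsecureTLS(*flagInsecureTLS)`. Consider emitting a warning-level log line when the flag is set so that running layer downloads without certificate verification is visible in the process log and not only on the command line. main begins outside the hunk.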
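Review bot: The doc comment on `insecureTLS` is hard to read ("verified in default") and leaves out the ordering assumption the code relies on: the variable is a plain bool written by SetInsecureTLS and read by Extract with no synchronization, so it is only safe if it is set before any extraction starts, which the main.go hunk does but nothing documents. Suggest `// insecureTLS disables TLS certificate chain and hostname verification when pulling layers. It defaults to false (verify), is set only by SetInsecureTLS, and must not be changed once Extract may be running.` The enclosing var block starts outside the hunk.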
@@ -116,7 +121,11 @@ func Extract(format, path string, headers map[string]string, toExtract []string)
 	}
 
 	// Send the request and handle the response.
-	r, err := http.DefaultClient.Do(request)
+	tr := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: insecureTLS},
+	}
+	client := &http.Client{Transport: tr}
+	r, err := client.Do(request)
 	if err != nil {
 		log.Warningf("could not download layer: %s", err)
 		return nil, ErrCouldNotFindLayer
@@ -148,3 +157,9 @@ func Extract(format, path string, headers map[string]string, toExtract []string)
 
 	return nil, commonerr.NewBadRequestError(fmt.Sprintf("unsupported image format '%s'", format))
 }
+
+// SetInsecureTLS sets the insecureTLS to control whether TLS server's certificate chain
+// and hostname are verified when pulling layers.
+func SetInsecureTLS(insecure bool) {
+	insecureTLS = insecure
+}
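Review bot: The replacement for `http.DefaultClient` builds a fresh `http.Transport` on every call to Extract, and a bare Transport differs from `http.DefaultTransport` in more than the TLS config: it has no `Proxy` (so `HTTP_PROXY`/`HTTPS_PROXY` are now ignored), no dial or `TLSHandshakeTimeout` bounds, and its own idle-connection pool, so registry connections are never reused and each call leaves a pool behind. Build the client once and reuse it, carrying over the DefaultTransport settings that matter here; since `insecureTLS` is only meant to change before Boot, a `sync.Once` is enough (`sync` is already imported in this file, `time` would need adding for the timeout). Extract begins outside the hunk.
```go
var (
	layerClientOnce sync.Once
	layerClient     *http.Client
)

// newLayerClient builds the client used for layer downloads once, keeping
// DefaultTransport's proxy handling and handshake timeout instead of starting
// from a bare Transport; insecureTLS is read when the client is first needed.
func newLayerClient() *http.Client {
	layerClientOnce.Do(func() {
		tr := &http.Transport{
			Proxy:               http.ProxyFromEnvironment,
			TLSHandshakeTimeout: 10 * time.Second,
			TLSClientConfig:     &tls.Config{InsecureSkipVerify: insecureTLS},
		}
		layerClient = &http.Client{Transport: tr}
	})
	return layerClient
}

// … in Extract, replacing the per-call Transport and Client …
	// Send the request and handle the response.
	r, err := newLayerClient().Do(request)
	// … unchanged: error handling and extraction …
```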
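Review bot: `SetInsecureTLS(true)` silently switches every subsequent layer download to skip certificate verification, and the only trace of that is the command-line flag. Log it here, where the package logger is already in scope, e.g. `if insecure { log.Warningf("TLS certificate verification is disabled for layer downloads") }`, so the insecure mode is visible in operator logs. The doc comment should also state that the function must be called before the first Extract, since the bool it writes is read there without synchronization.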