Login/Register
PHP Curl (with NSS) is probably using SSLv3 instead of TLS when connecting to https
Asked Answered
Solved phpsslcurlhttpsnss
M

4

12

I'm using curl library (with NSS) in PHP to connect to my other server. Everything was fine until last week, when the destination server stoped supporting SSLv3 due to poodle vulnerability (CloudFlare by the way). Now, I'm trying to make connection using TLS, but I'm still getting "SSL connect error".

There is sample code, I'm using:

$ch = curl_init();
curl_setopt_array( $ch, array(
    CURLOPT_URL => 'https://www.lumiart.cz',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSLVERSION => 1,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_VERBOSE => true
) );
$output = curl_exec( $ch );
echo $output;

print_r( curl_getinfo( $ch ) );

echo 'error:' . curl_error( $ch );

curl_close($ch);

From my understanding, setting CURLOPT_SSLVERSION to 1 should force connection via TLS.

Note: I have CURLOPT_SSL_VERIFYPEER => false just for debuging and I'm not meaning to leave it there, once I figure this problem out.

This is output:

Array
(
    [url] => https://www.lumiart.cz
    [content_type] => 
    [http_code] => 0
    [header_size] => 0
    [request_size] => 0
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0
    [namelookup_time] => 2.3E-5
    [connect_time] => 0.005777
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 0
    [download_content_length] => -1
    [upload_content_length] => -1
    [starttransfer_time] => 0
    [redirect_time] => 0
    [certinfo] => Array
        (
        )

    [primary_ip] => 2400:cb00:2048:1::681c:86f
    [redirect_url] => 
)
error:SSL connect error

I have all of this at shared hosting provider, so I can't change any php.ini configuration or update any components. All I have is phpinfo(). I've checked for TLS support on these components version and it should be fine. Here is excerpt of phpinfo:

PHP Version 5.4.32
System  Linux wl42-f262 2.6.32-431.5.1.el6.x86_64 #1 SMP Wed Feb 12 00:41:43 UTC 2014 x86_64

curl:
cURL support    enabled
cURL Information    7.19.7
Age 3
Features
AsynchDNS   No
Debug   No
GSS-Negotiate   Yes
IDN Yes
IPv6    Yes
Largefile   Yes
NTLM    Yes
SPNEGO  No
SSL Yes
SSPI    No
krb4    No
libz    Yes
CharConv    No
Protocols   tftp, ftp, telnet, dict, ldap, ldaps, http, file, https, ftps, scp, sftp
Host    x86_64-redhat-linux-gnu
SSL Version NSS/3.15.3
ZLib Version    1.2.3
libSSH Version  libssh2/1.4.2

I think, that problem is usage of SSLv3 instead of TLS, but I'm not 100% sure. All I'm getting is "SSL connect error" and I don't know, how to find out, which SSL version was used to connect.

Is there a way, how to check, which SSL version is used for connection? Or am I missing something?

Mishmash answered 19/10, 2014 at 16:35 Comment(4)
"I can't change any php.ini configuration or update any components" - but your host can, and are more-or-less obliged to for security issues like this so you should talk to them too. I had a similar problem in Java a while back where it defaulted to using the SSLv3 handshake even if it was only allowed to use it negotiate TLSv1+, and the server I was talking to refused to accept SSLv3 even for the handshake, so that might be the problem here but I wouldn't know how to tell sorry.Amhara
Thanks, I've checked on version of those components (php, curl, NSS), and all of them should be fine with TLS support. They are not that outdated, so I don't know, if updating would make any difference even If I convince my host to do that.Mishmash
@Mishmash did you figure this out? I'm trying to connect to a server with TLS since it disabled SSL it just won't seem to let me.Profiterole
@TerisL Well, not really. Problem is in curl version, like Steffen mentioned below. I've tried to convince my host to update curl library, but It seem, that they won't do it (suprisingly...). If you need simple connection, you could try fopen (php.vrana.cz/alternativa-ke-knihovne-curl.php (sorry for czech, but the code is selfexplanatory)). I actually do need to use curl, so now I'm trying to find a way, how to not use https for only one IP and use some other means of securing the transfer, without SSL. But that is not very good solution. Without curl updated is's probably only one :(Mishmash
G
21

That's an interesting problem.

If you query SSLLabs for this site you will see, that it only supports various ECDHE-ECDSA-* ciphers and no other ciphers. But, in the version history of curl you will find a bug with ECC ciphers and the NSS library (which you use) which is only fixed in curl version 7.36 "nss: allow to use ECC ciphers if NSS implements them".

Since you are using curl 7.19.7 your curl is too old to use the necessary ciphers together with the NSS library. This means you need to upgrade your curl library.

Geis answered 19/10, 2014 at 18:6 Comment(6)
I would never connect all that together :) thanks! I'll try to bug my host about that.Mishmash
This is becoming sort of a big deal with so many service providers killing SSL and requesting that you switch to TLS. I'm getting lots of support requests from users of tools where their web host has a prior version cURL and aren't willing to update it (for whatever reason).Japanese
I thought I had this figured out when I found your answer here, but now I have people running cURL 7.38.0 who are getting this error when I set TLSv1 specifically: "Unknown cipher in list: TLSv1". How am I supposed to get this working for everybody regardless of their cURL version? Very confused right now.Japanese
Unfortunately a lot can go wrong with SSL and often the error messages don't show the real problem. I would suggest that this is a different problem so better start a new question and provide as much information as possible. The best thing would be as much information that one can reproduce the problem so that one can debug it.Geis
If you find yourself in a major compatibility issue regarding ciphers, there is one remaining "old" cipher that hasn't been broken completely (but is merely weak)... 3DES... I've had to enable that to allow some antiquated clients to connect to things...Raving
@BrianKnoblauch: please read the answer: "...only supports various ECDHE-ECDSA-* ciphers and no other ciphers" and the problem is that none of these is supported by this curl version. Which means your recommendation does not help in this case.Geis
G
13

I have Curl 7.21.7 and PHP 5.4.34, and this seemed to do the trick for me:

curl_setopt($curl_request, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

More info here, although it doesn't say when CURL_SSLVERSION_TLSv1 was introduced.

Garibold answered 31/10, 2014 at 7:46 Comment(1)
Thank you, but this don't work in my setup. I'm still geting error "SSL connect error". I've tried also CURL_SSLVERSION_TLSv1_0 and so on, but they don't work either, as expected (since they were added in later versions)Mishmash
T
5

The answer for me was to use an integer value instead of a string.. i.e.: Change: 

curl_setopt($ch, CURLOPT_SSLVERSION_TLSv1_2);

To:

curl_setopt($ch, CURLOPT_SSLVERSION, 6);

Or for tlsv1_1:

curl_setopt($ch, CURLOPT_SSLVERSION, 5);

Here's the full list:

CURL_SSLVERSION_DEFAULT (0)
CURL_SSLVERSION_TLSv1 (1)
CURL_SSLVERSION_SSLv2 (2)
CURL_SSLVERSION_SSLv3 (3)
CURL_SSLVERSION_TLSv1_0 (4)
CURL_SSLVERSION_TLSv1_1 (5)
CURL_SSLVERSION_TLSv1_2 (6)

I'm running the following by the way:

curl-7.19.7-46.el6.x86_64
nss-3.21.0-0.3.el6_7.x86_64
Talesman answered 8/4, 2016 at 20:40 Comment(0)
S
3

Duplicate answer SSL error can not change to TLS proposed :

Try adding CURLOPT_SSL_CIPHER_LIST => 'TLSv1' to your PPHttpConfig.php.

( and discussed here Update PHP cURL request from SSLv3 to TLS..? too ).

As usefully commented, this apply to openssl curl library, not to nss.

Swallowtailed answered 5/11, 2014 at 19:18 Comment(1)
I've tried that, but it's not my case. This exact setting work only for OpenSSL. For NSS the list of cyphers can be found here: git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html but none of the ECDHE cyphers don't work for me. It's most likely due to version of curl/NNS my host has, as mentioned before. Thanks for reviewing!Mishmash

© 2022 - 2024 — McMap. All rights reserved.