TLS 1.2 not working in cURL

I am having trouble curling an HTTPS url that uses TLS1.2, in my curl operation I post my login data into the website and save it in cookiefile. The error message I am getting is this

 error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

I have tried setting VERIFYPEER and VERIFYHOST to 0 but that does not seem to work, any suggestions?

Here are the versions I am using:

  • OpenSSL version is 0.9.8b
  • CURL version is 7.24.0
  • PHP is 5.3

Here is the code:

$setuplogin = curl_init(); 
curl_setopt ($setuploginurl, CURLOPT_URL, $url); 
curl_setopt ($setuploginurl, CURLOPT_SSL_VERIFYPEER, 1); 
curl_setopt ($setuploginurl, CURLOPT_SSL_VERIFYHOST, 1);
curl_setopt ($setuploginurl, CURLOPT_FOLLOWLOCATION, TRUE);
curl_setopt ($setuploginurl, CURLOPT_SSLVERSION, 'CURL_SSLVERSION_TLSv1_2');
curl_setopt ($setuploginurl, CURLOPT_POSTFIELDS, 'username=uname&password=pword&act=login&submit=Login');
curl_setopt ($setuploginurl, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36"); 
curl_setopt (setuploginurl, CURLOPT_TIMEOUT, 60); 
curl_setopt ($setuploginurl, CURLOPT_COOKIESESSION, TRUE); 
curl_setopt ($setuploginurl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($setuploginurl,  CURLOPT_HEADER, 1);
curl_setopt ($setuploginurl,CURLOPT_ENCODING,"gzip");
curl_setopt ($setuploginurl, CURLOPT_POST, true);
curl_setopt ($setuploginurl, CURLOPT_COOKIEJAR, 'cookies.txt'); 
curl_setopt ($setuploginurl, CURLOPT_FRESH_CONNECT , 1);

$loginp= curl_exec($setuploginurl); 
if ($loginp === FALSE) {
    die(curl_error($setuploginurl));
}

curl_close ($setuploginurl); 
var_dump ($loginp);

Answers


You must use an integer value for the CURLOPT_SSLVERSION value, not a string as listed above

Try this:

curl_setopt ($setuploginurl, CURLOPT_SSLVERSION, 6); //Integer NOT string TLS v1.2

http://php.net/manual/en/function.curl-setopt.php

value should be an integer for the following values of the option parameter: CURLOPT_SSLVERSION

One of

CURL_SSLVERSION_DEFAULT (0) CURL_SSLVERSION_TLSv1 (1) CURL_SSLVERSION_SSLv2 (2) CURL_SSLVERSION_SSLv3 (3) CURL_SSLVERSION_TLSv1_0 (4) CURL_SSLVERSION_TLSv1_1 (5) CURL_SSLVERSION_TLSv1_2 (6).


TLS 1.1 and TLS 1.2 are supported since OpenSSL 1.0.1

Forcing TLS 1.1 and 1.2 are only supported since curl 7.34.0

You should consider an upgrade.


I has similar problem in context of Stripe:

Error: Stripe no longer supports API requests made with TLS 1.0. Please initiate HTTPS connections with TLS 1.2 or later. You can learn more about this at https://stripe.com/blog/upgrading-tls.

Forcing TLS 1.2 using CURL parameter is temporary solution or even it can't be applied because of lack of room to place an update. By default TLS test function https://gist.github.com/olivierbellone/9f93efe9bd68de33e9b3a3afbd3835cf showed following configuration:

SSL version: NSS/3.21 Basic ECC
SSL version number: 0
OPENSSL_VERSION_NUMBER: 1000105f
TLS test (default): TLS 1.0
TLS test (TLS_v1): TLS 1.2
TLS test (TLS_v1_2): TLS 1.2

I updated libraries using following command:

yum update nss curl openssl

and then saw this:

SSL version: NSS/3.21 Basic ECC
SSL version number: 0
OPENSSL_VERSION_NUMBER: 1000105f
TLS test (default): TLS 1.2
TLS test (TLS_v1): TLS 1.2
TLS test (TLS_v1_2): TLS 1.2

Please notice that default TLS version changed to 1.2! That globally solved problem. This will help PayPal users too: https://www.paypal.com/au/webapps/mpp/tls-http-upgrade (update before end of June 2017)


Replace following

curl_setopt ($setuploginurl, CURLOPT_SSLVERSION, 'CURL_SSLVERSION_TLSv1_2');

With

curl_setopt ($ch, CURLOPT_SSLVERSION, 6);

Should work flawlessly.


TLS 1.2 is only supported since OpenSSL 1.0.1 (see the Major version releases section), you have to update your OpenSSL.

It is not necessary to set the CURLOPT_SSLVERSION option. The request involves a handshake which will apply the newest TLS version both server and client support. The server you request is using TLS 1.2, so your php_curl will use TLS 1.2 (by default) as well if your OpenSSL version is (or newer than) 1.0.1.


Need Your Help

What are some Search Servers out there?

search full-text-search search-engine solr

I'm looking to find alternatives to Solr from the Apache Software Foundation.