cURL error 35: gnutls_handshake() failed

I am running into the following error from a PHP component that uses CURL to request a URI via SSL:

cURL error 35: gnutls_handshake() failed: A TLS packet with unexpected length was received.

This error occurs in the travis-ci.org environment, but not in any of our test environments. See travis-ci build 144663700.

I have found out that the PHP version running in the Travis worker is compiled against "GnuTLS/2.12.14" on "Ubuntu 12.04.5 LTS" or with "GnuTLS/2.12.23" on "Ubuntu 14.04.3 LTS".

In our development environments, we use standard packages compiled against "OpenSSL/1.0.1t" on Debian (various versions).

Therefore, I assume the problem is related to "GnuTLS/2.12.14" or "GnuTLS/2.12.23", or the parameters with which they have been compiled.

I have tried limiting the SSL versions with the CURL constant CURLOPT_SSLVERSION, but that does not solve the problem.

According to www.ssllabs.com the host in question - api.reporting.cloud - supports TLS 1.2, TLS 1.1 and TLS 1.0.

Would anyone have any hints or pointers for me?

Asked by Jonathan Maron, Jul 14 '16 13:07


1 Answer

A workaround to this problem is to configure travis-ci to use the standard Ubuntu Trusty php5-cli and php5-curl packages. The standard packages offer the CURL_SSLVERSION_TLSv1_1 constant.

The .travis.yml file looks like this:

sudo: required
dist: trusty
language: php

before_install:
  - sudo apt-get -y install git zip php5-cli php5-curl

before_script:
  - php -r "printf('PHP %s', phpversion());"
  - composer self-update
  - composer install --no-interaction

script:
  - mkdir -p ./build/logs
  - ./vendor/bin/phpunit

In the PHP source, it is then simply a matter of setting the aforementioned constant in the case of the PHP code being executed by travis-ci:

if (getenv('TRAVIS')) {
    $options['curl'][CURLOPT_SSLVERSION] = CURL_SSLVERSION_TLSv1_1;
}

This workaround has the disadvantage that it only works on the specific PHP version that Ubuntu Trusty offers (PHP 5.5). Considering PHP 5.5 reached end of life on July 10, 2016, this solution is not acceptable.

It would be ideal for travis-ci to update to Ubuntu 16.04 LTS, but Brandon Burton, Infrastructure Manager at travis-ci wrote on February 28, 2016:

Given that, we are currently focused on supporting 12.04 and 14.04 as our primary environments. At the moment, it is unlikely that we'll be supporting 16.04 as a native environment this year.

Therefore, it would seem we are stuck with Ubuntu Trusty for a while.

The root of this problem is that the PHP version that runs on travis-ci was compiled with gnutls-cli (GnuTLS) 2.12.23, from 2011. This specific version of gnutls-cli has problems with some (but not all) TLS 1.2 connections.

@travis-ci: Would it be possible to re-compile the PHP versions you use against a more modern version of GnuTLS -- or at least one that better supports TLS 1.2?

Answered by Jonathan Maron, Oct 09 '22 23:10
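As an added example (not code from the question or the answer above), the same CURLOPT_SSLVERSION workaround keyed on the TLS backend cURL was actually built against, reported by curl_version(), rather than on the TRAVIS environment variable. It assumes PHP 5.5 or newer with the curl extension; the TLS 1.1 pin is applied only when the backend is GnuTLS 2.x, and every other backend is told to require TLS 1.2 so the downgrade does not leak into production builds.

```php
<?php
// Added example: choose CURLOPT_SSLVERSION from the cURL TLS backend string.

/**
 * Return the TLS backend cURL was linked against,
 * e.g. "GnuTLS/2.12.23" or "OpenSSL/1.0.1t" ('' if unknown).
 */
function curl_tls_backend()
{
    $v = curl_version();
    return isset($v['ssl_version']) ? $v['ssl_version'] : '';
}

/**
 * Decide the CURLOPT_SSLVERSION value for a backend string.
 * Returns null when libcurl should be left to negotiate on its own.
 */
function choose_curl_ssl_version($backend)
{
    if (preg_match('#^GnuTLS/(\d+)\.#', $backend, $m) && (int) $m[1] < 3) {
        // GnuTLS 2.x fails some TLS 1.2 handshakes with
        // "A TLS packet with unexpected length was received", so pin TLS 1.1.
        // This is a protocol downgrade; it is limited to this old backend.
        return defined('CURL_SSLVERSION_TLSv1_1') ? CURL_SSLVERSION_TLSv1_1 : null;
    }
    // Any other backend: require TLS 1.2 or newer where the constant exists
    // (it was added in PHP 5.5.19 / 5.6.3).
    return defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : null;
}

$options = array('curl' => array());   // same shape as $options in the answer
$ssl = choose_curl_ssl_version(curl_tls_backend());
if ($ssl !== null) {
    $options['curl'][CURLOPT_SSLVERSION] = $ssl;
}

// Issue one request against the host named in the question.
$ch = curl_init('https://api.reporting.cloud/');
curl_setopt_array($ch, $options['curl'] + array(
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,   // keep certificate verification on
));
$body = curl_exec($ch);
if ($body === false) {
    fwrite(STDERR, sprintf("cURL error %d: %s\n", curl_errno($ch), curl_error($ch)));
}
curl_close($ch);
```

Print curl_tls_backend() in the Travis before_script step to confirm which backend the worker's PHP actually uses before relying on the pin.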