Verify if curl is using TLS

Question

In my PHP app I use PHP's CURL and openssl, to connect and talk using SOAP. Until now, remote server supported SSL and TLS but because of "poodle" bug, admin decided to disable SSL and use TLS only. SSL is supported until the end of January.

I changed my code by adding:

curl_setopt($objCurl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); 

That in theory should force curl to use TLSv1.2.

But that's theory - I need to verify that it actually uses TLS - is there any method for that? There is a method called curl_getinfo(), but info it returns is not useful for me:

[url] => https://www.example.com/soap/MessagingPort [content_type] => text/xml;charset=utf-8 [http_code] => 200 [header_size] => 293 [request_size] => 882 [filetime] => -1 [ssl_verify_result] => 0 [redirect_count] => 0 [total_time] => 0.164487 [namelookup_time] => 3.4E-5 [connect_time] => 3.4E-5 [pretransfer_time] => 0.000122 [size_upload] => 604 [size_download] => 178 [speed_download] => 1082 [speed_upload] => 3672 [download_content_length] => 178 [upload_content_length] => 604 [starttransfer_time] => 0.164477 [redirect_time] => 0 

Big Thanks in advance

Answer 1

Short Answer

Make a request with curl to https://www.howsmyssl.com/

<?php  $ch = curl_init('https://www.howsmyssl.com/a/check'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $data = curl_exec($ch); curl_close($ch);  $json = json_decode($data); echo $json->tls_version; 

that should output what TLS version was used to connect.

Digging Deeper

Curl relies on the underlying OpenSSL (or NSS) library to do the negotiation of the secure connection. So I believe the right question to ask here is what is the OpenSSL library capable of. If it can handle a TLS connection, then curl can handle a TLS connection.

So how to figure out what the openssl (or NSS) library is capable of?

<?php     $curl_info = curl_version(); echo $curl_info['ssl_version']; 

which is going to dump out something like

OpenSSL/1.0.1k 

Then you can go and have a look at the release notes for that version and see if it includes TLS support.

OpenSSL Release notes - https://www.openssl.org/news/changelog.html

NSS Release notes - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases

Spoiler Alert

• openssl includes support for TLS v1.1 and TLS v1.2 in OpenSSL 1.0.1 [14 Mar 2012]
• NSS included support for TLS v1.1 in 3.14
• NSS included support for TLS v1.2 in 3.15