In my PHP app I use PHP's CURL and openssl, to connect and talk using SOAP. Until now, remote server supported SSL and TLS but because of "poodle" bug, admin decided to disable SSL and use TLS only. SSL is supported until the end of January.
I changed my code by adding:
curl_setopt($objCurl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
That in theory should force curl to use TLSv1.2.
But that's theory - I need to verify that it actually uses TLS - is there any method for that? There is a method called curl_getinfo(), but info it returns is not useful for me:
[url] => https://www.example.com/soap/MessagingPort [content_type] => text/xml;charset=utf-8 [http_code] => 200 [header_size] => 293 [request_size] => 882 [filetime] => -1 [ssl_verify_result] => 0 [redirect_count] => 0 [total_time] => 0.164487 [namelookup_time] => 3.4E-5 [connect_time] => 3.4E-5 [pretransfer_time] => 0.000122 [size_upload] => 604 [size_download] => 178 [speed_download] => 1082 [speed_upload] => 3672 [download_content_length] => 178 [upload_content_length] => 604 [starttransfer_time] => 0.164477 [redirect_time] => 0
Big Thanks in advance
This code here uses curl with the parameters --tlsv1. 1 --tls-max 1.1 , which will force the max TLS protocol version to 1.1. Using the --verbose parameter gives you the ability to see the TLS handshake and get the output sent to standard out.
openssl - curl by default should use tls1.
You can use options --tlsv1. 0, --tlsv1. 1, and --tlsv1. 2 to control the TLS version more precisely (if the SSL backend in use supports such a level of control).
Short Answer
Make a request with curl to https://www.howsmyssl.com/
<?php $ch = curl_init('https://www.howsmyssl.com/a/check'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $data = curl_exec($ch); curl_close($ch); $json = json_decode($data); echo $json->tls_version;
that should output what TLS version was used to connect.
Digging Deeper
Curl relies on the underlying OpenSSL (or NSS) library to do the negotiation of the secure connection. So I believe the right question to ask here is what is the OpenSSL library capable of. If it can handle a TLS connection, then curl can handle a TLS connection.
So how to figure out what the openssl (or NSS) library is capable of?
<?php $curl_info = curl_version(); echo $curl_info['ssl_version'];
which is going to dump out something like
OpenSSL/1.0.1k
Then you can go and have a look at the release notes for that version and see if it includes TLS support.
OpenSSL Release notes - https://www.openssl.org/news/changelog.html
NSS Release notes - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases
Spoiler Alert
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With