Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Verify if curl is using TLS

Tags:

php

curl

ssl

In my PHP app I use PHP's CURL and openssl, to connect and talk using SOAP. Until now, remote server supported SSL and TLS but because of "poodle" bug, admin decided to disable SSL and use TLS only. SSL is supported until the end of January.

I changed my code by adding:

curl_setopt($objCurl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); 

That in theory should force curl to use TLSv1.2.

But that's theory - I need to verify that it actually uses TLS - is there any method for that? There is a method called curl_getinfo(), but info it returns is not useful for me:

[url] => https://www.example.com/soap/MessagingPort [content_type] => text/xml;charset=utf-8 [http_code] => 200 [header_size] => 293 [request_size] => 882 [filetime] => -1 [ssl_verify_result] => 0 [redirect_count] => 0 [total_time] => 0.164487 [namelookup_time] => 3.4E-5 [connect_time] => 3.4E-5 [pretransfer_time] => 0.000122 [size_upload] => 604 [size_download] => 178 [speed_download] => 1082 [speed_upload] => 3672 [download_content_length] => 178 [upload_content_length] => 604 [starttransfer_time] => 0.164477 [redirect_time] => 0 

Big Thanks in advance

like image 376
kayo Avatar asked Jan 12 '15 14:01

kayo


People also ask

Does Curl uses TLS?

This code here uses curl with the parameters --tlsv1. 1 --tls-max 1.1 , which will force the max TLS protocol version to 1.1. Using the --verbose parameter gives you the ability to see the TLS handshake and get the output sent to standard out.

Does Curl use TLS by default?

openssl - curl by default should use tls1.

How do I use TLS version in curl command?

You can use options --tlsv1. 0, --tlsv1. 1, and --tlsv1. 2 to control the TLS version more precisely (if the SSL backend in use supports such a level of control).


1 Answers

Short Answer

Make a request with curl to https://www.howsmyssl.com/

<?php  $ch = curl_init('https://www.howsmyssl.com/a/check'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $data = curl_exec($ch); curl_close($ch);  $json = json_decode($data); echo $json->tls_version; 

that should output what TLS version was used to connect.

Digging Deeper

Curl relies on the underlying OpenSSL (or NSS) library to do the negotiation of the secure connection. So I believe the right question to ask here is what is the OpenSSL library capable of. If it can handle a TLS connection, then curl can handle a TLS connection.

So how to figure out what the openssl (or NSS) library is capable of?

<?php     $curl_info = curl_version(); echo $curl_info['ssl_version']; 

which is going to dump out something like

OpenSSL/1.0.1k 

Then you can go and have a look at the release notes for that version and see if it includes TLS support.

OpenSSL Release notes - https://www.openssl.org/news/changelog.html

NSS Release notes - https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases

Spoiler Alert

  • openssl includes support for TLS v1.1 and TLS v1.2 in OpenSSL 1.0.1 [14 Mar 2012]
  • NSS included support for TLS v1.1 in 3.14
  • NSS included support for TLS v1.2 in 3.15
like image 84
Jeff Richards Avatar answered Oct 05 '22 18:10

Jeff Richards