连接到https时,PHP Curl(带有NSS)可能使用SSLv3而不是TLS [英] PHP Curl (with NSS) is probably using SSLv3 instead of TLS when connecting to https
问题描述
我正在使用PHP中的curl库(带有NSS)来连接到其他服务器.直到上周一切都还不错,直到目的服务器由于狮子狗漏洞(顺便说一下CloudFlare)而停止支持SSLv3.现在,我正在尝试使用TLS建立连接,但仍然出现"SSL连接错误".
I'm using curl library (with NSS) in PHP to connect to my other server. Everything was fine until last week, when the destination server stoped supporting SSLv3 due to poodle vulnerability (CloudFlare by the way). Now, I'm trying to make connection using TLS, but I'm still getting "SSL connect error".
有示例代码,我正在使用:
There is sample code, I'm using:
$ch = curl_init();
curl_setopt_array( $ch, array(
CURLOPT_URL => 'https://www.lumiart.cz',
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSLVERSION => 1,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_VERBOSE => true
) );
$output = curl_exec( $ch );
echo $output;
print_r( curl_getinfo( $ch ) );
echo 'error:' . curl_error( $ch );
curl_close($ch);
据我了解,将CURLOPT_SSLVERSION设置为1应该会强制通过TLS进行连接.
From my understanding, setting CURLOPT_SSLVERSION to 1 should force connection via TLS.
注意:我有CURLOPT_SSL_VERIFYPEER => false只是用于调试,一旦解决了这个问题,我并不是要把它留在那里.
Note: I have CURLOPT_SSL_VERIFYPEER => false just for debuging and I'm not meaning to leave it there, once I figure this problem out.
这是输出:
Array
(
[url] => https://www.lumiart.cz
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 0
[redirect_count] => 0
[total_time] => 0
[namelookup_time] => 2.3E-5
[connect_time] => 0.005777
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[certinfo] => Array
(
)
[primary_ip] => 2400:cb00:2048:1::681c:86f
[redirect_url] =>
)
error:SSL connect error
我在共享主机提供商处拥有所有这些功能,因此我无法更改任何php.ini配置或更新任何组件.我只有phpinfo().我已经检查了这些组件版本的TLS支持,应该没问题.这是phpinfo的摘录:
I have all of this at shared hosting provider, so I can't change any php.ini configuration or update any components. All I have is phpinfo(). I've checked for TLS support on these components version and it should be fine. Here is excerpt of phpinfo:
PHP Version 5.4.32
System Linux wl42-f262 2.6.32-431.5.1.el6.x86_64 #1 SMP Wed Feb 12 00:41:43 UTC 2014 x86_64
curl:
cURL support enabled
cURL Information 7.19.7
Age 3
Features
AsynchDNS No
Debug No
GSS-Negotiate Yes
IDN Yes
IPv6 Yes
Largefile Yes
NTLM Yes
SPNEGO No
SSL Yes
SSPI No
krb4 No
libz Yes
CharConv No
Protocols tftp, ftp, telnet, dict, ldap, ldaps, http, file, https, ftps, scp, sftp
Host x86_64-redhat-linux-gnu
SSL Version NSS/3.15.3
ZLib Version 1.2.3
libSSH Version libssh2/1.4.2
我认为,问题在于使用SSLv3而不是TLS,但我不确定100%.我得到的只是"SSL连接错误",而且我不知道如何查找使用哪个SSL版本进行连接.
I think, that problem is usage of SSLv3 instead of TLS, but I'm not 100% sure. All I'm getting is "SSL connect error" and I don't know, how to find out, which SSL version was used to connect.
有没有一种方法,如何检查使用哪个SSL版本进行连接?还是我错过了什么?
Is there a way, how to check, which SSL version is used for connection? Or am I missing something?
推荐答案
这是一个有趣的问题.
如果您为此站点查询 SSLLabs 您会看到,它仅支持各种ECDHE-ECDSA- *密码,不支持其他密码.但是,在 curl的版本历史记录中,您会发现一个包含ECC密码和NSS库(您使用的库)的bug.仅在curl版本7.36 "nss:如果NSS实现,则允许使用ECC密码" 修复.
If you query SSLLabs for this site you will see, that it only supports various ECDHE-ECDSA-* ciphers and no other ciphers. But, in the version history of curl you will find a bug with ECC ciphers and the NSS library (which you use) which is only fixed in curl version 7.36 "nss: allow to use ECC ciphers if NSS implements them".
由于您使用的是curl 7.19.7,因此您的curl太旧了,无法与NSS库一起使用必需的密码.这意味着您需要升级curl库.
Since you are using curl 7.19.7 your curl is too old to use the necessary ciphers together with the NSS library. This means you need to upgrade your curl library.
这篇关于连接到https时,PHP Curl(带有NSS)可能使用SSLv3而不是TLS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
