PHP Curl（使用NSS）在连接到https时可能使用TLS的SSLv3 [英] PHP Curl (with NSS) is probably using SSLv3 insted of TLS when connecting to https

问题描述

我在PHP中使用curl库（使用NSS）连接到我的其他服务器。一切都很好，直到上周，当目标服务器停止支持SSLv3由于长笛脆弱性（CloudFlare顺便说一句）。现在，我尝试使用TLS进行连接，但我仍然收到SSL连接错误。

有示例代码，我使用： / p>

  $ ch = curl_init（）; 
 curl_setopt_array（$ ch，array（
 CURLOPT_URL =>'https://www.lumiart.cz'，
 CURLOPT_RETURNTRANSFER => true，
 CURLOPT_SSLVERSION => 1 ，
 CURLOPT_SSL_VERIFYPEER => false，
 CURLOPT_VERBOSE => true 
））; 
 $ output = curl_exec（$ ch）; 
 echo $ output; 
 
 print_r（curl_getinfo（$ ch））; 
 
 echo'error：'。 curl_error（$ ch）; 
 
 curl_close（$ ch）;根据我的理解，将 CURLOPT_SSLVERSION 设置为  


$ b 1 应通过TLS强制连接。

注意：我有 CURLOPT_SSL_VERIFYPEER =

这是输出：

p>

 数组
（
 [url] => https://www.lumiart.cz 
 [content_type] => 
 [http_code] => 0 
 [header_size] => 0 
 [request_size] => 0 
 [filetime] => -1 
 [ssl_verify_result] => 0 
 [redirect_count] => 0 
 [total_time] => 0 
 [namelookup_time] => 2.3E-5 
 [connect_time] => 0.005777 
 [pretransfer_time] => 0 
 [size_upload] => 0 
 [size_download] => 0 
 [speed_download] => 0 
 [speed_upload] => 0 
 [download_content_length] => -1 
 [upload_content_length] => -1 
 [starttransfer_time] => 0 
 [redirect_time] => 0 
 [certinfo] => Array 
（
）
 
 [primary_ip] => 2400：cb00： 2048：1 :: 681c：86f 
 [redirect_url] => 
）
错误：SSL连接错误
  

托管提供商，所以我不能更改任何php.ini配置或更新任何组件。我所有的是phpinfo（）。我检查了TLS支持这些组件版本，它应该是罚款。这里是phpinfo摘录：

  PHP版本5.4.32 
系统Linux wl42-f262 2.6.32-431.5。 1.el6.x86_64＃1 SMP Wed Feb 12 00:41:43 UTC 2014 x86_64 
 
 curl：
 cURL支持已启用
 cURL信息7.19.7 
年龄3 
特性
 AsynchDNS否
调试否
 GSS协商是
 IDN是
 IPv6是
大文件是
 NTLM是
 SPNEGO否
 SSL是
 SSPI否
 krb4否
 libz是
 CharConv否
协议tftp，ftp，telnet，dict，ldap ，ldaps，http，file，https，ftps，scp，sftp 
主机x86_64-redhat-linux-gnu 
 SSL版本NSS / 3.15.3 
 ZLib版本1.2.3 
 libSSH版本libssh2 / 1.4.2 
  

我认为，这个问题是使用SSLv3而不是TLS，我不是100％肯定。所有我正在进行的是SSL连接错误，我不知道，如何找出，哪个SSL版本用于连接。

有没有办法，如何检查，哪个SSL版本用于连接？

感谢您的任何意见。

解决方案>这是一个有趣的问题。

如果您查询 SSLLabs ，您将看到，它仅支持各种ECDHE-ECDSA- *密码，没有其他密码。但是，在 curl 的版本历史记录中，您会发现一个包含ECC密码和NSS库（您使用）的错误只修正curl版本7.36 nss：如果NSS实现它们，则允许使用ECC密码。

由于您使用curl 7.19.7，您的curl太旧，无法与NSS库一起使用必要的密码。这意味着您需要升级您的curl库。

I'm using curl library (with NSS) in PHP to connect to my other server. Everything was fine until last week, when the destination server stoped supporting SSLv3 due to poodle vulnerability (CloudFlare by the way). Now, I'm trying to make connection using TLS, but I'm still getting "SSL connect error".

There is sample code, I'm using:

$ch = curl_init();
curl_setopt_array( $ch, array(
    CURLOPT_URL => 'https://www.lumiart.cz',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSLVERSION => 1,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_VERBOSE => true
) );
$output = curl_exec( $ch );
echo $output;

print_r( curl_getinfo( $ch ) );

echo 'error:' . curl_error( $ch );

curl_close($ch);

From my understanding, setting CURLOPT_SSLVERSION to 1 should force connection via TLS.

Note: I have CURLOPT_SSL_VERIFYPEER => false just for debuging and I'm not meaning to leave it there, once I figure this problem out.

This is output:

Array
(
    [url] => https://www.lumiart.cz
    [content_type] => 
    [http_code] => 0
    [header_size] => 0
    [request_size] => 0
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0
    [namelookup_time] => 2.3E-5
    [connect_time] => 0.005777
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 0
    [download_content_length] => -1
    [upload_content_length] => -1
    [starttransfer_time] => 0
    [redirect_time] => 0
    [certinfo] => Array
        (
        )

    [primary_ip] => 2400:cb00:2048:1::681c:86f
    [redirect_url] => 
)
error:SSL connect error

I have all of this at shared hosting provider, so I can't change any php.ini configuration or update any components. All I have is phpinfo(). I've checked for TLS support on these components version and it should be fine. Here is excerpt of phpinfo:

PHP Version 5.4.32
System  Linux wl42-f262 2.6.32-431.5.1.el6.x86_64 #1 SMP Wed Feb 12 00:41:43 UTC 2014 x86_64

curl:
cURL support    enabled
cURL Information    7.19.7
Age 3
Features
AsynchDNS   No
Debug   No
GSS-Negotiate   Yes
IDN Yes
IPv6    Yes
Largefile   Yes
NTLM    Yes
SPNEGO  No
SSL Yes
SSPI    No
krb4    No
libz    Yes
CharConv    No
Protocols   tftp, ftp, telnet, dict, ldap, ldaps, http, file, https, ftps, scp, sftp
Host    x86_64-redhat-linux-gnu
SSL Version NSS/3.15.3
ZLib Version    1.2.3
libSSH Version  libssh2/1.4.2

I think, that problem is usage of SSLv3 instead of TLS, but I'm not 100% sure. All I'm geting is "SSL connect error" and I don't know, how to find out, which SSL version was used to connect.

Is there a way, how to check, which SSL version is used for connection? Or am I missing something?

Thanks for any advice!

解决方案

That's an interesting problem.

If you query SSLLabs for this site you will see, that it only supports various ECDHE-ECDSA-* ciphers and no other ciphers. But, in the version history of curl you will find a bug with ECC ciphers and the NSS library (which you use) which is only fixed in curl version 7.36 "nss: allow to use ECC ciphers if NSS implements them".

Since you are using curl 7.19.7 your curl is too old to use the necessary ciphers together with the NSS library. This means you need to upgrade your curl library.

这篇关于PHP Curl（使用NSS）在连接到https时可能使用TLS的SSLv3的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！