
Good day all. I'm using a payment gateway on a site with credit card payments. The bank gateway has told all its customers that it will stop all SSL connections starting from the 3rd of January, so I must be sure I'm doing the right things without tests.

Actually I'm using this configuration just before making the connection:

<?php
$curl_handle = curl_init();
curl_setopt($curl_handle, CURLOPT_URL, $to_url);
// Certificate verification is switched off here (debugging setting, see below)
curl_setopt($curl_handle, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl_handle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl_handle, CURLOPT_POST, 1);
curl_setopt($curl_handle, CURLOPT_POSTFIELDS, $data);
$buffer = curl_exec($curl_handle);
curl_close($curl_handle);
?>

This is set to false due to debugging needs:

curl_setopt($curl_handle, CURLOPT_SSL_VERIFYPEER, false);

So, I've read that adding:

CURLOPT_SSLVERSION => 1

should force the use of TLS, is that true? Will adding this option prevent the gateway from ignoring my requests? Does it need some other options?

Matteo Bononi 'peorthyr'

1 Answer


You might experience connectivity issues if you don't specify your TLS version, which often happens.

You need the following options:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
curl_setopt($ch, CURLOPT_CAINFO, 'cacert.crt');
// CURLOPT_SSL_CIPHER_LIST takes a colon-separated string of cipher names, not a PHP array
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, $array_ciphers);

This way, you will achieve maximum forward secrecy.

You can always remove any of the mentioned parameters, but before you do, make sure you read this detailed explanation of the functions above. Afterwards you can decide what you would like to do.

Let me know if you have any questions.

GTodorov
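
The following is an added example, not code from the question or the answer: it sends the POST with verification enabled and TLS 1.2 requested, and captures libcurl's verbose handshake log so the negotiated protocol can be confirmed after the gateway's cut-over. The functions `negotiated_tls` and `gateway_post`, the host `gateway.example` and the CA bundle path are hypothetical, and the "SSL connection using" line format is assumed to be the one libcurl prints with its OpenSSL backend.

```php
<?php
// Added example. Names, URL and CA bundle path are placeholders.

// Pull protocol and cipher out of libcurl verbose output.
// Assumes the OpenSSL-backend line "* SSL connection using <proto> / <cipher>".
function negotiated_tls(string $verbose_log): ?array
{
    if (preg_match('~SSL connection using (\S+) / (\S+)~', $verbose_log, $m)) {
        return ['protocol' => $m[1], 'cipher' => $m[2]];
    }
    return null; // other TLS backends may word this line differently
}

function gateway_post(string $url, array $fields, string $ca_bundle): array
{
    $log = fopen('php://temp', 'w+');            // in-memory sink for the verbose log
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,          // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,             // certificate must match the host name
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_CAINFO         => $ca_bundle,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,
    ]);
    $body  = curl_exec($ch);
    $error = ($body === false) ? curl_error($ch) : null; // handshake/cert failures land here
    curl_close($ch);

    rewind($log);
    $tls = negotiated_tls(stream_get_contents($log));
    fclose($log);

    return ['body' => $body, 'error' => $error, 'tls' => $tls];
}

// Constructed sample of verbose output, so the parser can be checked offline.
$sample = "* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256\n";
var_dump(negotiated_tls($sample));

// Live use (placeholder values):
// $r = gateway_post('https://gateway.example/pay', ['amount' => '10.00'], '/path/to/cacert.pem');
// if ($r['error'] !== null) { error_log('gateway TLS/transport error: ' . $r['error']); }
```

Logging the `tls` entry for each request gives a record of what was actually negotiated, and a non-null `error` with verification enabled points at a certificate or protocol problem rather than silently proceeding.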