
I am in this very unfortunate situation:

  • My website is running outdated software (security patches are applied) with OpenSSL 0.9.8o 01 Jun 2010, which doesn't support TLSv1.1/1.2
  • I also have a payment gateway which is PCI DSS compliant, therefore SSL and early TLS are disabled there

My website used to exchange data with the payment gateway, but as TLSv1.0 is dropped I can no longer use PHP's cURL library or even file_get_contents() (or wget/lynx/curl via shell).

Is there any workaround, any option for connecting to a TLSv1.1+ secured server without using the built-in libraries?

I know some classes exist for PHP, like phpseclib, which is an SSH client, great for people who can't use the SSH2 module.

Does something like that exist for PHP? Is there any way I can connect to my gateway?

So far my best idea is connecting to the gateway through another server (with updated software).

Peter
  • Are you stuck with using built-in libraries or can you install additional ones into userspace? – Marek May 15 '15 at 10:28
  • @Marek I can't use the built-in PHP libraries, lynx, wget, curl because of the old openssl lib – Peter May 15 '15 at 10:35
  • I know that, I was asking if you can install additional libraries and programs into userspace, i.e. `$HOME/bin` – Marek May 15 '15 at 10:41
  • @Marek oh sorry. Yeah, I can install apps into the home directory – Peter May 15 '15 at 10:43
  • 9
    Then you should try this path. First install openssl into home, then compile curl linking to your local library, install it into home, set `LD_LIBRARY_PATH` env variable. It will likely not be that simple, newer versions will depend on other newer versions, but it's outside of scope here, any questions should go to http://superuser.com – Marek May 15 '15 at 11:09
  • 2
    Marek: I suggest you make that comment into an answer... – Daniel Stenberg May 18 '15 at 12:17
  • Maybe a faster way to solve that: set up a separate nginx on the same machine with more recent libs. That way you don't have to change your outdated environment in any way, but you also don't have to have another machine running. – Hafenkranich May 23 '15 at 16:09
  • @RaphaelWeber I can't install anything on the machine – Peter May 23 '15 at 16:32
  • Can you have a proxy/nginx box that you will talk to using your current setup? The proxy can be set up to talk to the payment processor using the latest protocols... i.e. Your Machine <--TLS1--> Proxy <--TLS1.1+--> PaymentGW – Lmwangi May 23 '15 at 21:01

6 Answers


Once I used a utility called stunnel for my non-TLS client; quote from the website:

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code. Its architecture is optimized for security, portability, and scalability (including load-balancing), making it suitable for large deployments.

dafyk
  • I used another approach (see answer made by me) but I guess stunnel would work too. So bounty goes to you, thanks – Peter May 26 '15 at 08:29
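As an added example (not from the answer above and not from the stunnel project), here is a client-mode stunnel.conf of the kind the answer points to, placed under the home directory since nothing can be added system-wide. The PHP site sends plain HTTP to 127.0.0.1:8443 and stunnel opens the TLS 1.2 connection to the gateway. The hostname gateway.example.com, the local port and the /home/www paths are assumptions.

```ini
; Added example: stunnel in client mode, running from $HOME.
; Paths and the gateway hostname are assumptions.
pid = /home/www/stunnel/stunnel.pid
output = /home/www/stunnel/stunnel.log
foreground = no

[gateway]
client = yes
; plaintext side, reachable only from this host
accept = 127.0.0.1:8443
; TLS side
connect = gateway.example.com:443
; stunnel's own OpenSSL, not the 0.9.8 PHP is built against, negotiates this
sslVersion = TLSv1.2
; verify chain and hostname: once PHP talks plaintext to the tunnel it cannot
; see the gateway's certificate at all, so the tunnel has to do the checking
verifyChain = yes
CAfile = /home/www/stunnel/ca-certificates.crt
checkHost = gateway.example.com
sni = gateway.example.com
```

Point the site's cURL or file_get_contents() calls at http://127.0.0.1:8443/ instead of https://gateway.example.com/, and send the Host header the gateway expects (for example with CURLOPT_HTTPHEADER), because the URL no longer carries it. Two things matter: stunnel itself must be built against an OpenSSL that knows TLS 1.2 (a userspace build in $HOME, as in the comments on the question), and verifyChain/checkHost must stay on. The loopback leg is unencrypted, so this is only acceptable with stunnel on the same host as the site.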

Is there any workaround, any option for connecting to a TLSv1.1+ secured server without using the built-in libraries?

I can think of five work-arounds:

1) It is possible (but tricky) to have multiple versions of OpenSSL (or even Curl) installed. You can even use LD_PRELOAD_LIBRARY to make an existing binary use library from somewhere else. I think this is a messy way to do it.

2) This would be really simple with Docker. Unfortunately, it requires a modern kernel, so you probably can't install it on your server. But you could install a more modern OS, then install your server into a Docker container with the older OS. But this may be about as much work as moving your website to a newer OS.

3) Instead of Docker, just use chroot. On a newer box, use "ldd" to find all dependencies. Copy them (plus curl) into a chroot. Copy that dir to your server and run "chroot dir curl". The binary will see the newer libraries and work. This will only take a few minutes to set up for someone who knows what they are doing.

4) Use a statically-linked version of curl that has a newer OpenSSL compiled in.

5) Use a program that doesn't use OpenSSL. For example some go(lang) programs use their own encryption, and compile to a static binary. For example: https://github.com/astaxie/bat

The first 2 might be a bit impractical in your setup, but any of the last 3 will work.

BraveNewCurrency
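A concrete form of option 3 above, and a root-less alternative to "chroot dir curl", added here as an example and not part of the answer or of any tool's code: on a machine that already has a curl linked against OpenSSL 1.0.1 or later, it collects curl and every shared object it needs into a directory tree; on the old host it starts that curl through the copied dynamic loader, so neither root nor any change to the system libraries is needed. The paths /tmp/curl-root and $HOME/curl-root and the gateway hostname in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: pack a newer curl and every shared
# library it needs into a directory tree on a machine whose curl already links
# a modern OpenSSL, then carry the tree to the old host and run the binary there
# against the copied libraries instead of the system OpenSSL 0.9.8.
set -eu

# Absolute paths of the shared objects a dynamically linked binary needs.
# ldd prints lines of two shapes:
#   libssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)        <- the dynamic loader itself
list_deps() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $1 ~ /^\//                { print $1 }' | sort -u
}

# The dynamic loader is the only line whose first field is a path.
find_loader() {
    ldd "$1" 2>/dev/null | awk '$1 ~ /^\// { print $1; exit }'
}

# Copy one file into the tree at $1, keeping its absolute path $2 below it.
# -L follows symlinks so the real object, not a dangling link, lands in the tree.
copy_into() {
    mkdir -p "$1$(dirname "$2")"
    cp -L "$2" "$1$2"
}

# Build the tree: the binary, its libraries, the CA bundle curl needs to keep
# verifying the gateway certificate, and the resolver files and NSS modules
# glibc opens at run time (dlopen()ed, so ldd never lists them).
# Prints the number of files placed.
build_tree() {
    bin=$1; dest=$2; cabundle=${3:-/etc/ssl/certs/ca-certificates.crt}
    mkdir -p "$dest"
    copy_into "$dest" "$bin"
    libpath=""
    for lib in $(list_deps "$bin"); do
        copy_into "$dest" "$lib"
        dir=$(dirname "$lib")
        case ":$libpath:" in
            *":$dir:"*) ;;
            *) libpath="${libpath:+$libpath:}$dir" ;;
        esac
    done
    for f in "$cabundle" /etc/resolv.conf /etc/hosts /etc/nsswitch.conf \
             /lib/*/libnss_dns.so.2 /lib/*/libnss_files.so.2 \
             /lib64/libnss_dns.so.2 /lib64/libnss_files.so.2; do
        if [ -f "$f" ]; then copy_into "$dest" "$f"; fi
    done
    # Remember how to start the binary outside a chroot (see run_in_tree).
    find_loader "$bin" > "$dest/.loader"
    printf '%s\n' "$libpath" > "$dest/.libpath"
    find "$dest" -type f | wc -l | tr -d ' '
}

# Run the copied binary on the old host. chroot(2) needs root, which a shared
# host often does not grant, so instead start the copied dynamic loader
# directly and point it at the copied library directories.
run_in_tree() {
    dest=$1; bin=$2; shift 2
    loader=$(cat "$dest/.loader")
    if [ -z "$loader" ]; then          # statically linked binary: just run it
        "$dest$bin" "$@"
        return
    fi
    libpath=$(sed "s|:|:$dest|g; s|^|$dest|" "$dest/.libpath")
    "$dest$loader" --library-path "$libpath" "$dest$bin" "$@"
}

case "${1:-}" in
    build) build_tree "$2" "$3" ;;          # build /usr/bin/curl /tmp/curl-root
    run)   shift; run_in_tree "$@" ;;       # run $HOME/curl-root /usr/bin/curl ...
esac
```

On the newer box: `sh pack-curl.sh build "$(command -v curl)" /tmp/curl-root && tar -C /tmp/curl-root -czf curl-root.tgz .`. On the old host, unpack into $HOME and call `sh pack-curl.sh run $HOME/curl-root /usr/bin/curl --tlsv1.2 --cacert $HOME/curl-root/etc/ssl/certs/ca-certificates.crt https://gateway.example/`, for instance from PHP's shell_exec(). Both machines must share a CPU architecture, and the loader and libc must come from the same source box so their versions match, which copying everything from one machine guarantees. Pass --cacert explicitly, because outside a chroot the copied curl would otherwise look for its compiled-in CA path on the old host. With root, the chroot route from the answer works on the same tree.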

I liked your initial idea of proxying to another server, except you are circumventing the security restrictions imposed by the gateway, and when dealing with payment info, that is probably not a good idea.

However, if you can run a Vagrant instance on your own server that has updated libraries, then you can proxy the insecure request to the Vagrant instance on localhost, so it doesn't leave the box, and then from the Vagrant instance that has the updated libraries do the secure communication to your gateway.

Scott Jungwirth

I was going to suggest Stunnel, but dafyk noted it well.

Those PCI restrictions are not implemented (only) to slow people down, lol. They exist for protection.

You will solve your problem with Stunnel. But why don't you update the website server?

You have pinpointed the outdated SSL, but as a server, several other bugs will be present.

If they exploit some other weakness and get root access, they will have the stunnel password to start exploring what's in the pipe.

So this does not seem good enough to assure the reliability that PCI wants you to have.

LeoPucciBr
  • Thing is, the card processing server IS secure; my client (store) is not (and doesn't have to be). – Peter May 23 '15 at 16:31
  • Indeed. If they start stealing cards from them, the card company can audit you looking for answers. Keep this kind of old server grouped together in a list. As a countermeasure you can block them and show that you are helping them out in the auditing. – LeoPucciBr May 24 '15 at 12:43

I already posted one answer, but then I read in the comments that you can't install any tools on the server. You can use PHP's native functions called PHP Streams. This is a code sample for the old Twitter API:

  <?php
  // Fetch a JSON resource over HTTPS with PHP's built-in stream wrapper and an
  // explicit SSL context. The ssl:// wrapper uses the OpenSSL library PHP was
  // built against, so the protocol version negotiated here is bounded by it.
  $url = 'https://api.twitter.com/1/statuses/public_timeline.json';
  $contextOptions = array(
      'ssl' => array(
          'verify_peer'         => true,                                  // reject unverifiable certificates
          'cafile'              => '/etc/ssl/certs/ca-certificates.crt',  // CA bundle used for verification
          'verify_depth'        => 5,
          'CN_match'            => 'api.twitter.com',                     // hostname check (PHP < 5.6; 'peer_name' from 5.6 on)
          'disable_compression' => true,                                   // no TLS compression
          'SNI_enabled'         => true,
          // OpenSSL cipher list: entries are colon-separated, '!' removes a class
          'ciphers'             => 'ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4'
      )
  );
  $sslContext = stream_context_create($contextOptions);
  $result = file_get_contents($url, false, $sslContext);
  if ($result === false) {
      // handshake or HTTP failure; the warning PHP emitted says which
      exit("request failed\n");
  }
  echo $result;
dafyk

I found another solution.

On the secure server I set up two VirtualHosts: 443 for TLSv1.2 and another, for my website only, with TLSv1.0 support.

More info here: https://serverfault.com/a/692894/122489

Thanks for all the answers.

Peter
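An added example of the two-VirtualHost split this answer describes, written for Apache 2.4 with mod_ssl. The answer does not say which web server the gateway runs, so that choice, the hostname gateway.example.com, port 8443, the certificate paths and the legacy client address 203.0.113.10 are all assumptions and not the author's configuration.

```apache
# Added example, not the author's configuration: the public entry point speaks
# only TLS 1.2; a second vhost on another port accepts TLS 1.0 and answers only
# the one legacy web server that cannot do better. Names, paths and the client
# address are assumptions.
Listen 443
Listen 8443

<VirtualHost *:443>
    ServerName gateway.example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384
    SSLCertificateFile    /etc/ssl/gateway/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/gateway/privkey.pem
    DocumentRoot /srv/gateway
</VirtualHost>

# Legacy entry point. A separate port, not a name-based vhost on 443, so the
# TLS 1.0 setting cannot leak into the public endpoint, and an IP allow-list so
# nothing but the old site can use it.
<VirtualHost *:8443>
    ServerName gateway.example.com
    SSLEngine on
    SSLProtocol -all +TLSv1
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-SHA
    SSLCertificateFile    /etc/ssl/gateway/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/gateway/privkey.pem
    DocumentRoot /srv/gateway
    <Location />
        Require ip 203.0.113.10
    </Location>
</VirtualHost>
```

Require ip denies the HTTP request, not the TLS handshake, so an external scanner would still see TLS 1.0 offered on 8443; add a firewall rule that admits only the legacy web server's address to that port, and treat the vhost as a dated exception to be removed once the old site is upgraded, which is the position the other answers argue for.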