1

I need integration of my company website with external web services which require Curl and TLS 1.2.

I enabled php_curl.dll and set curl.cainfo with the right pem file path on php.ini.

Now curl is working but only with TLS 1.0, even with CURLOPT_SSLVERSION option set to 6:

  $c = curl_init();
  curl_setopt($c, CURLOPT_URL, "https://www.howsmyssl.com/a/check");
  curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($c, CURLOPT_SSLVERSION, 6);

I'm working on a WAMP server with Apache 2.4, PHP 5.4.16 - MSVC9 - NTS - CGI/FastCGI.

Scrolling phpinfo() page, on section "PHP Variables" I see

_SERVER["SERVER_SOFTWARE"]  Apache/2.4.10 (Win32) OpenSSL/1.0.1j mod_fcgid/2.3.9
_SERVER["SSL_VERSION_LIBRARY"]  OpenSSL/1.0.1j

while on "openssl" section I see

OpenSSL Library Version     OpenSSL 0.9.8y 5 Feb 2013
OpenSSL Header Version      OpenSSL 0.9.8y 5 Feb 2013

and on "curl" section:

cURL support    enabled
cURL Information    7.30.0 
SSL Yes
SSL Version     OpenSSL/0.9.8y

Can someone tell me why PHP is using OpenSSL 1.0.1j and Curl 0.9.8y?

How can I have Curl set on TLS 1.2 without upgrading PHP?

Jason Aller
  • 3,541
  • 28
  • 38
  • 38
S.S.
  • 21
  • 1
  • 4
  • Possible duplicate of [TLS 1.2 not working in cURL](https://stackoverflow.com/questions/30145089/tls-1-2-not-working-in-curl) – Nigel Ren Jun 26 '18 at 13:28
  • Think the relevant part of the duplicate is 'Forcing TLS 1.1 and 1.2 are only supported since curl 7.34.0' – Nigel Ren Jun 26 '18 at 13:29
  • why don't you want to update your php version ? it is deprecated since Sep 2015... you should really update to a more recent version which will fix many security flaws as well as performance improvements. (same for openssl and curl) – ᴄʀᴏᴢᴇᴛ Jun 26 '18 at 13:38
  • I know I should update PHP version and I will do it but it's a long work, because I need to find the perfect php configuration with particular extensions I need, and I have test all sites and application hosted for compatibility with new versions of php and extensions. And now I need TLS 1.2 for integration with some web services as soon as possible. – S.S. Jun 26 '18 at 14:13
  • What you see in SERVER_SOFTWARE is the OpenSSL version used by Apache (the one it has been compiled with), which is something completely separate from what PHP/cURL library inside PHP are using for OpenSSL. Also all of this clearly shows it is time now to upgrade your whole stack. You will have then far less problems than trying to shoehorn newer TLS features into old software... – Patrick Mevzek Jun 26 '18 at 14:50
  • Oh yes, I'm aware of that, thank you. I will do it. But now I need to make it work with this version. What can I do? Update php_curl.dll or php_openssl.dll? Where to find compiled libs for WIN32? – S.S. Jun 26 '18 at 15:23

0 Answers0