
I'm attempting to make POST requests to an external API (code below). I managed to get the curl code working on my localhost, but when I go to my staging server the curl call returns the error Peer reports incompatible or unsupported protocol version (35). From reading into this, I need to add an error buffer to get more debugging info, but the documentation is confusing.

Yet when I make a curl request directly in the server's terminal with I receive a connection successful. Which makes me extremely confused, as the server is clearly capable of making curl requests.

PHP Curl Code

```php
$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => $url,
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 30,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_POSTFIELDS => json_encode($body),
  CURLOPT_HTTPHEADER => $header,
));

$response = curl_exec($curl);
$err = curl_error($curl);
echo "response: " . $response;
echo "<br><br>error: " . $err;

curl_close($curl);
```

Server Curl Response

```
curl https://support.zendesk.com/api/v2/users/create_or_update.json

* About to connect() to support.zendesk.com port 443 (#0)
*   Trying 104.16.51.111...
* Connected to support.zendesk.com (104.16.51.111) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN= support.zendesk.com,O="CloudFlare, Inc.",L=San Francisco,ST=CA,C=US
*   start date: Mar 08 00:00:00 2019 GMT
*   expire date: Mar 08 12:00:00 2020 GMT
*   common name: support.zendesk.com
*   issuer: CN=CloudFlare Inc ECC CA-2,O="CloudFlare, Inc.",L=San Francisco,ST=CA,C=US
> GET /api/v2/users/create_or_update.json HTTP/1.1
> User-Agent: curl/7.29.0
> Host: support.zendesk.com
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Fri, 12 Apr 2019 12:52:28 GMT
< Content-Type: application/json; charset=UTF-8
< Content-Length: 37
< Connection: keep-alive
< Set-Cookie: __cfduid=da0ecd56691c96b9b3dac091df58383d51555073548; expires=Sat, 11-Apr-20 12:52:28 GMT; path=/; domain=.ralphandrussoclientcare.zendesk.com; HttpOnly
< WWW-Authenticate: Basic realm="Web Password"
< Strict-Transport-Security: max-age=31536000;
< Cache-Control: no-cache
< X-Zendesk-Origin-Server: app23.pod17.euw1.zdsys.com
< X-Request-Id: 4c65566eacc82981-DUB
< X-Runtime: 0.032000
< X-Zendesk-Request-Id: 3360f95a861586e6f414
< Set-Cookie: __cfruid=7af98f1cbac97922c1c15b82f7c133c3945a446e-1555073548; path=/; domain=.ralphandrussoclientcare.zendesk.com; HttpOnly
< Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
< Server: cloudflare
< CF-RAY: 4c65566eacc82981-DUB
< 
* Connection #0 to host support.zendesk.com left intact
{"error":"Couldn't authenticate you"}
```
Matt Hammond
  • What is `-sslv4`? cURL only supports `--sslv2` and `--sslv3`, and both of them are considered insecure. I did not think anyone used them anymore. Also see the [`curl(1)` man page](https://curl.haxx.se/docs/manpage.html). – jww Apr 12 '19 at 12:50
  • @jww I'm new to cURL, I just ran up the sslv numbers until it connected which is weirdly at 4, what would you suggest? Response, SSL connection using TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 – Matt Hammond Apr 12 '19 at 12:52
  • post the CURLOPT_VERBOSE log from the staging server where it doesn't work. if you don't know how to capture it there because it is sent on stderr, this will post it to php's standard output instead: ```$stderrh=tmpfile();curl_setopt($ch,CURLOPT_STDERR,$stderrh);curl_exec($ch);rewind($stderrh);/*https://bugs.php.net/bug.php?id=76268*/ $stderr=stream_get_contents($stderrh);fclose($stderrh);var_dump($stderr);``` – hanshenrik Apr 12 '19 at 15:05
  • @hanshenrik A massive thank you for pointing me in the right direction. Following the answer in this post (https://stackoverflow.com/questions/30145089/tls-1-2-not-working-in-curl) I used SSLV 6 which allowed me to make the requests – Matt Hammond Apr 12 '19 at 15:07

1 Answer

In order to solve this problem, I performed a server SSL test using https://www.ssllabs.com/ssltest/, which showed me which protocols were already open and available on the server.

From that, I followed the answer to this question, "TLS 1.2 not working in cURL", which showed me which PHP CURLOPT_SSLVERSION number to use in order to access an open protocol.

Therefore, I had to add the following line of code to my curl array:

```php
CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_2
```
Matt Hammond
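The following is an added example, not code from the question or the answer: it combines the verbose-log capture suggested in the comments with the `CURLOPT_SSLVERSION` setting from the answer, and reports which TLS versions PHP's own libcurl can negotiate with the endpoint. The function name `probeTls` and the `$url` value are assumptions made for illustration.

```php
<?php
// Added example. $url is a placeholder (assumption): use the API host you call.
$url = 'https://example.com/';

/**
 * Send one HEAD request pinned to $sslVersion and return the result together
 * with the verbose handshake log that libcurl normally writes to stderr.
 */
function probeTls(string $url, int $sslVersion): array
{
    $log = fopen('php://temp', 'w+');      // in-memory sink for the verbose log
    $ch  = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_NOBODY         => true,    // HEAD is enough to complete a handshake
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSLVERSION     => $sslVersion,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,
    ]);
    curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    unset($ch);                            // release the handle before closing the log

    rewind($log);
    $verbose = stream_get_contents($log);
    fclose($log);

    // The same line that appears in the terminal output in the question.
    preg_match('/SSL connection using (.+)/', $verbose, $m);
    return ['errno' => $errno, 'error' => $error,
            'negotiated' => isset($m[1]) ? trim($m[1]) : null,
            'verbose' => $verbose];
}

// PHP may be linked against a different libcurl/TLS backend than the CLI curl.
$info = curl_version();
printf("libcurl %s, TLS backend %s\n", $info['version'], $info['ssl_version']);

foreach (['TLSv1_0', 'TLSv1_1', 'TLSv1_2', 'TLSv1_3'] as $name) {
    $const = 'CURL_SSLVERSION_' . $name;
    if (!defined($const)) { printf("%-8s not defined in this PHP build\n", $name); continue; }
    $r = probeTls($url, constant($const));
    if ($r['errno'] === 0) {
        printf("%-8s ok    %s\n", $name, $r['negotiated'] ?? '(no cipher line in log)');
    } else {
        $hint = $r['errno'] === CURLE_SSL_CONNECT_ERROR ? ' (handshake rejected)' : '';
        printf("%-8s fail  [%d] %s%s\n", $name, $r['errno'], $r['error'], $hint);
    }
}
```

`CURL_SSLVERSION_TLSv1_2` evaluates to the integer 6, which is the value referred to in the comments; the `verbose` element of the returned array holds the full log for any version that fails.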