php - PHP cURL: enforce low TLS version

问题描述

Goal is to write PHP code testing for TLS v1.2 connectivity. Getting a successful answer isn't a problem, but I can't produce a failure by using an older TLS version in PHP. Testing failures is obviously needed to prove correctness of code (to some reasonable degree).

On the command line I could come up with this, giving a clear distinction:

$ curl -X POST https://api.paypal.com/v1/oauth2/token 
{"name":"AUTHENTICATION_FAILURE", [...]

$ curl --tls-max 1.1 -X POST https://api.paypal.com/v1/oauth2/token 
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

In PHP I tried this ...

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://api.paypal.com/v1/oauth2/token');
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
// $response: '{"name":"AUTHENTICATION_FAILURE", [...]

... which means a succcessful TLS v1.2 connection, as one can see in the CLI example above, despite TLS v1.1 being requested. It's the same result as when requesting CURL_SSLVERSION_TLSv1_2.

This is PHP 7.3.7 with cURL 7.64.0 and I hope I can get away without recompiling PHP just for disabling TLS v1.2 support.

标签： phpsslcurlphp-curl