php - PHP cURL: enforce low TLS version
Problem description
Goal is to write PHP code testing for TLS v1.2 connectivity. Getting a successful answer isn't a problem, but I can't produce a failure by using an older TLS version in PHP. Testing failures is obviously needed to prove correctness of code (to some reasonable degree).
On the command line I could come up with this, giving a clear distinction:
$ curl -X POST https://api.paypal.com/v1/oauth2/token
{"name":"AUTHENTICATION_FAILURE", [...]
$ curl --tls-max 1.1 -X POST https://api.paypal.com/v1/oauth2/token
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
In PHP I tried this ...
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://api.paypal.com/v1/oauth2/token');
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
// $response: '{"name":"AUTHENTICATION_FAILURE", [...]
... which means a successful TLS v1.2 connection, as one can see in the CLI example above, despite TLS v1.1 being requested. It's the same result as when requesting CURL_SSLVERSION_TLSv1_2.
This is PHP 7.3.7 with cURL 7.64.0 and I hope I can get away without recompiling PHP just for disabling TLS v1.2 support.
Solution
To answer my own question: the documentation at https://www.php.net/function.curl-setopt is outdated. cURL 7.54 changed the behaviour of the CURL_SSLVERSION_ macros; these settings now set the minimum acceptable TLS version for the connection. It also introduced the CURL_SSLVERSION_MAX_ macros, which set the maximum TLS version to attempt. Until the PHP documentation is updated, see https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html.
So, restricting the connection to TLS v1.1 works like this:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://api.paypal.com/v1/oauth2/token');
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_MAX_TLSv1_1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
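The answer's snippet produces the handshake failure but does not yet make it observable from PHP. The following is an added example, not code from the question or the answer: it wraps the same CURLOPT_SSLVERSION mechanism in a probe function that reports curl_errno()/curl_error() so a test can assert on a rejected handshake (CURLE_SSL_CONNECT_ERROR, error 35, matching the CLI output above) versus a successful TLS 1.2 connection. It assumes PHP >= 7.3 with libcurl >= 7.54 (where the CURL_SSLVERSION_MAX_* constants exist), that min and max values may be combined with a bitwise OR as the libcurl documentation describes, and it uses the PayPal endpoint from the question only as an example target; the function and variable names are the example's own.

```php
<?php
// Added example: probe an HTTPS endpoint with an explicit libcurl min/max TLS
// version and return the outcome as data, so a handshake rejection is testable.
// Assumes PHP >= 7.3 and libcurl >= 7.54 (CURL_SSLVERSION_MAX_* constants).

function tlsProbe(string $url, int $sslVersion): array
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_SSLVERSION     => $sslVersion,
        CURLOPT_NOBODY         => true,  // HEAD request: no credentials or body needed to exercise the handshake
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate verification on; only the protocol version is under test
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
    ]);
    curl_exec($ch);
    $result = [
        'errno'     => curl_errno($ch),
        'error'     => curl_error($ch),
        'http_code' => curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
    ];
    curl_close($ch);

    // A TLS version the server refuses surfaces as CURLE_SSL_CONNECT_ERROR (35),
    // the same code the curl CLI printed for --tls-max 1.1.
    $result['handshake_ok']  = ($result['errno'] === 0);
    $result['tls_rejected']  = ($result['errno'] === CURLE_SSL_CONNECT_ERROR);
    return $result;
}

// Fail early if this libcurl predates the MAX_ constants instead of silently
// negotiating whatever the peer offers.
if (!defined('CURL_SSLVERSION_MAX_TLSv1_1')) {
    $libcurl = curl_version()['version'];
    fwrite(STDERR, "libcurl {$libcurl}: CURL_SSLVERSION_MAX_* constants unavailable (need libcurl >= 7.54, PHP >= 7.3)\n");
    exit(1);
}

$url = 'https://api.paypal.com/v1/oauth2/token';  // endpoint from the question; any TLS 1.2-only host works

$cases = [
    // Min TLS 1.1 OR'ed with max TLS 1.1: the only version offered is 1.1, so a
    // server that requires 1.2 must abort the handshake.
    'max TLS 1.1 (expect handshake failure)' => CURL_SSLVERSION_TLSv1_1 | CURL_SSLVERSION_MAX_TLSv1_1,
    // Min TLS 1.2 with the default maximum: this is the setting to keep in production code.
    'min TLS 1.2 (expect success)'           => CURL_SSLVERSION_TLSv1_2,
];

foreach ($cases as $label => $version) {
    $r = tlsProbe($url, $version);
    printf("%-40s handshake_ok=%s tls_rejected=%s errno=%d http=%d %s\n",
        $label,
        $r['handshake_ok'] ? 'yes' : 'no',
        $r['tls_rejected'] ? 'yes' : 'no',
        $r['errno'],
        $r['http_code'],
        $r['error']);
}
```

In a test suite the two probes become assertions on `tls_rejected` and `handshake_ok` respectively. The HTTP status of the HEAD request is irrelevant to the check (the endpoint may answer 404 or 405); what matters is that the first case never completes a handshake while the second does. The `CURL_SSLVERSION_TLSv1_2` minimum, with the default maximum, is what production code should set, since the whole point of the test is to prove that connections cannot fall back to older protocol versions.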