Bug 1255920

Summary: No TLS1.1 or TLS1.2 support for RHEL6.7's php curl module
Product: Red Hat Enterprise Linux 6 Reporter: Andrew Sanders <asanders>
Component: php    Assignee: Remi Collet <rcollet>
Status: CLOSED ERRATA QA Contact: Petr Šplíchal <psplicha>
Severity: medium Docs Contact: Lenka Špačková <lkuprova>
Priority: medium    
Version: 6.7CC: cww, dkutalek, fkrska, jon.dufresne, jorton, kdudka, mark.redding, ohudlick, psplicha, rcollet, zpytela
Target Milestone: rc    Keywords: EasyFix, Patch, Reproducer
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: php-5.3.3-47.el6 Doc Type: Release Note
Doc Text:
PHP *cURL* module now supports TLS 1.1 and TLS 1.2
Support for the TLS protocol versions 1.1 and 1.2, which was previously made available in the *curl* library, has been added to the PHP *cURL* extension.
Story Points: ---
Clone Of:
: 1291667    Environment:
Last Closed: 2016-05-10 21:38:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1012136    
Bug Blocks: 1172231, 1253743, 1254457, 1269913, 1291667, 1310222    

Description Andrew Sanders 2015-08-21 21:44:55 UTC
Description of problem:
TLS1.1 and TLS1.2 were included with the release of RHEL6.7.  However, it does not seem that php's curl module can use the new TLS features.

Version-Release number of selected component (if applicable):
curl-7.19.7-46.el6.x86_64 & php-cli-5.3.3-46.el6_6.x86_64

How reproducible:
Every single time.


Steps to Reproduce:
1. Confirm curl version:
# rpm -q curl
curl-7.19.7-46.el6.x86_64


2. Confirm php version:

# rpm -q php-cli
php-cli-5.3.3-46.el6_6.x86_64


3. Prepare test script:

# cat test.php
<?php
 $ch = curl_init();
 if ($ch) {
   if ( !curl_setopt($ch, CURLOPT_URL, "https://www.<redacted>.com") )
     return "FAIL1";
   if ( !curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1) ) // line 6: constant missing on php-5.3.3-46
     return "FAIL2";
   if ( !curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true) ) return "FAIL3";
   if ( !curl_exec($ch) ) return "FAIL4";
   curl_close($ch);
 }
?>


4. Execute test.php:

# php test.php
PHP Notice:  Use of undefined constant CURL_SSLVERSION_TLSv1_1 - assumed 'CURL_SSLVERSION_TLSv1_1' in /root/php-curl/test.php on line 6

# curl -I https://www.<redacted>.com
curl: (35) SSL connect error


5. Confirm requirement for TLS:

# curl -I --tlsv1.1 https://www.<redacted>.com
HTTP/1.1 302 Found
Date: Fri, 14 Aug 2015 13:51:17 GMT
Server: Apache
Location: https://www.<redacted>.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8



Actual results:
An SSL connect error is encountered.



Expected results:
The web page should be fetched without any SSL errors.



Additional info:

The customer that identified this issue has requested this bug remain public.  Also, they have identified that applying the patch from https://github.com/php/php-src/blob/6c0feb0665f3488ffdc2ab33e9e1b8d3a1af93ae/ext/curl/interface.c#L1215-L1217 appears to demonstrate that php 5.3.3 can handle the TLS options.  Below is the patch:

$ cat SOURCES/php-curl.patch
--- php-5.3.3/ext/curl/interface.c      2010-04-22 08:58:07.000000000 +0000
+++ php-5.3.3/ext/curl/interface.c.patch        2015-08-13 21:40:08.678000000 +0000
@@ -463,6 +463,9 @@
           of options and which version they were introduced */

        /* Constants for curl_setopt() */
+        REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0);
+        REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1);
+        REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2);
 #if LIBCURL_VERSION_NUM > 0x070a07 /* CURLOPT_IPRESOLVE is available since curl 7.10.8 */
        REGISTER_CURL_CONSTANT(CURLOPT_IPRESOLVE);
        REGISTER_CURL_CONSTANT(CURL_IPRESOLVE_WHATEVER);
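Review bot: the three added REGISTER_CURL_CONSTANT lines are unconditional, while (as comment 6 below notes) CURL_SSLVERSION_TLSv1_0/TLSv1_1/TLSv1_2 only exist in libcurl 7.34.0 and later, so this hunk will not compile against a libcurl that lacks the RHEL backport; wrap them in a version guard in the style the file already uses two lines further down, e.g. `#if LIBCURL_VERSION_NUM >= 0x072200 /* CURL_SSLVERSION_TLSv1_x are available since curl 7.34.0 */` ... `#endif`. As a minor style point, the `+++` header names `interface.c.patch` rather than `interface.c`; keep both header paths identical so the patch applies cleanly with `-p1`.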

Here is partial output of a successful run from the same server following a rebuild of the RPM with inclusion of the patch:

# php test.php |head

<!DOCTYPE html>

<!-- GROUP CONDITIONAL CLASSES FOR IE - classes taken from http://<redacted2>.com/ on 2013-10-25, with additonal classes added
    ________________________________________________________________________________ -->
<!--[if lt IE 7]>      <html lang="en-US" class="no-js ie lt-ie10 lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]>         <html lang="en-US" class="no_js ie ie-7 lt-ie10 lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>         <html lang="en-US" class="no_js ie ie-8 lt-ie10 lt-ie9 gt-ie7"> <![endif]-->
<!--[if IE 9 ]>        <html lang="en-US" class="no-js ie ie-9 lt-ie10 gt-ie7 gt-ie8 css-bg-3-of-3"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html lang="en-US" class="no-js ie gt-ie7 gt-ie8 gt-ie9 modern-browser css-bg-3-of-3"> <!--<![endif]-->

Comment 1 Andrew Sanders 2015-08-21 21:45:13 UTC
*** Bug 1255573 has been marked as a duplicate of this bug. ***

Comment 6 Remi Collet 2015-12-14 10:23:28 UTC
Notice: these constants only exist in PHP 5.5 and curl 7.34.0

Thanks to the backport in the RH curl version (bug #1012136), these are available.

Comment 7 Remi Collet 2015-12-14 12:47:53 UTC
Notice: a possible workaround is

defined('CURL_SSLVERSION_TLSv1_1') or define('CURL_SSLVERSION_TLSv1_1', 5);

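The following script is an added example, not code from the bug report or from the php package: it combines the reporter's reproducer with the workaround from comment 7, defining the three CURL_SSLVERSION_TLSv1_* constants only when the installed curl extension lacks them, and it surfaces curl_errno()/curl_error() instead of silently returning from the top level as the original test.php does. The numeric values are libcurl's own enum values (5 for TLS 1.1 is confirmed in comment 7; 4 and 6 are the neighbouring TLSv1_0 and TLSv1_2 members). Defining the constants only helps when the underlying libcurl honours them (the RHEL 6.7 curl with the backport does; a stock libcurl older than 7.34.0 does not). The function name, the minimum-TLS choice and the example URL are assumptions for illustration. Note that older libcurl releases treat CURLOPT_SSLVERSION as "exactly this version" while newer ones treat it as a minimum, so test the behaviour on the curl build you actually ship.

```php
<?php
// Added example (not part of bug 1255920). Works on PHP 5.3: no short
// arrays, no null-coalescing operator.

// Workaround from comment 7, extended to all three constants. The values
// are libcurl's enum values; TLSv1_1 = 5 is stated on the bug page,
// TLSv1_0 = 4 and TLSv1_2 = 6 are the adjacent enum members.
$fallback = array(
    'CURL_SSLVERSION_TLSv1_0' => 4,
    'CURL_SSLVERSION_TLSv1_1' => 5,
    'CURL_SSLVERSION_TLSv1_2' => 6,
);
foreach ($fallback as $name => $value) {
    defined($name) or define($name, $value);
}

/**
 * Fetch $url over HTTPS with TLS 1.2 selected and the server certificate
 * verified. Returns the response body, or false after writing the libcurl
 * error to stderr (e.g. "(35) SSL connect error" when negotiation fails,
 * which is the symptom the bug report shows).
 */
function fetch_with_min_tls($url)
{
    $ch = curl_init();
    if ($ch === false) {
        fwrite(STDERR, "curl_init failed\n");
        return false;
    }
    $opts = array(
        CURLOPT_URL            => $url,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // assumed policy
        CURLOPT_SSL_VERIFYPEER => true,   // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,      // hostname must match the cert
        CURLOPT_FOLLOWLOCATION => true,   // the reporter's script follows redirects
        CURLOPT_MAXREDIRS      => 5,      // but bound the redirect chain
        CURLOPT_RETURNTRANSFER => true,   // return the body instead of printing it
        CURLOPT_TIMEOUT        => 15,
    );
    if (!curl_setopt_array($ch, $opts)) {
        fwrite(STDERR, "curl_setopt_array failed: " . curl_error($ch) . "\n");
        curl_close($ch);
        return false;
    }
    $body = curl_exec($ch);
    if ($body === false) {
        // Unlike `return "FAIL4"` at top level, this actually reports why.
        fwrite(STDERR, sprintf("curl error (%d) %s\n", curl_errno($ch), curl_error($ch)));
        curl_close($ch);
        return false;
    }
    curl_close($ch);
    return $body;
}

// Usage: php fetch_min_tls.php https://www.example.com/
$url  = isset($argv[1]) ? $argv[1] : 'https://www.example.com/'; // example URL
$body = fetch_with_min_tls($url);
if ($body !== false) {
    echo substr($body, 0, 200), "\n";
}
```

Run it against a server that requires TLS 1.1 or 1.2 (as the reporter's `curl -I --tlsv1.1` step confirms for theirs): before php-5.3.3-47.el6 the script relies on the define() fallback; after the fix the defined() check finds the extension's own constants and the fallback is never used.
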
Comment 14 errata-xmlrpc 2016-05-10 21:38:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0842.html