PHP *cURL* module now supports TLS 1.1 and TLS 1.2
Support for TLS protocol versions 1.1 and 1.2, which was previously made available in the *curl* library, has been added to the PHP *cURL* extension.
Description of problem:
TLS1.1 and TLS1.2 were included with the release of RHEL6.7. However, it does not seem that php's curl module can use the new TLS features.
Version-Release number of selected component (if applicable):
curl-7.19.7-46.el6.x86_64 & php-cli-5.3.3-46.el6_6.x86_64
How reproducible:
Every single time.
Steps to Reproduce:
1. Confirm curl version:
# rpm -q curl
curl-7.19.7-46.el6.x86_64
2. Confirm php version:
# rpm -q php-cli
php-cli-5.3.3-46.el6_6.x86_64
3. Prepare test script:
# cat test.php
<?php
$ch = curl_init();
if ($ch) {
    if ( !curl_setopt($ch, CURLOPT_URL, "https://www.<redacted>.com")
    ) return "FAIL1";
    if ( !curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1) )
        return "FAIL2";
    if ( !curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true) ) return "FAIL3";
    if ( !curl_exec($ch) ) return "FAIL4";
    curl_close($ch);
}
?>
4. Execute test.php:
# php test.php
PHP Notice: Use of undefined constant CURL_SSLVERSION_TLSv1_1 - assumed 'CURL_SSLVERSION_TLSv1_1' in /root/php-curl/test.php on line 6
# curl -I https://www.<redacted>.com
curl: (35) SSL connect error
5. Confirm requirement for TLS:
# curl -I --tlsv1.1 https://www.<redacted>.com
HTTP/1.1 302 Found
Date: Fri, 14 Aug 2015 13:51:17 GMT
Server: Apache
Location: https://www.<redacted>.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Actual results:
An SSL connect error is encountered.
Expected results:
The web page should be fetched without any SSL errors.
Additional info:
The customer that identified this issue has requested this bug remain public. Also, they have identified that applying the patch from https://github.com/php/php-src/blob/6c0feb0665f3488ffdc2ab33e9e1b8d3a1af93ae/ext/curl/interface.c#L1215-L1217 appears to demonstrate that php 5.3.3 can handle the TLS options. Below is the patch:
$ cat SOURCES/php-curl.patch
--- php-5.3.3/ext/curl/interface.c 2010-04-22 08:58:07.000000000 +0000
+++ php-5.3.3/ext/curl/interface.c.patch 2015-08-13 21:40:08.678000000 +0000
@@ -463,6 +463,9 @@
of options and which version they were introduced */
/* Constants for curl_setopt() */
+ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0);
+ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1);
+ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2);
#if LIBCURL_VERSION_NUM > 0x070a07 /* CURLOPT_IPRESOLVE is available since curl 7.10.8 */
REGISTER_CURL_CONSTANT(CURLOPT_IPRESOLVE);
REGISTER_CURL_CONSTANT(CURL_IPRESOLVE_WHATEVER);
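Review bot: The three added REGISTER_CURL_CONSTANT lines at the top of the hunk sit outside any #if, while the CURLOPT_IPRESOLVE registration directly below them is wrapped in a LIBCURL_VERSION_NUM check; if the libcurl headers used for the build do not define CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1 and CURL_SSLVERSION_TLSv1_2, interface.c will not compile. Put them behind a guard, and since the report's curl is 7.19.7 with TLS 1.1 and 1.2 support added in RHEL 6.7, a build-time check for the symbols fits better than a version-number comparison. A short comment on the added lines naming the libcurl build that provides them would match the neighbouring guard. The +++ header also names interface.c.patch rather than interface.c, so the two header lines point at different files.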
Here is partial output of a successful run from the same server following a rebuild of the RPM with inclusion of the patch:
# php test.php |head
<!DOCTYPE html>
<!-- GROUP CONDITIONAL CLASSES FOR IE - classes taken from http://<redacted2>.com/ on 2013-10-25, with additonal classes added
________________________________________________________________________________ -->
<!--[if lt IE 7]> <html lang="en-US" class="no-js ie lt-ie10 lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html lang="en-US" class="no_js ie ie-7 lt-ie10 lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html lang="en-US" class="no_js ie ie-8 lt-ie10 lt-ie9 gt-ie7"> <![endif]-->
<!--[if IE 9 ]> <html lang="en-US" class="no-js ie ie-9 lt-ie10 gt-ie7 gt-ie8 css-bg-3-of-3"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html lang="en-US" class="no-js ie gt-ie7 gt-ie8 gt-ie9 modern-browser css-bg-3-of-3"> <!--<![endif]-->
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2016-0842.html
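The notice in step 4 shows PHP substituting a string for the undefined constant rather than stopping, so the script never reaches "FAIL2". The following is an added example, not code from the bug report or from PHP: it checks whether a build's cURL extension registers the constants the patch adds and refuses to continue when the requested one is missing. The function names are hypothetical and no network connection is made.

```php
<?php
// Added example; resolve_sslversion(), pin_tls_version() and
// tls_constant_report() are hypothetical helper names.

// Look up a CURL_SSLVERSION_* constant by name. Returns null when this
// build does not register it, instead of letting PHP guess a value.
function resolve_sslversion($name)
{
    if (strpos($name, 'CURL_SSLVERSION_') !== 0 || !defined($name)) {
        return null;
    }
    return constant($name);
}

// Pin the protocol version on a handle and fail closed: a missing constant
// or a rejected option raises an exception before any request is sent.
function pin_tls_version($ch, $name)
{
    $value = resolve_sslversion($name);
    if ($value === null) {
        throw new RuntimeException("$name is not defined by this PHP cURL build");
    }
    if (!curl_setopt($ch, CURLOPT_SSLVERSION, $value)) {
        throw new RuntimeException("curl_setopt() rejected $name");
    }
    return $value;
}

// Map each constant added by the patch to its value, or null if absent.
function tls_constant_report()
{
    $report = array();
    foreach (array('TLSv1_0', 'TLSv1_1', 'TLSv1_2') as $suffix) {
        $report["CURL_SSLVERSION_$suffix"] = resolve_sslversion("CURL_SSLVERSION_$suffix");
    }
    return $report;
}

if (extension_loaded('curl')) {
    $ver = curl_version();
    echo "libcurl {$ver['version']} / {$ver['ssl_version']}\n";
    foreach (tls_constant_report() as $name => $value) {
        echo $name, ' => ', $value === null ? 'missing' : $value, "\n";
    }
    try {
        pin_tls_version(curl_init(), 'CURL_SSLVERSION_TLSv1_2');
        echo "handle pinned to TLS 1.2\n";
    } catch (RuntimeException $e) {
        echo 'refusing to connect: ', $e->getMessage(), "\n";
    }
}
```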