Bug 1255920 - No TLS1.1 or TLS1.2 support for RHEL6.7's php curl module
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: php
Version: 6.7
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Web Stack Team
QA Contact: Petr Šplíchal
Docs Contact: Lenka Spackova
Keywords: EasyFix, Patch, Reproducer
Duplicates: 1255573
Depends On: 1012136
Blocks: 1172231 1253743 1254457 1269913 1291667 1310222
Reported: 2015-08-21 17:44 EDT by Andrew Sanders
Modified: 2016-06-28 08:19 EDT
CC List: 11 users
Fixed In Version: php-5.3.3-47.el6
Doc Type: Release Note
Doc Text:
PHP *cURL* module now supports TLS 1.1 and TLS 1.2
Support for the TLS protocol versions 1.1 and 1.2, which was previously made available in the *curl* library, has been added to the PHP *cURL* extension.
Clones: 1291667
Last Closed: 2016-05-10 17:38:23 EDT
Type: Bug
Attachments: None
Description Andrew Sanders 2015-08-21 17:44:55 EDT
Description of problem:
TLS1.1 and TLS1.2 were included with the release of RHEL6.7.  However, it does not seem that php's curl module can use the new TLS features.

Version-Release number of selected component (if applicable):
curl-7.19.7-46.el6.x86_64 & php-cli-5.3.3-46.el6_6.x86_64

How reproducible:
Every single time.


Steps to Reproduce:
1. Confirm curl version:
# rpm -q curl
curl-7.19.7-46.el6.x86_64


2. Confirm php version:

# rpm -q php-cli
php-cli-5.3.3-46.el6_6.x86_64


3. Prepare test script:

# cat test.php
<?php
 $ch = curl_init();
 if ($ch) {
   if ( !curl_setopt($ch, CURLOPT_URL, "https://www.<redacted>.com")
) return "FAIL1";
   if ( !curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1) )
return "FAIL2";
   if ( !curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true) ) return "FAIL3";
   if ( !curl_exec($ch) ) return "FAIL4";
   curl_close($ch);
 }
?>


4. Execute test.php:

# php test.php
PHP Notice:  Use of undefined constant CURL_SSLVERSION_TLSv1_1 - assumed 'CURL_SSLVERSION_TLSv1_1' in /root/php-curl/test.php on line 6

# curl -I https://www.<redacted>.com
curl: (35) SSL connect error


5. Confirm requirement for TLS:

# curl -I --tlsv1.1 https://www.<redacted>.com
HTTP/1.1 302 Found
Date: Fri, 14 Aug 2015 13:51:17 GMT
Server: Apache
Location: https://www.<redacted>.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8



Actual results:
An SSL connect error is encountered.



Expected results:
The web page should be fetched without any SSL errors.



Additional info:

The customer that identified this issue has requested this bug remain public.  Also, they have identified that applying the patch from https://github.com/php/php-src/blob/6c0feb0665f3488ffdc2ab33e9e1b8d3a1af93ae/ext/curl/interface.c#L1215-L1217 appears to demonstrate that php 5.3.3 can handle the TLS options.  Below is the patch:

$ cat SOURCES/php-curl.patch
--- php-5.3.3/ext/curl/interface.c      2010-04-22 08:58:07.000000000 +0000
+++ php-5.3.3/ext/curl/interface.c.patch        2015-08-13 21:40:08.678000000 +0000
@@ -463,6 +463,9 @@
           of options and which version they were introduced */

        /* Constants for curl_setopt() */
+        REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0);
+        REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1);
+        REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2);
 #if LIBCURL_VERSION_NUM > 0x070a07 /* CURLOPT_IPRESOLVE is available since curl 7.10.8 */
        REGISTER_CURL_CONSTANT(CURLOPT_IPRESOLVE);
        REGISTER_CURL_CONSTANT(CURL_IPRESOLVE_WHATEVER);
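Review bot: the three added REGISTER_CURL_CONSTANT lines carry no LIBCURL_VERSION_NUM guard, unlike the CURLOPT_IPRESOLVE block that follows them, so against a libcurl whose curl.h predates these enum values (upstream added them in 7.34.0, as comment 6 notes) the build fails with undefined identifiers instead of simply omitting the constants. Wrap them in `#if LIBCURL_VERSION_NUM >= 0x072200` ... `#endif` to match the existing pattern; because RHEL's curl ships the feature as a backport under a lower version number (bug #1012136), a build for that package needs the threshold lowered to the backported release rather than dropped. Separately, the `+++` header names `interface.c.patch` while `---` names `interface.c`; regenerate the diff so both headers name the same file, otherwise `patch -p1` has to guess which path to apply to.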

Here is partial output of a successful run from the same server following a rebuild of the RPM with inclusion of the patch:

# php test.php |head

<!DOCTYPE html>

<!-- GROUP CONDITIONAL CLASSES FOR IE - classes taken from http://<redacted2>.com/ on 2013-10-25, with additonal classes added
    ________________________________________________________________________________ -->
<!--[if lt IE 7]>      <html lang="en-US" class="no-js ie lt-ie10 lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]>         <html lang="en-US" class="no_js ie ie-7 lt-ie10 lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>         <html lang="en-US" class="no_js ie ie-8 lt-ie10 lt-ie9 gt-ie7"> <![endif]-->
<!--[if IE 9 ]>        <html lang="en-US" class="no-js ie ie-9 lt-ie10 gt-ie7 gt-ie8 css-bg-3-of-3"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html lang="en-US" class="no-js ie gt-ie7 gt-ie8 gt-ie9 modern-browser css-bg-3-of-3"> <!--<![endif]-->
Comment 1 Andrew Sanders 2015-08-21 17:45:13 EDT
*** Bug 1255573 has been marked as a duplicate of this bug. ***
Comment 6 Remi Collet 2015-12-14 05:23:28 EST
Notice: these constants only exist in PHP 5.5 and curl 7.34.0

Thanks to the backport in the RH curl version (bug #1012136), these are available.
Comment 7 Remi Collet 2015-12-14 07:47:53 EST
Notice: a possible workaround is

defined('CURL_SSLVERSION_TLSv1_1') or define('CURL_SSLVERSION_TLSv1_1', 5);
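An added example, not code from the bug report or from the php package: a hardened version of the reporter's test.php that builds on Remi Collet's workaround in comment 7, registering all three constants when the PHP build lacks them and keeping certificate verification on. Assumptions: the numeric values 4, 5 and 6 for CURL_SSLVERSION_TLSv1_0/_1/_2 are libcurl's enum values (comment 7 gives 5 for TLSv1_1), the URL is a placeholder, and the function names fetch_with_min_tls and libcurl_version_at_least are chosen here.

```php
<?php
// Added example, not code from the bug report or the php package.
// Builds on Remi Collet's workaround (comment 7): register fallback
// constants when the PHP build (e.g. php-5.3.3-46.el6) lacks them.
// Assumption: 4/5/6 are libcurl's CURL_SSLVERSION_TLSv1_0/_1/_2 enum
// values (comment 7 confirms 5 for TLSv1_1).
defined('CURL_SSLVERSION_TLSv1_0') or define('CURL_SSLVERSION_TLSv1_0', 4);
defined('CURL_SSLVERSION_TLSv1_1') or define('CURL_SSLVERSION_TLSv1_1', 5);
defined('CURL_SSLVERSION_TLSv1_2') or define('CURL_SSLVERSION_TLSv1_2', 6);

/**
 * Advisory check only: upstream libcurl learned these values in 7.34.0
 * (0x072200), but a distro backport (RHEL's curl, bug #1012136) keeps a
 * lower version number while still honouring them, so a false result
 * here does not prove the option is ignored.
 */
function libcurl_version_at_least($hex)
{
    $v = curl_version();
    return isset($v['version_number']) && $v['version_number'] >= $hex;
}

/**
 * Fetch $url over HTTPS without negotiating below $minTls (one of the
 * CURL_SSLVERSION_TLSv1_* values). Peer and hostname verification stay
 * on, and redirects may only lead to https://.
 * Returns array('ok' => bool, 'http_code' => int, 'error' => string, 'body' => string).
 */
function fetch_with_min_tls($url, $minTls = CURL_SSLVERSION_TLSv1_2)
{
    $result = array('ok' => false, 'http_code' => 0, 'error' => '', 'body' => '');
    $ch = curl_init();
    if ($ch === false) {
        $result['error'] = 'curl_init() failed';
        return $result;
    }
    $opts = array(
        CURLOPT_URL             => $url,
        CURLOPT_SSLVERSION      => $minTls,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_TIMEOUT         => 15,
    );
    if (!curl_setopt_array($ch, $opts)) {
        // curl_setopt_array() stops at the first option libcurl rejects
        $result['error'] = 'curl_setopt_array() failed: ' . curl_error($ch);
        curl_close($ch);
        return $result;
    }
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $result['http_code'] = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false || $errno !== 0) {
        // e.g. "(35) SSL connect error" when the peer refuses the handshake
        $result['error'] = '(' . $errno . ') ' . curl_error($ch);
    } else {
        $result['ok']   = true;
        $result['body'] = $body;
    }
    curl_close($ch);
    return $result;
}

// Usage: php tls_fetch.php https://example.invalid/   (placeholder URL)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $cv = curl_version();
    printf("libcurl %s (version_number 0x%06x, >= 7.34.0: %s)\n",
        $cv['version'], $cv['version_number'],
        libcurl_version_at_least(0x072200) ? 'yes' : 'no, may be a backport');
    $r = fetch_with_min_tls($argv[1], CURL_SSLVERSION_TLSv1_1);
    echo $r['ok'] ? "OK: HTTP {$r['http_code']}\n" : "FAIL: {$r['error']}\n";
}
```

Silent fallback is the failure mode to keep in mind: on a libcurl that predates 7.34.0 and carries no backport, curl_setopt() can still return true for the numeric value while the library negotiates its default protocol version, so the only reliable confirmation is the one the reporter used in step 5, a request to a server that rejects anything older than the version asked for.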
Comment 14 errata-xmlrpc 2016-05-10 17:38:23 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0842.html
