Red Hat Bugzilla – Bug 1255920
No TLS1.1 or TLS1.2 support for RHEL6.7's php curl module
Last modified: 2016-06-28 08:19:28 EDT
Description of problem:
TLS1.1 and TLS1.2 were included with the release of RHEL6.7. However, it does not seem that php's curl module can use the new TLS features.

Version-Release number of selected component (if applicable):
curl-7.19.7-46.el6.x86_64 & php-cli-5.3.3-46.el6_6.x86_64

How reproducible:
Every single time.

Steps to Reproduce:
1. Confirm curl version:
# rpm -q curl
curl-7.19.7-46.el6.x86_64

2. Confirm php version:
# rpm -q php-cli
php-cli-5.3.3-46.el6_6.x86_64

3. Prepare test script:
# cat test.php
<?php
$ch = curl_init();
if ($ch) {
    if ( !curl_setopt($ch, CURLOPT_URL, "https://www.<redacted>.com") )
        return "FAIL1";
    if ( !curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1) )
        return "FAIL2";
    if ( !curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true) )
        return "FAIL3";
    if ( !curl_exec($ch) )
        return "FAIL4";
    curl_close($ch);
}
?>

4. Execute test.php:
# php test.php
PHP Notice:  Use of undefined constant CURL_SSLVERSION_TLSv1_1 - assumed 'CURL_SSLVERSION_TLSv1_1' in /root/php-curl/test.php on line 6
# curl -I https://www.<redacted>.com
curl: (35) SSL connect error

5. Confirm requirement for TLS:
# curl -I --tlsv1.1 https://www.<redacted>.com
HTTP/1.1 302 Found
Date: Fri, 14 Aug 2015 13:51:17 GMT
Server: Apache
Location: https://www.<redacted>.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8

Actual results:
An SSL connect error is encountered.

Expected results:
The web page should be fetched without any SSL errors.

Additional info:
The customer that identified this issue has requested this bug remain public. Also, they have identified that applying the patch from https://github.com/php/php-src/blob/6c0feb0665f3488ffdc2ab33e9e1b8d3a1af93ae/ext/curl/interface.c#L1215-L1217 appears to demonstrate that php 5.3.3 can handle the TLS options. Below is the patch:

$ cat SOURCES/php-curl.patch
--- php-5.3.3/ext/curl/interface.c 2010-04-22 08:58:07.000000000 +0000 +++ php-5.3.3/ext/curl/interface.c.patch 2015-08-13 21:40:08.678000000 +0000 
@@ -463,6 +463,9 @@ of options and which version they were introduced */ /* Constants for curl_setopt() */ + REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0); + REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1); + REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2); #if LIBCURL_VERSION_NUM > 0x070a07 /* CURLOPT_IPRESOLVE is available since curl 7.10.8 */ REGISTER_CURL_CONSTANT(CURLOPT_IPRESOLVE); REGISTER_CURL_CONSTANT(CURL_IPRESOLVE_WHATEVER);

Here is partial output of a successful run from the same server following a rebuild of the RPM with inclusion of the patch:

# php test.php |head
<!DOCTYPE html>
<!--
GROUP CONDITIONAL CLASSES FOR IE - classes taken from http://<redacted2>.com/ on 2013-10-25, with additonal classes added
________________________________________________________________________________
-->
<!--[if lt IE 7]> <html lang="en-US" class="no-js ie lt-ie10 lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html lang="en-US" class="no_js ie ie-7 lt-ie10 lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html lang="en-US" class="no_js ie ie-8 lt-ie10 lt-ie9 gt-ie7"> <![endif]-->
<!--[if IE 9 ]> <html lang="en-US" class="no-js ie ie-9 lt-ie10 gt-ie7 gt-ie8 css-bg-3-of-3"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html lang="en-US" class="no-js ie gt-ie7 gt-ie8 gt-ie9 modern-browser css-bg-3-of-3"> <!--<![endif]-->
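Review bot: The three REGISTER_CURL_CONSTANT lines added at interface.c line 463 sit above the `#if LIBCURL_VERSION_NUM > 0x070a07` guard and are registered unconditionally, while the neighbouring CURLOPT_IPRESOLVE constants are only registered when the libcurl headers are new enough. Building against a libcurl whose headers do not declare CURL_SSLVERSION_TLSv1_0/1_1/1_2 would fail to compile. A plain version check is not sufficient here, because the distribution's curl 7.19.7 carries these values only as a backport, so the block should either be gated on a build-time check for the symbols or carry a comment stating that it depends on the patched curl package. Separately, the `+++` header names the target as interface.c.patch rather than interface.c, which is worth normalising before the patch goes into the spec file.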
*** Bug 1255573 has been marked as a duplicate of this bug. ***
Notice: these constants only exist in PHP 5.5 and curl 7.34.0. Thanks to the backport in the RH curl version (bug #1012136), these are available.
Notice: a possible workaround is

defined('CURL_SSLVERSION_TLSv1_1') or define('CURL_SSLVERSION_TLSv1_1', 5);
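The workaround from the comment above, extended to all three constants the patch registers and to reporting the libcurl error, as an added example that is not part of the bug report or of PHP's source. Assumptions: the values 4 and 6 are libcurl's enum values for TLS 1.0 and 1.2 (5 is the one quoted in the comment), `fetch_with_tls()` is a hypothetical helper, and the URL is passed on the command line. It only helps when the underlying libcurl honours these values, as the RH curl build does through the backport mentioned above.

```php
<?php
// Numeric values of libcurl's CURL_SSLVERSION_* enum (assumption for 4 and 6;
// 5 is the value given in the workaround comment).
$tlsConstants = array(
    'CURL_SSLVERSION_TLSv1_0' => 4,
    'CURL_SSLVERSION_TLSv1_1' => 5,
    'CURL_SSLVERSION_TLSv1_2' => 6,
);

// Define only what this php-curl build failed to register, and remember which.
$missing = array();
foreach ($tlsConstants as $name => $value) {
    if (!defined($name)) {
        define($name, $value);
        $missing[] = $name;
    }
}

// Report the linked libcurl and TLS backend so the result can be compared
// against the package versions listed in the bug description.
$info = curl_version();
printf("libcurl %s (%s)\n", $info['version'], $info['ssl_version']);
printf("constants missing from php-curl: %s\n",
    $missing ? implode(', ', $missing) : 'none');

// Hypothetical helper: fetch $url with the requested protocol version and
// surface the libcurl error instead of a bare false from curl_exec().
function fetch_with_tls($url, $sslVersion)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    curl_setopt($ch, CURLOPT_SSLVERSION, $sslVersion);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);  // keep certificate checks on
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $body = curl_exec($ch);
    $error = ($body === false)
        ? sprintf('curl error %d: %s', curl_errno($ch), curl_error($ch))
        : null;
    curl_close($ch);
    if ($error !== null) {
        throw new RuntimeException($error);
    }
    return $body;
}

// Without a URL argument the script only prints the diagnostics above.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    echo strlen(fetch_with_tls($argv[1], CURL_SSLVERSION_TLSv1_2)), " bytes\n";
}
```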
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0842.html