Bug 1255920 - No TLS1.1 or TLS1.2 support for RHEL6.7's php curl module
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: php
Version: 6.7
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Web Stack Team
QA Contact: Petr Šplíchal
Lenka Špačková
Duplicates: 1255573
Depends On: 1012136
Blocks: 1172231 1253743 1254457 1269913 1291667 1310222
Reported: 2015-08-21 21:44 UTC by Andrew Sanders
Modified: 2019-10-10 10:06 UTC

Fixed In Version: php-5.3.3-47.el6
Doc Type: Release Note
Doc Text:
PHP *cURL* module now supports TLS 1.1 and TLS 1.2
Support for the TLS protocol version 1.1 and 1.2, which was previously made available in the *curl* library, has been added to the PHP *cURL* extension.
Clone Of:
: 1291667 (view as bug list)
Last Closed: 2016-05-10 21:38:23 UTC
Target Upstream Version:


System | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:0842 | normal | SHIPPED_LIVE | php bug fix update | 2016-05-10 22:42:34 UTC

Description Andrew Sanders 2015-08-21 21:44:55 UTC
Description of problem:
TLS1.1 and TLS1.2 were included with the release of RHEL6.7.  However, it does not seem that php's curl module can use the new TLS features.

Version-Release number of selected component (if applicable):
curl-7.19.7-46.el6.x86_64 & php-cli-5.3.3-46.el6_6.x86_64

How reproducible:
Every single time.

Steps to Reproduce:
1. Confirm curl version:
# rpm -q curl

2. Confirm php version:

# rpm -q php-cli

3. Prepare test script:

# cat test.php
<?php
$ch = curl_init();
if ($ch) {
    if (!curl_setopt($ch, CURLOPT_URL, "https://www.<redacted>.com"))
        return "FAIL1";
    if (!curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1))
        return "FAIL2";
    if (!curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true)) return "FAIL3";
    if (!curl_exec($ch)) return "FAIL4";
    curl_close($ch); // release the handle once the transfer is done
}

4. Execute test.php:

# php test.php
PHP Notice:  Use of undefined constant CURL_SSLVERSION_TLSv1_1 - assumed 'CURL_SSLVERSION_TLSv1_1' in /root/php-curl/test.php on line 6

# curl -I https://www.<redacted>.com
curl: (35) SSL connect error

5. Confirm requirement for TLS:

# curl -I --tlsv1.1 https://www.<redacted>.com
HTTP/1.1 302 Found
Date: Fri, 14 Aug 2015 13:51:17 GMT
Server: Apache
Location: https://www.<redacted>.com
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8

Actual results:
An SSL connect error is encountered.

Expected results:
The web page should be fetched without any SSL errors.

Additional info:

The customer that identified this issue has requested this bug remain public.  Also, they have identified that applying the patch from https://github.com/php/php-src/blob/6c0feb0665f3488ffdc2ab33e9e1b8d3a1af93ae/ext/curl/interface.c#L1215-L1217 appears to demonstrate that php 5.3.3 can handle the TLS options.  Below is the patch:

$ cat SOURCES/php-curl.patch
--- php-5.3.3/ext/curl/interface.c      2010-04-22 08:58:07.000000000 +0000
+++ php-5.3.3/ext/curl/interface.c.patch        2015-08-13 21:40:08.678000000 +0000
@@ -463,6 +463,9 @@
           of options and which version they were introduced */

        /* Constants for curl_setopt() */
 #if LIBCURL_VERSION_NUM > 0x070a07 /* CURLOPT_IPRESOLVE is available since curl 7.10.8 */
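
Review bot: The hunk header `@@ -463,6 +463,9 @@` declares three added lines, but no `+` lines appear in the hunk as posted; only the context around the "Constants for curl_setopt()" comment is visible, so the change can be neither applied nor checked. Please repost the hunk with its added lines intact. The `+++` header also names `interface.c.patch` rather than `interface.c`, so the diff should be regenerated with matching old and new paths. Because the neighbouring constants are gated on `LIBCURL_VERSION_NUM`, a short comment beside the new lines should say how they are guarded when the installed libcurl reports an older version number.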

Here is partial output of a successful run from the same server following a rebuild of the RPM with inclusion of the patch:

# php test.php |head

<!DOCTYPE html>

<!-- GROUP CONDITIONAL CLASSES FOR IE - classes taken from http://<redacted2>.com/ on 2013-10-25, with additonal classes added
    ________________________________________________________________________________ -->
<!--[if lt IE 7]>      <html lang="en-US" class="no-js ie lt-ie10 lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]>         <html lang="en-US" class="no_js ie ie-7 lt-ie10 lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]>         <html lang="en-US" class="no_js ie ie-8 lt-ie10 lt-ie9 gt-ie7"> <![endif]-->
<!--[if IE 9 ]>        <html lang="en-US" class="no-js ie ie-9 lt-ie10 gt-ie7 gt-ie8 css-bg-3-of-3"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html lang="en-US" class="no-js ie gt-ie7 gt-ie8 gt-ie9 modern-browser css-bg-3-of-3"> <!--<![endif]-->

Comment 1 Andrew Sanders 2015-08-21 21:45:13 UTC
*** Bug 1255573 has been marked as a duplicate of this bug. ***

Comment 6 Remi Collet 2015-12-14 10:23:28 UTC
Notice: these constants only exist in PHP 5.5 and curl 7.34.0

Thanks to the backport in the RH curl version (bug #1012136) these are available.

Comment 7 Remi Collet 2015-12-14 12:47:53 UTC
Notice: a possible workaround is

defined('CURL_SSLVERSION_TLSv1_1') or define('CURL_SSLVERSION_TLSv1_1', 5);
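
Added example (not from the bug report and not PHP or Red Hat code): the workaround from comment 7 extended to TLS 1.2, with the transfer wrapped so that a failed handshake surfaces as a libcurl error. It assumes the installed libcurl accepts these values, as the RHEL curl backport from bug #1012136 does; `fetch_with_tls` and the host name are hypothetical.

```php
<?php
// Added example. 5 and 6 are libcurl's enum values for
// CURL_SSLVERSION_TLSv1_1 and CURL_SSLVERSION_TLSv1_2.
defined('CURL_SSLVERSION_TLSv1_1') or define('CURL_SSLVERSION_TLSv1_1', 5);
defined('CURL_SSLVERSION_TLSv1_2') or define('CURL_SSLVERSION_TLSv1_2', 6);

// Fetch $url with a pinned CURL_SSLVERSION_* value and report the
// libcurl error instead of failing silently (PHP 5.3-compatible syntax).
function fetch_with_tls($url, $sslVersion)
{
    $ch = curl_init();
    if ($ch === false) {
        return array('ok' => false, 'body' => null, 'error' => 'curl_init failed');
    }
    $opts = array(
        CURLOPT_URL            => $url,
        CURLOPT_SSLVERSION     => $sslVersion,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    );
    foreach ($opts as $opt => $value) {
        if (!curl_setopt($ch, $opt, $value)) {
            curl_close($ch);
            return array('ok' => false, 'body' => null,
                         'error' => "curl_setopt rejected option $opt");
        }
    }
    $body = curl_exec($ch);
    if ($body === false) {
        // e.g. errno 35 (SSL connect error) when the handshake fails
        $result = array('ok' => false, 'body' => null,
                        'error' => curl_errno($ch) . ': ' . curl_error($ch));
    } else {
        $result = array('ok' => true, 'body' => $body, 'error' => null);
    }
    curl_close($ch);
    return $result;
}

// Show which TLS backend PHP's curl extension is linked against.
$v = curl_version();
echo "libcurl {$v['version']} / {$v['ssl_version']}\n";

// Hypothetical host: replace with the server under test.
$r = fetch_with_tls('https://tls-test.example/', CURL_SSLVERSION_TLSv1_2);
echo $r['ok'] ? "TLS 1.2 fetch OK\n" : "TLS 1.2 fetch failed: {$r['error']}\n";
```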

Comment 14 errata-xmlrpc 2016-05-10 21:38:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

