|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78362 cURL doesn't respect CURLOPT_SSLVERSION
Submitted: 2019-08-01 18:05 UTC Modified: 2019-08-01 18:11 UTC
From: mah at jump-ing dot de Assigned:
Status: Not a bug Package: cURL related
PHP Version: 7.3.8 OS: Ubuntu 19.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: mah at jump-ing dot de
New email:
PHP Version: OS:


 [2019-08-01 18:05 UTC] mah at jump-ing dot de
Trying to connect with an intentionally lower TLS version, set by CURLOPT_SSLVERSION, connects with the highest supported TLS version instead. This makes the CURLOPT_SSLVERSION setting pretty moot.

Test script:

echo 'PHP version: ' . phpversion() . PHP_EOL;
echo 'cURL version: ' . curl_version()['version'] . PHP_EOL;

$ch = curl_init('');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);


$data = curl_exec($ch);

$json = json_decode($data);

echo ($data ? $json->tls_version : 'curl request failed') . PHP_EOL;

Expected result:
This output:

PHP version:
cURL version: 7.64.0
TLS 1.1

Actual result:
This output (last line), no matter what's choosen for CURLOPT_SSLVERSION:

PHP ...
cURL ...
TLS 1.3


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-08-01 18:09 UTC] mah at jump-ing dot de
See also
 [2019-08-01 18:11 UTC]
-Status: Open +Status: Not a bug
 [2019-08-01 18:11 UTC]
to see what that constant actually means.
 [2019-08-01 18:30 UTC] mah at jump-ing dot de
Thanks. It's a documentation bug then, neither mentions this to be the minimum accepted TLS version, nor CURL_SSLVERSION_MAX_xxx at all. I'll file one there.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed May 12 22:01:23 2021 UTC