php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78362 cURL doesn't respect CURLOPT_SSLVERSION
Submitted: 2019-08-01 18:05 UTC Modified: 2019-08-01 18:11 UTC
From: mah at jump-ing dot de Assigned:
Status: Not a bug Package: cURL related
PHP Version: 7.3.8 OS: Ubuntu 19.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
33 - 12 = ?
Subscribe to this entry?

 
 [2019-08-01 18:05 UTC] mah at jump-ing dot de
Description:
------------
Trying to connect with an intentionally lower TLS version, set by CURLOPT_SSLVERSION, connects with the highest supported TLS version instead. This makes the CURLOPT_SSLVERSION setting pretty moot.



Test script:
---------------
<?php

echo 'PHP version: ' . phpversion() . PHP_EOL;
echo 'cURL version: ' . curl_version()['version'] . PHP_EOL;

$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

//curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1);
//curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

$data = curl_exec($ch);
curl_close($ch);

$json = json_decode($data);

echo ($data ? $json->tls_version : 'curl request failed') . PHP_EOL;


Expected result:
----------------
This output:

PHP version: 7.3.7-2+ubuntu19.04.1+deb.sury.org+1
cURL version: 7.64.0
TLS 1.1


Actual result:
--------------
This output (last line), no matter what's choosen for CURLOPT_SSLVERSION:

PHP ...
cURL ...
TLS 1.3


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-08-01 18:09 UTC] mah at jump-ing dot de
See also https://stackoverflow.com/questions/57297524/php-curl-enforce-low-tls-version
 [2019-08-01 18:11 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2019-08-01 18:11 UTC] requinix@php.net
Check
  https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
to see what that constant actually means.
 [2019-08-01 18:30 UTC] mah at jump-ing dot de
Thanks. It's a documentation bug then, https://www.php.net/manual/en/function.curl-setopt.php neither mentions this to be the minimum accepted TLS version, nor CURL_SSLVERSION_MAX_xxx at all. I'll file one there.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 17:01:29 2024 UTC