PHP and OpenSSL / cURL / TLS 1.2 setup
 
To verify cURL setup in PHP:
$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);
$json = json_decode($data);
echo $json->tls_version;

This should return the TLS version used, e.g. TLS 1.2. If it is lower than 1.2, the setup is outdated and not compliant with current security requirements.
If nothing is returned, start debugging curl in Terminal:
/usr/local/curl-7.62.0/bin/curl -v https://www.howsmyssl.com/a/check
This could return some error like this:
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

To fix this problem, export all root CAs from Keychain to a file:
Applications -> Keychain Access -> System Roots -> Select all -> Export -> Copy to /etc/ssl/cert.pem
And configure curl to use these CAs as its CA bundle:
./configure --prefix=/usr/local/curl-7.62.0 --with-ssl=/usr/local/openssl-1.1.1 --with-ca-bundle=/etc/ssl/cert.pem

If cURL works on the command line but returns nothing in PHP, make sure that curl_exec is not blocked by php.ini (the disable_functions directive).

To print cURL version (and SSL version used by cURL) use this function in PHP:
print_r(curl_version());


To test OpenSSL/TLS 1.2, issue in Terminal:
/usr/local/Cellar/openssl/1.0.2p/bin/openssl s_client -connect google.com:443 -tls1_2


If a certificate chain is displayed, your OpenSSL version can connect by TLS 1.2.

The following PHP command shows the SSL backend and version used by cURL (the [ssl_version] entry):
print_r(curl_version());


In the case of [ssl_version] => SecureTransport (e.g. on Mac OS X), curl might not work as expected. It can help to build and install curl against OpenSSL like this:
./configure --prefix=/usr/local/curl-x.x.x --with-ssl=/usr/local/Cellar/openssl/x.x.x

This will install curl with OpenSSL support and should fix unexpected errors, and result in [ssl_version] => OpenSSL/x.x.x
(with x.x.x being an actual version number)
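The following is an added example, not code from the original note: it combines the checks above (the howsmyssl TLS version test, the disable_functions check, and the [ssl_version] backend check) into two PHP functions with proper error handling. Certificate verification stays enabled, so a broken CA bundle surfaces as cURL error 60 in the result instead of being silently ignored. The only assumptions are the howsmyssl.com JSON fields tls_version and rating, which are part of that service's documented response.

```php
<?php
// Added example (not part of the original note): a self-contained TLS health check
// for PHP's cURL extension. It reports which SSL backend cURL was built against,
// refuses to continue if curl_exec is listed in php.ini's disable_functions,
// keeps certificate verification on, sets TLS 1.2 as the minimum protocol and
// reads the negotiated version back from howsmyssl.com.

function curl_backend_report(): array
{
    $v = curl_version();
    $backend = $v['ssl_version'];   // e.g. "OpenSSL/1.1.1" or "SecureTransport"
    return [
        'curl_version' => $v['version'],
        'ssl_backend'  => $backend,
        // SecureTransport is the macOS backend the note above warns about
        'uses_openssl' => stripos($backend, 'OpenSSL') === 0,
    ];
}

function check_tls(string $url = 'https://www.howsmyssl.com/a/check'): array
{
    // A function listed in disable_functions is reported as missing by function_exists()
    if (!function_exists('curl_exec')) {
        return ['ok' => false, 'error' => 'curl_exec is disabled in php.ini (disable_functions)'];
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,                    // do not disable this to "fix" CA errors
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // minimum version, newer is still allowed
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        // errno 60 = peer certificate could not be verified: the CA-bundle case described above
        return ['ok' => false, 'curl_errno' => $errno, 'error' => $error];
    }

    $json = json_decode($body, true);
    if (!is_array($json) || !isset($json['tls_version'])) {
        return ['ok' => false, 'error' => 'unexpected response body'];
    }

    // tls_version looks like "TLS 1.2"; pull out the number and compare it as a version
    if (!preg_match('/(\d+\.\d+)/', $json['tls_version'], $m)) {
        return ['ok' => false, 'error' => 'could not parse tls_version: ' . $json['tls_version']];
    }
    return [
        'ok'          => version_compare($m[1], '1.2', '>='),
        'tls_version' => $json['tls_version'],
        'rating'      => $json['rating'] ?? null,   // howsmyssl's own verdict, e.g. "Probably Okay"
    ];
}

print_r(curl_backend_report());
print_r(check_tls());
```

Run it with php check_tls.php (or from a web request) and inspect the two arrays: a SecureTransport backend, a disabled curl_exec, a CA bundle cURL cannot read, and a negotiated version below TLS 1.2 each show up as a distinct, named failure rather than as an empty page.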



If you encounter an IPv6 issue, this could look like the following:
curl -v https://host:port

*  Trying xxxx:xxx:x:xx::x...
* TCP_NODELAY set
* Connected to host (xxxx:xxx:x:xx::x) port xxx (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /usr/local/ssl/certs/cacert.pem
 CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to host:port
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to host:port


Check whether forcing IPv4 fixes the problem:
curl -v https://epp.nic.ch:700 --ipv4
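For the same IPv6 problem inside PHP, here is an added example (not from the original note) of the equivalent of curl's --ipv4 switch: CURLOPT_IPRESOLVE. It tries the normal dual-stack connection first and retries with IPv4-only name resolution only when the failure is a connect or TLS-connect error like the SSL_ERROR_SYSCALL output above, so unrelated errors are not masked. The URL passed in is the caller's; https://example.invalid/ below is a placeholder.

```php
<?php
// Added example (not part of the original note): PHP equivalent of "curl --ipv4".
// Tries the default (dual-stack) connection and, only when the connection or the
// TLS handshake fails at the transport level, retries with IPv4-only resolution.

function fetch_with_ipv4_fallback(string $url): array
{
    $attempts = [
        'default' => CURL_IPRESOLVE_WHATEVER,   // let the resolver pick (usually IPv6 first)
        'ipv4'    => CURL_IPRESOLVE_V4,         // same effect as "curl --ipv4"
    ];
    foreach ($attempts as $label => $resolve) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_IPRESOLVE      => $resolve,
            CURLOPT_CONNECTTIMEOUT => 10,
            CURLOPT_TIMEOUT        => 20,
        ]);
        $body  = curl_exec($ch);
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        $ip    = curl_getinfo($ch, CURLINFO_PRIMARY_IP);   // which address was actually used
        curl_close($ch);

        if ($body !== false) {
            return ['ok' => true, 'via' => $label, 'peer_ip' => $ip, 'body' => $body];
        }
        // CURLE_COULDNT_CONNECT (7) and CURLE_SSL_CONNECT_ERROR (35, the SSL_ERROR_SYSCALL
        // case shown above) are worth retrying over IPv4; anything else is a different problem
        if (!in_array($errno, [CURLE_COULDNT_CONNECT, CURLE_SSL_CONNECT_ERROR], true)) {
            return ['ok' => false, 'via' => $label, 'curl_errno' => $errno, 'error' => $error];
        }
        error_log("attempt '$label' failed ($errno): $error");
    }
    return ['ok' => false, 'error' => 'both dual-stack and IPv4-only attempts failed'];
}

// Placeholder URL; replace with the host that fails over IPv6 in your environment.
$result = fetch_with_ipv4_fallback('https://example.invalid/');
unset($result['body']);
print_r($result);
```

If the result says 'via' => 'ipv4' and a peer_ip that is an IPv4 address, the IPv6 path is the culprit and the fix belongs in the network or resolver configuration rather than in the application; the fallback only makes the symptom visible and keeps the request working meanwhile.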


 
admin / Dec 07, 2018
2004 - 2023 / lookass.ch
makememad@lookass.ch