Topic: php-curl specific ciphers for TLSv1.2 (SHA384, CHACHA20-POLY1305)
Hi,
I am using an API in a production environment that needs strict TLS security due to PCI requirements (seems to be stricter than regular TLSv1.2)
They have provided a list of ciphers excluding which no other ciphers will be supported - i.e. connections will be refused:
"ECDHE-ECDSA-AES128-GCM-SHA256"
"ECDHE-RSA-AES128-GCM-SHA256" -- only this one works right now
"ECDHE-ECDSA-AES256-GCM-SHA384"
"ECDHE-RSA-AES256-GCM-SHA384"
"ECDHE-ECDSA-AES256-SHA384"
"ECDHE-RSA-AES256-SHA384"
"ECDHE-ECDSA-CHACHA20-POLY1305"
"ECDHE-RSA-CHACHA20-POLY1305"
"ECDHE-ECDSA-AES128-SHA256"
"ECDHE-RSA-AES128-SHA256"
I want some more (at least 3-4) working as well.
First, here is my detailed server configuration:
------------------------------------------------
I have php70-php* from the Remi Repo for Centos 6 (64-bit)
Some phpinfo() outputs:
----------------
PHP Version 7.0.11
Linux 2.6.32-642.1.1.el6.centos.plus.x86_64 #1 SMP Wed Jun 1 03:11:50 UTC 2016 x86_64
Loaded Configuration File : /etc/opt/remi/php70/php.ini
PHP API : 20151012
PHP Extension : 20151012
Zend Extension : 320151012
Zend Extension Build : API320151012,NTS
PHP Extension Build : API20151012,NTS
Debug Build : no
Registered Stream Socket Transports : tcp, udp, unix, udg, ssl, sslv3, sslv2, tls, tlsv1.0, tlsv1.1, tlsv1.2
curl:
------------
cURL support : enabled
cURL Information : 7.19.7
Age : 3
Features
AsynchDNS : No
CharConv : No
Debug : No
GSS-Negotiate : Yes
IDN : Yes
IPv6 : Yes
krb4 : No
Largefile : Yes
libz : Yes
NTLM : Yes
SPNEGO : No
SSL : Yes
SSPI : No
Host : x86_64-redhat-linux-gnu
SSL Version : NSS/3.27.1
ZLib Version : 1.2.3
libSSH Version : libssh2/1.4.2
----------------
From the command line:
----------------
# curl -V
curl 7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Protocols: tftp ftp telnet dict ldap ldaps ht tp file ht tps ftps scp sftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
# yum list installed | grep curl
curl.x86_64 7.19.7-53.el6_9 @base
libcurl.x86_64 7.19.7-53.el6_9 @base
python-pycurl.x86_64 7.19.0-9.el6 @base
# yum list installed | grep nss
nss.x86_64 3.36.0-8.el6 @base
nss-softokn.x86_64 3.14.3-23.el6_7 @CentOS6-Updates/6.7
nss-softokn-freebl.x86_64 3.14.3-23.el6_7 @CentOS6-Updates/6.7
nss-sysinit.x86_64 3.36.0-8.el6 @base
nss-tools.x86_64 3.36.0-8.el6 @base
nss-util.x86_64 3.36.0-1.el6 @base
openssh.x86_64 5.3p1-118.1.el6_8 @updates
openssh-clients.x86_64 5.3p1-118.1.el6_8 @updates
openssh-server.x86_64 5.3p1-118.1.el6_8 @updates
openssl.x86_64 1.0.1e-57.el6 @base
openssl-devel.x86_64 1.0.1e-57.el6 @base
----------------
Problem:
------------------------------------------------
From what I have figured out after a lot of googling is that:
- On Centos, php-curl uses NSS not openssl.
- In remirepo, php-curl is packaged in php70-php-common or similar.
- The curl version used by php is not necessarily the curl installed in the system available from the command line (I am not sure of this)
- The NSS used by php-curl is not the NSS installed in the system, but one built-in with php-curl
As you can see, NSS is 3.36.0-*.el6, while the NSS shown in phpinfo() output for curl is NSS/3.27.1
My php-curl+nss combination only supplies one cipher in the above list: ECDHE-RSA-AES128-GCM-SHA256
I tested this from php code and it worked:
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_rsa_aes_128_gcm_sha_256');
I had to refer to the curl source file nss.c on the curl github repo to get the correct cipher name format to use in the php curl call.
My problem is that the other ciphers do not work. I want to know what to do to get them to work.
It seems I have to upgrade php-curl, because upgrading curl itself using yum did not seem to help.
I tried to hit the API with curl on the command line and I got the error "Unknown cipher in list"
Although the curl version in yum is 7.19.7-53.el6_9, it seems that CentOS team does a lot of backporting to ensure that TLSv1.2 is available in CentOS 6 as mentioned here:
https://serverfault.com/questions/80026 … 270#800270
I also want to know whether php-curl uses the libcurl in the system (installed using yum) or whether it is built-in.
It seems to be built-in but I am not sure.
If it uses the system libcurl, maybe I can get the ciphers to work by installing curl+nss of higher version from somewhere?
From another topic (3659) on this forum as well as many other places, it seems building curl from source is not advised.
This means the only option I have left is to upgrade php from php70 to php71 or php72 to whichever version I find supports the ECDHE ciphers mentioned above, hoping that the NSS built-in with php-curl will support those (eg. *-SHA384-*, *-CHACHA20-POLY1305-*)
I considered upgrading Centos itself from 6.8/9 to 7.x latest, but since the php7*-common package has its own curl+nss combination, independent of the system curl and system NSS, I don't know which version might have these ciphers (eg. *-SHA384-*, *-CHACHA20-POLY1305-*)
Maybe someone can point me to a place where I can get a list of the ciphers that php-curl provides, listed by version?
Of course the last resort will be to try all combinations:
php70 + Centos 6 - this is not working
php71 + Centos 6
php72 + Centos 6
php70 + Centos 7
php71 + Centos 7
php72 + Centos 7
I would prefer not upgrade to Centos 7 because that means recreating our entire production environment from scratch.
Many thanks in advance for any help you can offer.