PHP Curl (with NSS) is probably using SSLv3 instead of TLS when connecting to https

That's an interesting problem.

If you query SSLLabs for this site you will see, that it only supports various ECDHE-ECDSA-* ciphers and no other ciphers. But, in the version history of curl you will find a bug with ECC ciphers and the NSS library (which you use) which is only fixed in curl version 7.36 "nss: allow to use ECC ciphers if NSS implements them".

Since you are using curl 7.19.7 your curl is too old to use the necessary ciphers together with the NSS library. This means you need to upgrade your curl library.


I have Curl 7.21.7 and PHP 5.4.34, and this seemed to do the trick for me:

curl_setopt($curl_request, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

More info here, although it doesn't say when CURL_SSLVERSION_TLSv1 was introduced.


The answer for me was to use an integer value instead of a string.. i.e.: Change:

curl_setopt($ch, CURLOPT_SSLVERSION_TLSv1_2);

To:

curl_setopt($ch, CURLOPT_SSLVERSION, 6);

Or for tlsv1_1:

curl_setopt($ch, CURLOPT_SSLVERSION, 5);

Here's the full list:

CURL_SSLVERSION_DEFAULT (0)
CURL_SSLVERSION_TLSv1 (1)
CURL_SSLVERSION_SSLv2 (2)
CURL_SSLVERSION_SSLv3 (3)
CURL_SSLVERSION_TLSv1_0 (4)
CURL_SSLVERSION_TLSv1_1 (5)
CURL_SSLVERSION_TLSv1_2 (6)

I'm running the following by the way:

curl-7.19.7-46.el6.x86_64
nss-3.21.0-0.3.el6_7.x86_64

Tags:

Php

Ssl

Https

Curl

Nss