[#10] Add CURLOPT_SSLVERSION #11
Conversation
|
What is the default for this value? I am hesitant about hardcoding a version as you would then have to update this when the world moves on. Usually this is negotiated between the client and the server to use the highest common version. What is the motivation for this change? To force some older platforms to use the minimum required version? Could it be achieved in a more "at least this"-fashion, e.g. without "limiting" to version 1.2? |
|
There is importance for Paylike API. Paylike API revokes this option according to: https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html SSLv2 is disabled by default since 7.18.1. Other SSL versions availability may vary depending on which backend libcurl has been built to use. |
What do you mean by this? The Paylike API (the http service itself) will not allow insecure connections (and none of the old SSLv* versions), so unless you have a connection issue, you should probably just have your platform negotiate the best version. From the documentation you linked, it seems that |
|
https://github.com/stripe/stripe-php SSL / TLS compatibility issuesStripe's API now requires that all connections use TLS 1.2. Some systems (most notably some older CentOS and RHEL versions) are capable of using TLS 1.2 but will use TLS 1.0 or 1.1 by default. In this case, you'd get an The recommended course of action is to upgrade your cURL and OpenSSL packages so that TLS 1.2 is used by default, but if that is not possible, you might be able to solve the issue by setting the $curl = new \Stripe\HttpClient\CurlClient(array(CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1));
\Stripe\ApiRequestor::setHttpClient($curl); |
|
I think adapting this to allow user defined parameters for curl should be fine, for testing purposes you may not always be able to test with a valid certificate. If the Paylike api does not allow insecure connections for live credentials, then this is not an issue of security. I think the default setting allows for better support in this case, but adding the option of changing the curl arguments may be useful. |
|
Okay, so, the Stripe explanation provides the context (and merits) for setting such an option.
The reason for setting such option is to force some older systems that do not advertise a newer protocol, although they have some capability of it, probably because it has been considered "experimental" or at least not "ready for stable production". It is definitely not something we should add to our code as the "right" solution is almost always to upgrade your system. Stripe API author seems to agree:
I do not want our code to consider non-stable, non-production, experimental or beta software. I would only consider such change if this was affecting a significant number of users for which the act of upgrading was out of their control and the "experimental" TLS 1.2 support was considered safe and secure by trusted sources. If someone wants to do this anyway they must be very aware (of the security implications of running outdated software, if that's the case), and thus skilled in software, so forking the code and adding the setting should be a no-brainer. Thanks @visitek for bringing this up. I learnt something along the way. I hope you understand (and might agree) why this PR is not getting merged. |
|
@ionutcalara, if you had something more generic in mind, or regarding the |
|
I don't fully agree. We have latest RHEL. CentOS 7 and curl doesn't work
properly by default :-/
warm regards,
Ing. Martin Lonský, CEO
MyAppIn, s. r. o.
sent from mobile
…On May 14, 2017 13:54, "Thomas Jensen" ***@***.***> wrote:
@ionutcalara <https://github.com/ionutcalara>, if you had something more
generic in mind, or regarding the CURLOPT_SSL_VERIFYPEER option, and
there's a use case for it, it can be considered in a new PR.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#11 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABqUD3oLztYHRZE921xKmmnmypPLko1Nks5r5utrgaJpZM4NZlQO>
.
|
|
Interesting. So you're saying it might actually be a problem to a significant number of users that cannot upgrade? This would also mean that the Stripe statement is flawed. I've just tested the following: $ docker run -i -t centos:7
$ yum install -y curl php
$ curl https://api.paylike.io/ping
$ php test.phpWhere Can you provide me with a |
|
I think that possibility to set additional opts are the best solution with
adding possible errors section into readme :-)
warm regards,
Ing. Martin Lonský, CEO
MyAppIn, s. r. o.
sent from mobile
…On May 14, 2017 14:26, "Thomas Jensen" ***@***.***> wrote:
Interesting. So you're saying it might actually be a problem to a
significant number of users that cannot upgrade? This would also mean that
the Stripe statement is flawed.
I've just tested the following:
$ docker run -i -t centos:7
$ yum install -y curl php
$ curl https://api.paylike.io/ping
$ php test.php
Where test.php is a script using this library to do the same. Both work
without fine.
Can you provide me with a Dockerfile or similar instructions on how to
reproduce this? I'm trying to figure out who and how many are affected by
this.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#11 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABqUDyfrhQqZyxfz5IONKPwdNXkruC3fks5r5vLqgaJpZM4NZlQO>
.
|
|
Could very well be. There might be a use case for the certificate verification option if you are for instance mocking the Paylike service when unit testing. I'm still interested in discovering why you are seeing this issue on a recent REHL installation. Could you dump the output of |
|
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.21 Basic ECC
zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Linux [hidden] 3.10.0-229.14.1.el7.x86_64 #1 SMP Tue Sep 15 15:05:51 UTC
2015 x86_64 x86_64 x86_64 GNU/Linux
PHP 7.1.4 (cli) (built: Apr 15 2017 08:07:03) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
with Zend OPcache v7.1.4, Copyright (c) 1999-2017, by Zend Technologies
Warm regards,
Ing.* Martin Lonský*, CEO
MyAppIn, s. r. o.
[image: www.myappin.com] <http://www.myappin.com/>
tel.: +420 736 645 876 <+420%20736%20645%20876>
www.myappin.com
…--
*ApuTime *— the future of Project Management.
*Emotions* *|* *Visualizations* *|* *Game*
[image: www.aputime.com] <https://www.aputime.com>
www.aputime.com
On Sun, May 14, 2017 at 4:40 PM, Thomas Jensen ***@***.***> wrote:
Could very well be. There might be a use case for the certificate
verification option if you are for instance mocking the Paylike service
when unit testing.
I'm still interested in discovering why you are seeing this issue on a
recent REHL installation. Could you dump the output of uname -a, curl
--version and php --version? Or debug why you are seeing when I'm not in
my docker test?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#11 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ABqUD8ritUUALOuqJh2P7CpT2fMhDMaFks5r5xJEgaJpZM4NZlQO>
.
|
|
Okay, so the kernel is older than mine (I'm on 4.9.27) and the PHP version is much newer. Can you guide me to how you upgraded PHP? |
|
simply by |
|
Ah, this is not a package in the official repositories, it's from Webtatic, right? I added their repos and installed We seem to now have identical PHP versions: PHP 7.1.4 (cli) (built: Apr 15 2017 08:07:03) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend TechnologiesI can't really get further from here unless you can provide me some clue. Could you try debugging your setup? E.g. checking the cURL version used from PHP. |
Fix for SSLVERSION. Curl has changed defaults in PHP7