08-30-2017 01:48 PM - edited 08-30-2017 01:51 PM
I've updated one of my test servers (CentOS 6.5) to use only TLS 1.2. The update process went well, but it is not connecting to your sandbox server. I don't get any kind of error message. I can run the same code on my local machine fine (Apache/2.4.18 (Unix) OpenSSL/1.0.2g PHP/5.5.34 mod_perl/2.0.8-dev Perl/v5.16.3).
I've attached a screenshot from the TLS checker tool from Symantec and everything looks good. Do you see anything wrong?
I'm using this endpoint:
08-30-2017 03:44 PM
From the screenshot you've posted, it looks like you're having something analyze what your web server supports for connections made to it. That's probably not at issue here. Since our web server only supports connections made via TLS 1.2, it's the client code that's running on your server (the code that makes the actual connection to us) that has to support TLS 1.2 connections.
What version of OpenSSL, PHP, and curl are installed on that test server?
08-30-2017 04:43 PM
Hi Aaron, thanks for your answer. Here are some details of my server:
curl 7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 NSS/22.214.171.124 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
08-30-2017 05:01 PM - edited 08-31-2017 08:20 AM
Ah, I see. I'd advise updating to newer versions, because those are all old and there are security holes in all of them. However, since this is CentOS, and they backport security fixes to the old versions they distribute, you should be fine there.
So, the only remaining question is if these versions support TLS 1.2. It appears that they do, but there's a problem with curl 7.19.7 where even though it supports TLS 1.2, you have to explicitly request a TLS 1.2 connection or it won't make one. See here and here.
In whichever part of your code makes the actual curl requests, add a line like this:
curl_setopt ($ch, CURLOPT_SSLVERSION, 6);
That forces TLS 1.2 specifically, so that should be all you need.
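The following is an added example, not part of the original posts: a sketch of a request helper that pins TLS 1.2 as described above and reports the curl error and TLS backend when the connection fails, instead of failing silently. The function name `tls12_post`, the request body, and the URL are hypothetical placeholders; the thread does not show the real endpoint.

```php
<?php
// Added example (hypothetical helper, not code from the thread).
// The named constant is not defined on every PHP build; its value is 6,
// the same number used in the curl_setopt() line above.
if (!defined('CURL_SSLVERSION_TLSv1_2')) {
    define('CURL_SSLVERSION_TLSv1_2', 6);
}

function tls12_post($url, $body)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Explicitly request TLS 1.2; old libcurl builds will not pick it on their own.
    curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    // Keep certificate and hostname verification on while debugging.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);

    $response = curl_exec($ch);
    if ($response === false) {
        // curl_exec() returns false without printing anything, so surface
        // the error together with the libcurl version and TLS backend in use.
        $v = curl_version();
        $msg = sprintf('curl error %d: %s (libcurl %s, TLS backend %s)',
            curl_errno($ch), curl_error($ch), $v['version'], $v['ssl_version']);
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return array('status' => $status, 'body' => $response);
}

// Placeholder URL and body: substitute the real sandbox endpoint and payload.
try {
    $r = tls12_post('https://sandbox.example.invalid/endpoint', 'placeholder-body');
    echo "HTTP {$r['status']}\n";
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

The logged message includes the same libcurl and TLS backend details that `curl --version` prints, which makes it easy to confirm which client library the PHP process is actually using.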