Nemoden

Reputation: 9056

How do I know which SSL version is used by SoapClient in php?

We have an integration with a service via SOAP; we use SoapClient. Due to the POODLE SSLv3 vulnerability, the service provider will disable SSLv3 on those servers.

I couldn't find any useful information about which SSL version SoapClient uses in PHP. I also don't understand how to use a specific version of SSL with SoapClient and PHP < 5.5 (since version 5.5 there is an option in the SoapClient constructor, ssl_method).

It seems like the only way for PHP 5.3 and SoapClient to specify the version of SSL is to use a streaming context for ssl. As far as I understand, I can specify a cipher list, but this is black waters to me. How do I know which ciphers to use to be sure the client wouldn't want to perform a request via SSLv3?

All in all, should I really be worried? It seems like it's the server's responsibility to tell the client which SSL version to use, isn't it? And if I didn't specify the exact (3) version in the past, our service provider's SSLv3 shutdown will not affect us?

Upvotes: 1

Views: 4319

Answers (1)

Burhan Khalid

Reputation: 174748

You are confusing the SSL library with SSLv3, a cipher. The library PHP is using is the one available when it was built or packaged for your system. You can find out which specific version from phpinfo() or similar commands.

To disable SSLv3 (a cipher), simply use TLSv1 as the cipher. To do that, pass in the optional options array to the SoapClient constructor:

The ssl_method option is one of SOAP_SSL_METHOD_TLS, SOAP_SSL_METHOD_SSLv2, SOAP_SSL_METHOD_SSLv3 or SOAP_SSL_METHOD_SSLv23.

Here you would use SOAP_SSL_METHOD_TLS.

Upvotes: 2
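
Added example, not part of the original answer: one way to pass ssl_method to the SoapClient constructor and to report the linked TLS library without reading the full phpinfo() output. It assumes PHP 5.5 or later with the soap and openssl extensions loaded; the endpoint, the namespace and the function names are placeholders chosen for illustration.

```php
<?php
// Added example. ENDPOINT and NS are placeholders, not values from the page.
const ENDPOINT = 'https://soap.example.invalid/service';
const NS       = 'urn:example:service';

/** Report the TLS library PHP was built against (the same data phpinfo() shows). */
function tls_library_version()
{
    return defined('OPENSSL_VERSION_TEXT')
        ? OPENSSL_VERSION_TEXT
        : 'openssl extension not loaded';
}

/** Return SoapClient options pinned to SOAP_SSL_METHOD_TLS, failing closed otherwise. */
function tls_soap_options(array $options = array())
{
    if (!defined('SOAP_SSL_METHOD_TLS')) {
        // PHP < 5.5 has no ssl_method option: refuse instead of connecting
        // with whatever the build negotiates by default.
        throw new RuntimeException('ssl_method is not supported by this PHP build');
    }
    if (isset($options['ssl_method']) && $options['ssl_method'] !== SOAP_SSL_METHOD_TLS) {
        // Catches a legacy configuration that still asks for SSLv2/SSLv3/SSLv23.
        throw new InvalidArgumentException('ssl_method must be SOAP_SSL_METHOD_TLS');
    }
    $options['ssl_method'] = SOAP_SSL_METHOD_TLS;
    return $options;
}

/** Build a non-WSDL client; construction alone does not touch the network. */
function make_client(array $extra = array())
{
    $base = array(
        'location'   => ENDPOINT,
        'uri'        => NS,
        'exceptions' => true,
    );
    return new SoapClient(null, tls_soap_options($extra + $base));
}

echo 'TLS library: ', tls_library_version(), PHP_EOL;
$client = make_client();
echo 'SoapClient configured with ssl_method = SOAP_SSL_METHOD_TLS', PHP_EOL;
```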
