Monir Hossain

Reputation: 15

Remove SCSV Cipher Suite from php curl https request

While making HTTPS requests using php-curl on an Ubuntu server, I have found that it adds an additional cipher suite which is identified as "EMPTY-RENEGOTIATION-INFO-SCSV". I know this is a fake cipher suite; nevertheless, I want to remove this cipher suite from HTTPS requests. Is there any curlopt parameter, openssl extension or apache configuration file that I can use to stop this default behavior? Thank you.

Upvotes: 0

Views: 753

Answers (1)

Daniel Stenberg

Reputation: 58204

This "cipher" is documented in RFC 5746 section 3.3. This is a method that counters the prefix attack described in CVE-2009-3555 and elsewhere.

"This SCSV is not a true cipher suite (it does not correspond to any valid set of algorithms) and cannot be negotiated. Instead, it has the same semantics as an empty "renegotiation_info" extension, as described in the following sections. Because SSLv3 and TLS implementations reliably ignore unknown cipher suites, the SCSV may be safely sent to any server."

So you don't disable/enable this using the regular cipher suite option curl provides (CURLOPT_SSL_CIPHER_LIST) but instead you need to ask the TLS library to allow unsafe renegotiations.

I don't think PHP allows you to do that and libcurl has no provided option for it, so I believe you have to patch C source code to make it happen.

This is also further described in OpenSSL's documentation for SSL_CTX_set_options().

Upvotes: 1
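The RFC excerpt in the answer says the SCSV occupies a slot in the ClientHello cipher_suites vector but can never be negotiated. The following Python is an added illustration (not code from the question, from curl, or from the answer) that parses a constructed ClientHello fragment, separates real suites from the IETF-defined signalling values (0x00FF from RFC 5746 and 0x5600 from RFC 7507), and shows a server-side selection step that cannot pick an SCSV no matter what the client lists; the sample bytes and function names are this example's own.

```python
import struct

# Signalling Cipher Suite Values: they look like suites but carry no algorithms.
SCSV_NAMES = {
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",  # RFC 5746 section 3.3
    0x5600: "TLS_FALLBACK_SCSV",                  # RFC 7507
}

def parse_cipher_suites(client_hello: bytes) -> list:
    """Return cipher-suite code points from a raw ClientHello body.
    Layout (RFC 5246 7.4.1.2): version(2) random(32) session_id<0..32>
    cipher_suites<2..2^16-2> ..."""
    pos = 2 + 32
    sid_len = client_hello[pos]
    pos += 1 + sid_len
    (cs_len,) = struct.unpack_from("!H", client_hello, pos)
    pos += 2
    suites = client_hello[pos:pos + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("truncated or odd-length cipher_suites vector")
    return [cs for (cs,) in struct.iter_unpack("!H", suites)]

def split_scsv(suites: list) -> tuple:
    """Separate negotiable suites from signalling values."""
    real = [cs for cs in suites if cs not in SCSV_NAMES]
    scsv = [SCSV_NAMES[cs] for cs in suites if cs in SCSV_NAMES]
    return real, scsv

def select_suite(client_suites: list, server_prefs: list):
    """Server-side choice in server preference order; SCSVs are skipped."""
    real, _ = split_scsv(client_suites)
    for cs in server_prefs:
        if cs in real:
            return cs
    return None  # nothing in common (an SCSV alone never yields a match)

# Constructed ClientHello fragment: TLS 1.2, all-zero random, empty session id,
# then 0xC02F (ECDHE-RSA-AES128-GCM-SHA256), 0x009D (AES256-GCM-SHA384) and the
# empty-renegotiation-info SCSV 0x00FF as the last entry.
SAMPLE_HELLO = (
    b"\x03\x03" + b"\x00" * 32 + b"\x00"
    + b"\x00\x06" + b"\xc0\x2f\x00\x9d\x00\xff"
)

if __name__ == "__main__":
    suites = parse_cipher_suites(SAMPLE_HELLO)
    real, scsv = split_scsv(suites)
    print("negotiable:", [hex(c) for c in real], "signalling:", scsv)
    print("server picks:", hex(select_suite(suites, [0x009D, 0xC02F])))
```

Applied to a real handshake, the same split is what a server or a passive inspector should do: the 0x00FF entry is a renegotiation-safety signal, so treating it as a "cipher to disable" misreads its purpose.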
