Forum Discussion
We've removed Community support for SSL v3, TLS 1.0, and TLS 1.1. You'll need to make sure you're using TLS 1.2+ when making requests to communities.
Those versions of OpenSSL are pretty old -- TLS 1.2 was only added around OpenSSL 1.0.1 so I believe your stage environment has no chance of working without an upgrade. curl itself may also be out of date, which might impact whether it can use the newer TLS versions.
After upgrading, if you still see issues, you might be able to use the CURLOPT_SSLVERSION curl option in your PHP code to prefer that curl uses TLS 1.2. But if things are working, don't set that override (it will probably eventually be out of date too).
This StackOverflow post might have better specifics for you since the asker is using PHP + curl + OpenSSL: "TLS 1.2 not working in cURL"
Hi Andrew,
Thanks for the clarification.
As I mentioned above our Prod env have PHP Version 5.6.16 & OpenSSL 1.0.1e-fips 11 Feb 2013 and I tried to execute the same script in the prod environment also. but there also I am getting an "SSL handshake" error.
Attaching phpinfo details from our Production environment
May I know why the script is not working in Prod even though it has OpenSSL 1.0.1e-fips 11 Feb 2013?
- AndrewF6 years agoKhoros Oracle
I would suggest using the OpenSSL client directly on the machine to rule out PHP & Curl:
openssl version -a echo | openssl s_client -connect community.hostname.example:443 -servername community.hostname.example
(The "-servername ..." flag is essential because we are rolling out a requirement that SNI is used for all HTTPS requests. Your community may already require SNI.)
If you see this working, the problem may be in your PHP + curl setup, or perhaps curl itself needs an update because there have been fixed bugs around TLS handshakes.
If it fails, the OpenSSL connect output should give you better information to diagnose the issue.
Aside: Even if the old OpenSSL is not the cause, I recommend trying to have a plan to upgrade as it is one of the more important pieces of maintenance -- security is a moving target and your versions have known vulnerabilities (famously, Heartbleed).
- sreejithpm6 years agoAdept
Thanks a lot, Andrew for explaining in detail.