Monir Hossain Monir Hossain - 1 year ago 56
PHP Question

Remove SCSV Cipher Suite from php curl https request

while making https requests using php-curl in ubuntu server, I have found that it adds an additional Cipher Suite which is identified as "EMPTY-RENEGOTIATION-INFO-SCSV".
I know this is a fake Cipher Suite, nevertheless, I want to remove this Cipher Suite from https requests.
Is there any curlopt parameter or openssl extension or apache configuration file that I can use to stop this default behavior.
Thank You


This "cipher" is documented in RFC 5746 section 3.3. This is a method that counters the prefix attack described in CVE-2009-3555 and elsewhere.

This SCSV is not a true cipher suite (it does not correspond to any
valid set of algorithms) and cannot be negotiated. Instead, it has
the same semantics as an empty "renegotiation_info" extension, as
described in the following sections. Because SSLv3 and TLS
implementations reliably ignore unknown cipher suites, the SCSV may
be safely sent to any server.

So you don't disable/enable this using the regular cipher suite option curl provides (CURLOPT_SSL_CIPHER_LIST) but instead you need to ask the TLS library to allow unsafe renegotiations.

I don't think PHP allows you to do that and libcurl has no provided option for it, so I believe you have to patch C source code to make it happen.

This is also further described in OpenSSL's documentation for SSL_CTX_set_options().