如何在PHP CURL中使用ECDHE密码？

Question

I used nmap to scan, this is the result:

Looks like they only support ECDHE, from output of openssl_get_cipher_methods() , there is no ECDHE cipher! So my question is how can I connect to the remote server using PHP CURL client?

This is my sample PHP code which is returned false with the message:

"Unknown cipher in list: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA", curl error number code is 59 (Couldn't use specified cipher.)

$ch = curl_init(); 
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA"); 
curl_setopt($ch, CURLOPT_SSLVERSION, 6); 
curl_setopt($ch, CURLOPT_URL, "xxxxxxxxxxxxxxx"); 
var_dump(curl_exec($ch)); 
var_dump(curl_error($ch)); 
var_dump(curl_errno($ch));

I'm using PHP 5.3.29, openssl 1.0.1e-fips 11 Feb 2013

Answer 1

The format of 'CURLOPT_SSL_CIPHER_LIST' depends on the library your cURL is linked against. If you are running on a RedHat-derived Linux, it is NSS rather than GNUTLS (Ubuntu) or OpenSSL, so you will need to convert the names accordingly.

The following question should help you:

https://unix.stackexchange.com/questions/208437/how-to-convert-ssl-ciphers-to-curl-format

Answer 2

I found the root cause, I'm running CentOS with NSS package 3.19. By default, this version doesn't enable ECC ciphers (ECDHE is one of ECC ciphers), Its fixed after upgrade to NSS 3.21+.

https://bugzilla.mozilla.org/show_bug.cgi?id=1205688
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes
https://tools.ietf.org/html/rfc4492