PHP cURL SSL Cipher Suite Order

Question

Cloudflare uses the cipher suite of ECDHE_ECDSA and AES_128_GCM for their https certificates. When using PHP cURL, you can specify the cipher suite:

curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'ecdhe_ecdsa_aes_128_sha');

However, that doesn't help me if the cURL request is requesting something other than ecdhe_ecdsa_aes_128_sha.

The following Apache configuration is set, but PHP cURL does not seem to respect this:

SSLHonorCipherOrder On
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

Is there a way to specify a cipher suite order for PHP cURL?

Environment Info:

[vagrant@devopsgroup ~]$ php -i | grep SSL
SSL => Yes
SSL Version => NSS/3.15.4
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL Header Version => OpenSSL 1.0.1e-fips 11 Feb 2013
Native OpenSSL support => enabled

Answer 1

You can specify the cipher suites you want cURL to use with CURLOPT_SSL_CIPHER_LIST like you suggest above, but if cURL is compiled against OpenSSL, then you need to specify the ciphers in the format used by OpenSSL.

The Apache configuration has no effect on cURL.

Since cURL is built with OpenSSL, try using the cipher names from OpenSSL ciphers .

For example:

curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'ECDHE-RSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA');

This answer is also useful: https://unix.stackexchange.com/questions/208437/how-to-convert-ssl-ciphers-to-curl-format