
PHP CURL - cURL error 35: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type

I want to make a curl request in PHP 7.3.90

    curl -V
    curl 7.64.0 (x86_64-pc-linux-gnu) libcurl/7.64.0 OpenSSL/1.1.1d zlib/1.2.11 libidn2/2.0.5 libpsl/0.20.2 (+libidn2/2.0.5) libssh2/1.8.0 nghttp2/1.36.0 librtmp/2.3
    Release-Date: 2019-02-06
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets HTTPS-proxy PSL

    $ch = curl_init();
    // 2. set the options, including the url
    curl_setopt($ch, CURLOPT_URL, "https://mydomain/get-token");
    curl_setopt($ch, CURLOPT_HTTPHEADER, array("App-Key: YOUR-KEY-HERE"));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,0);

and the answer is

"cURL error 35: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)"

I had the same problem with the curl command and I solved it with

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=1

instead of

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2

https://github.com/curl/curl/issues/4097 and OpenSSL v1.1.1 ssl_choose_client_version unsupported protocol

Which curl option do I have to use to solve this error?

Thanks

I know this question is quite old, but I ran into the same issue when working with some old *cough* Hermes *cough* API.

I also did not want to set seclevel to 1 for the whole system. What you are looking for is the following:

    curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT@SECLEVEL=1');

Just put that piece of code into your application and you should be fine for this one request. Of course this is not the safest way, but when the API is not set up properly you do not have a choice.
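The per-request override from the answer above, as an added example that is not part of the original post: certificate and host-name verification stay enabled, and the lower security level is applied only to an allowlisted legacy host. The function name `fetchWithScopedSecLevel`, the `LEGACY_TLS_HOSTS` allowlist and the host `legacy-api.example.com` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only hosts permitted to negotiate at SECLEVEL=1.
const LEGACY_TLS_HOSTS = ['legacy-api.example.com'];

/**
 * GET $url with certificate and host-name verification left on.
 * The cipher-list override is applied only when the host is allowlisted.
 */
function fetchWithScopedSecLevel(string $url, array $headers = []): string
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || parse_url($url, PHP_URL_SCHEME) !== 'https') {
        throw new InvalidArgumentException('Expected an https:// URL');
    }

    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,    // certificate must match the host name
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // TLS 1.2 or later
        CURLOPT_TIMEOUT        => 15,
    ];
    if (in_array(strtolower($host), LEGACY_TLS_HOSTS, true)) {
        // Same override as in the answer, limited to this one handle.
        $options[CURLOPT_SSL_CIPHER_LIST] = 'DEFAULT@SECLEVEL=1';
        // Log every downgraded request so the exception stays visible.
        error_log("TLS SECLEVEL=1 used for legacy host {$host}");
    }

    $ch = curl_init();
    curl_setopt_array($ch, $options);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("cURL error {$errno}: {$error}");
    }
    return $body;
}

// Constructed sample call; the URL is a placeholder:
// echo fetchWithScopedSecLevel('https://legacy-api.example.com/get-token', ['App-Key: YOUR-KEY-HERE']);
```

Requests to any host outside the allowlist keep the system default from `/etc/ssl/openssl.cnf`, so the weaker setting never applies process-wide.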

I just had this issue after upgrading from OpenSSL 1.1.0 to 1.1.1 on Debian.

I found the solution here https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900984

Replace SECLEVEL 2 with SECLEVEL 1 in /etc/ssl/openssl.cnf as SECLEVEL 2 prevents SHA1 encryption, which was necessary for Moneris in my case, which only seems to support the deprecated SHA1 signatures.

After an upgrade on Ubuntu 20, I get the same problem.

The solution was to upgrade to openssl-1.1.1g. By default Ubuntu 20 uses openssl-1.1.1f, which doesn't work well.

link to an installation solution for this still unpackaged version of openssl.

Simply setting DEFAULT@SECLEVEL to 1 didn't work because I needed to fix that issue on Ubuntu 20.04.3 LTS using OpenSSL 1.1.1f 31 Mar 2020. The solution I found at https://askubuntu.com/a/1233456/306766 worked for me.

You need to add this to the beginning of your config file (/etc/ssl/openssl.cnf):

    openssl_conf = default_conf

And then this to the end:

    [ default_conf ]
    ssl_conf = ssl_sect

    [ssl_sect]
    system_default = system_default_sect

    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT:@SECLEVEL=1

After installing Ubuntu 22.04, this issue happened to me, and replacing SECLEVEL 2 with SECLEVEL 0 in /etc/ssl/openssl.cnf fixed it. Zero is important.
