强制 PHP-Curl 使用 TLS 1.3

Question

您好，我想使用 Sparkasse Bautzen 的 FineTS HBCI Api，他们向我发送了不再支持的密码列表。

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 

我现在尝试将我的 php7.3 curl 设置为使用 tls1.3 但失败了，我使用的是 openssl 1.1.1d 我使用的是 Z5E056C500A1C4B6A7110B50nemiah/php://github.com/D807

  $this->curlHandle = curl_init();
        curl_setopt($this->curlHandle, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');
        curl_setopt($this->curlHandle, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($this->curlHandle, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($this->curlHandle, CURLOPT_USERAGENT, "FHP-lib");
        curl_setopt($this->curlHandle, CURLOPT_HEADER,  1);    
        curl_setopt($this->curlHandle, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($this->curlHandle, CURLOPT_URL, $this->host);
        curl_setopt($this->curlHandle, CURLOPT_CONNECTTIMEOUT, $this->timeoutConnect);
        curl_setopt($this->curlHandle, CURLOPT_CUSTOMREQUEST, 'POST');
        curl_setopt($this->curlHandle, CURLOPT_ENCODING, '');
        curl_setopt($this->curlHandle, CURLOPT_VERBOSE, '1');
        curl_setopt($this->curlHandle, CURLOPT_TLS13_CIPHERS, 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256');
        curl_setopt($this->curlHandle, CURLOPT_TIMEOUT, $this->timeResponse);
        curl_setopt($this->curlHandle, CURLOPT_HTTPHEADER, array("cache-control: no-cache", 'Content-Type: text/plain'));

我的详细 output：

* Connected to banking-sn5.s-fints-pt-sn.de (62.181.154.164) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: TLSv1
* TLS 1.3 cipher selection: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=DE; ST=Hessen; L=Frankfurt; O=Finanz Informatik GmbH & Co. KG; OU=Finanz Informatik GmbH & Co. KG; CN=banking-sn5.s-fints-pt-sn.de
*  start date: Jan 29 00:00:00 2018 GMT
*  expire date: Apr 29 12:00:00 2020 GMT
*  subjectAltName: host "banking-sn5.s-fints-pt-sn.de" matched cert's "banking-sn5.s-fints-pt-sn.de"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
*  SSL certificate verify ok.
> POST / HTTP/1.1
Host: banking-sn5.s-fints-pt-sn.de
User-Agent: FHP-lib
Accept: */*
Accept-Encoding: deflate, gzip
cache-control: no-cache
Content-Type: text/plain
Content-Length: 540

* upload completely sent off: 540 out of 540 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 403 Forbidden
< Server: BigIP
< Connection: close
< Content-Length: 28
<
* Closing connection 0
HTTP/1.0 403 Forbidden
Server: BigIP
Connection: close
Content-Length: 28

Answer 1

首先：他们向您发送了他们不再支持的密码列表，而不是协议列表。 所以你仍然可以使用 TLSv1.2 作为协议。 基本上他们扔掉了 RSA 密码。

要修复您的探针：

利用：

curl_setopt($this->curlHandle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
// CURL_SSLVERSION_TLSv1_2 means minimum TLS v1.2 but also 1.3 is allowed
// CURL_SSLVERSION_TLSv1_3 would mean minimum TLS v1.3

我还建议删除：

curl_setopt($this->curlHandle, CURLOPT_TLS13_CIPHERS, 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256');
// !!! here you force the Ciphers they forbid, so nothing is left to connect !!!
curl_setopt($this->curlHandle, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');
// let openssl decide

我会说，根本不要设置允许的密码列表。

为什么：因为如果您的 OpenSSL 1.1.1d 有一个值得信赖的 OpenSSL 供应商，那么默认值应该很有用。 在这里强制使用特定密码很危险，让 OpenSSL 的人在这里决定。 因此，如果您更新 PHP/OpenSSL，则无需更改代码即可修复问题，尤其是在您不了解 TLS 的详细信息的情况下。

Answer 2

Ive installed https://subsembly.com/buybanking4.html and run Charles to Sniff the Traffic, well now i see the problem is not SSL releated, its the url, correct one is https://banking-sn5.s-fints -pt-sn.de/fints30不仅是https://banking-sn5.s-fints-pt-sn.de我用它取回数据，这个问题就解决了。

感谢@DragonSGA 的提示。