从php curl的https请求里删除SCSV密码组件

问

while making https requests using php-curl in ubuntu server, I have found that it adds an additional Cipher Suite which is identified as "EMPTY-RENEGOTIATION-INFO-SCSV". I know this is a fake Cipher Suite, nevertheless, I want to remove this Cipher Suite from https requests. Is there any curlopt parameter or openssl extension or apache configuration file that I can use to stop this default behavior. Thank You。当用ubuntu服务器下的php-curl构造一个https请求里，我发现它添加了一个额外的密码组件 "EMPTY-RENEGOTIATION-INFO-SCSV"。我知道它是个假的密码组件，然而，我想从https请求里删除这个密码组件。有没有curlopt参数或openssl扩展或apache配置文件来用于停止这个默认的行为。

答

This "cipher" is documented in RFC 5746 section 3.3. This is a method that counters the prefix attack described in CVE-2009-3555 and elsewhere.这个方法计数前缀攻击，在CVE-2009-3555或别处有描述：

This SCSV is not a true cipher suite (it does not correspond to any valid set of algorithms) and cannot be negotiated. Instead, it has the same semantics as an empty "renegotiation_info" extension, as described in the following sections. Because SSLv3 and TLS implementations reliably ignore unknown cipher suites, the SCSV may be safely sent to any server. SCSV不是一个真的密码组件（它和有效的算法集中的任一个都不对应），且也不能协商 。相反，它和空的“renegotiation_info”扩展有同样的语法，在随后的章节里会有描述。因为SSLv3和TLS实现了可靠的忽略未知密码组件，SCSV能安全地发送到任何服务器上。

So you don't disable/enable this using the regular cipher suite option curl provides (CURLOPT_SSL_CIPHER_LIST) but instead you need to ask the TLS library to allow unsafe renegotiations.所以你不需要使用常规的密码组件选项来禁止/使能这个，curl提供的选项有CURLOPT_SSL_CIPHER_LIST，但相反地，你需要请求TLS加允许不安全的协商。

I don't think PHP allows you to do that and libcurl has no provided option for it, so I believe you have to patch C source code to make it happen.我不认为PHP允许你这样做，licurl也没提供选项，所以我相信你必须看看C源代码来实现它。

This is also further described 关于 SSL_CTX_set_options的更多的描述在in OpenSSL's documentation for SSL_CTX_set_options().