精通
英语
和
开源
,
擅长
开发
与
培训
,
胸怀四海
第一信赖
while making https requests using php-curl in ubuntu server, I have found that it adds an additional Cipher Suite which is identified as "EMPTY-RENEGOTIATION-INFO-SCSV". I know this is a fake Cipher Suite, nevertheless, I want to remove this Cipher Suite from https requests. Is there any curlopt parameter or openssl extension or apache configuration file that I can use to stop this default behavior. Thank You。当用ubuntu服务器下的php-curl构造一个https请求里,我发现它添加了一个额外的密码组件 "EMPTY-RENEGOTIATION-INFO-SCSV"。我知道它是个假的密码组件,然而,我想从https请求里删除这个密码组件。有没有curlopt参数或openssl扩展或apache配置文件来用于停止这个默认的行为。
This "cipher" is documented in RFC 5746 section 3.3. This is a method that counters the prefix attack described in CVE-2009-3555 and elsewhere.这个方法计数前缀攻击,在CVE-2009-3555或别处有描述:
This SCSV is not a true cipher suite (it does not correspond to any valid set of algorithms) and cannot be negotiated. Instead, it has the same semantics as an empty "renegotiation_info" extension, as described in the following sections. Because SSLv3 and TLS implementations reliably ignore unknown cipher suites, the SCSV may be safely sent to any server. SCSV不是一个真的密码组件(它和有效的算法集中的任一个都不对应),且也不能协商 。相反,它和空的“renegotiation_info”扩展有同样的语法,在随后的章节里会有描述。因为SSLv3和TLS实现了可靠的忽略未知密码组件,SCSV能安全地发送到任何服务器上。
So you don't disable/enable this using the regular cipher suite option curl provides (CURLOPT_SSL_CIPHER_LIST) but instead you need to ask the TLS library to allow unsafe renegotiations.所以你不需要使用常规的密码组件选项来禁止/使能这个,curl提供的选项有CURLOPT_SSL_CIPHER_LIST,但相反地,你需要请求TLS加允许不安全的协商。
I don't think PHP allows you to do that and libcurl has no provided option for it, so I believe you have to patch C source code to make it happen.我不认为PHP允许你这样做,licurl也没提供选项,所以我相信你必须看看C源代码来实现它。
This is also further described 关于 SSL_CTX_set_options的更多的描述在in OpenSSL's documentation for SSL_CTX_set_options().