
I have 2 servers that both run curl 7.29.0 and CentOS 7. However, when I run the following command I get 2 different results:

`curl https://tlstest.paypal.com`
  1. PayPal_Connection_OK
  2. ERROR! Connection is using TLS version lesser than 1.2. Please use TLS1.2

Why does one server default to a TLSv1.2 connection and the other does not?

(I know I can force it with --tlsv1.2 if I wanted to)

Craig
  • It might be a difference in patchlevel - Just checking the version a program reports is [not sufficient](https://access.redhat.com/security/updates/backporting/?sc_cid=3093) to determine its patchlevel; check with, for instance, `rpm -qi curl` for differences in the Release – HBruijn Jun 06 '18 at 10:50
  • Ok, so I see that the values for release do vary. Would it be safe to assume this is the reason behind the 2 results? – Craig Jun 06 '18 at 10:52
  • That would be a *likely* cause. - `rpm -qa --last | less` will show the most recent packages that were installed and unless you regularly install additional new software, that is a good indication if a system gets security (regular) updates or not – HBruijn Jun 06 '18 at 10:57
  • Thank you @HBruijn, I appreciate your time and assistance. – Craig Jun 06 '18 at 10:58
  • Specifically, this was addressed in release number 25. So `libcurl-7.29.0-25` onwards will work fine (more info [here](https://www.getpagespeed.com/web-apps/magento/magento-paypal-libcurl-and-redhat-crazy-together)) – Danila Vershinin May 16 '19 at 15:04

2 Answers


> Why does one server default to a TLSv1.2 connection and the other does not?

By default, curl will negotiate with the server, and will use the highest version that both curl and the server support. So if the connection uses different TLS versions, you likely have different versions of curl on the servers. As you write that the version reported by curl is the same, you should also check the version of "libcurl", the shared library that is used by curl - this might also be different.

Most likely one of the servers uses a fairly old version of curl or libcurl - curl has supported TLS 1.3 since 2016 (v7.52, I believe), and TLS 1.2 since 2012 (v7.28).

> I have 2 servers that both run curl 7.29.0 and CentOS 7.

Note that curl 7.29 is fairly old (released February 2013), so an upgrade is a good idea anyway.

sleske
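The comments above point at the RPM release number (`libcurl-7.29.0-25` and later), and the answer above points at checking libcurl rather than the curl binary's reported version. The script below, an added example that is not part of the question or either answer, turns both hints into a repeatable check: it parses a `VERSION-RELEASE` string as `rpm -q` prints it, compares the release against the threshold of 25 quoted in the comments (assumed here to be the only relevant threshold), classifies the body returned by the `tlstest.paypal.com` endpoint from the question, and, only when run with `--live`, executes the real `rpm` and `curl` commands on the host. The sample package strings are constructed for illustration; the function and file names are my own.

```shell
#!/bin/sh
# Added example for this thread (not code from the question or answers).
# Offline helpers:
#   release_number        - pulls the RPM release number out of a VERSION-RELEASE
#                           string such as "7.29.0-51.el7" (sample values in the
#                           test are constructed; check your own host with rpm -q)
#   libcurl_tls12_capable - true when the libcurl release is >= 25, the threshold
#                           quoted in the comments (assumption: nothing else differs)
#   classify_response     - maps the tlstest.paypal.com body to a one-word verdict
# Live check (network + rpm required, run explicitly with --live):
#   check_host            - runs rpm and curl on a CentOS 7 host and prints a verdict

# Extract the numeric release from "VERSION-RELEASE[.disttag]".
release_number() {
    printf '%s\n' "$1" | sed -e 's/^[^-]*-//' -e 's/\..*$//'
}

# Exit status 0 if the given libcurl VERSION-RELEASE is at or beyond release 25.
libcurl_tls12_capable() {
    rel=$(release_number "$1")
    [ "$rel" -ge 25 ]
}

# Classify the response body of the PayPal TLS test endpoint.
classify_response() {
    case "$1" in
        *PayPal_Connection_OK*)          echo ok ;;
        *"TLS version lesser than 1.2"*) echo old-tls ;;
        *)                               echo unknown ;;
    esac
}

# Live check: query rpm for the installed libcurl, then hit the test endpoint.
# Returns 1 when the installed libcurl is below release 25, 2 on a tool failure.
check_host() {
    nvr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' libcurl) || return 2
    echo "libcurl package: $nvr"
    if libcurl_tls12_capable "$nvr"; then
        echo "release $(release_number "$nvr") >= 25: TLS 1.2 expected"
    else
        echo "release $(release_number "$nvr") < 25: run yum update curl libcurl nss"
        return 1
    fi
    body=$(curl -s --max-time 10 https://tlstest.paypal.com) || return 2
    echo "endpoint verdict: $(classify_response "$body")"
}

# Only talk to the network when explicitly asked: sh check_tls12.sh --live
if [ "${1:-}" = "--live" ]; then
    check_host
fi
```

Running this on each of the two hosts with `--live` makes the difference visible in one line each: the host whose libcurl release is below 25 gets the `old-tls` verdict even though `curl --version` reports the same 7.29.0 on both. The release parser deliberately ignores the `.el7` dist tag and anything after it, so strings like `25.el7_5` still compare as 25.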

The following steps resolved my problem:

  1. Update the following 3 packages:

     `sudo yum update curl libcurl nss`

  2. Restart nginx/apache*

     `sudo service nginx restart`

     `sudo service hhvm restart`

*Replace these with relevant services (e.g. apache, php-fpm, etc...)

Craig