My DDEV-Local project accesses an external SOAP API on a server on the internet, for example "SOAP-ERROR: Parsing WSDL: Couldn't load from ...". I didn't have any trouble before upgrading to DDEV v1.13. What could the problem be here?

(SOAP is just one example of a client API or curl request over https that may fail. Most https client requests to insecure servers will fail.)

rfay

3 Answers

The DDEV-Local v1.13+ web container uses Debian 10 Buster, which has an updated OpenSSL library, which by default disallows TLS v1.0 (which is obsolete, insecure, and is very soon to be disallowed by web browsers). However, of course, there are servers out there that are still using TLS 1.0.

The configuration to allow TLS 1.0 is in the web container in /etc/ssl/openssl.cnf: MinProtocol = TLSv1.2. If you need to change that to TLSv1.0 until the related server is updated, you can do it with a custom Dockerfile in DDEV-Local.

In your project add a .ddev/web-build/Dockerfile like this:

ARG BASE_IMAGE
FROM $BASE_IMAGE
RUN sed -i 's/TLSv1.2/TLSv1.0/g' /etc/ssl/openssl.cnf

Please note that you really do want to get the server updated if you have any control over it at all, because you need to be using a supported TLS version.

Thanks to Andreas Hoffmeyer for the full solution.

rfay

I came across a situation where the TLS version was not an issue but I was seeing the curl error curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small when trying to access an old site's content.

For me, it wasn't so much the TLS version that was the issue but the CipherString security level. Reducing CipherString = DEFAULT@SECLEVEL=2 to CipherString = DEFAULT@SECLEVEL=1 resolved the issue:

ARG BASE_IMAGE
FROM $BASE_IMAGE
RUN sed -i 's/DEFAULT@SECLEVEL=2/DEFAULT@SECLEVEL=1/g' /etc/ssl/openssl.cnf
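The two answers above each patch the container-wide /etc/ssl/openssl.cnf with a global sed, which rewrites every occurrence of the matched string. As an added example (not code from the original answers), the POSIX shell below applies the same MinProtocol and SECLEVEL changes but only to those two keys inside [system_default_sect], working on a constructed copy of the relevant part of the Debian 10 file, and reads the resulting values back so they can be checked.

```shell
#!/bin/sh
# Constructed sample: the parts of Debian 10 Buster's /etc/ssl/openssl.cnf
# that matter here (not the real file). Written to the path given as $1.
make_sample_cnf() {
  cat > "$1" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

# Rewrite MinProtocol and the SECLEVEL suffix of CipherString, and only
# inside [system_default_sect], instead of a global s/TLSv1.2/TLSv1.0/g.
# Usage: set_tls_floor <cnf-file> <MinProtocol value> <SECLEVEL number>
set_tls_floor() {
  cnf="$1" proto="$2" lvl="$3"
  awk -v p="$proto" -v l="$lvl" '
    /^\[/ { insect = ($0 == "[system_default_sect]") }   # track current section
    insect && /^MinProtocol *=/  { $0 = "MinProtocol = " p }
    insect && /^CipherString *=/ { $0 = "CipherString = DEFAULT@SECLEVEL=" l }
    { print }
  ' "$cnf" > "$cnf.tmp" && mv "$cnf.tmp" "$cnf"
}

# Read the effective values back so a script (or a test) can verify them.
get_min_protocol() { awk -F' *= *' '/^MinProtocol/ { print $2 }' "$1"; }
get_seclevel()     { sed -n 's/^CipherString *= *DEFAULT@SECLEVEL=//p' "$1"; }
```

OpenSSL reads the OPENSSL_CONF environment variable for the path of its configuration file, so pointing only the one client process at a patched copy, instead of editing /etc/ssl/openssl.cnf, limits the weakened TLS floor to that process rather than the whole container.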
In DDEV 1.15.2, I had a similar issue and needed support for TLS 1.1:

ARG BASE_IMAGE
FROM $BASE_IMAGE
RUN sed -i 's/TLSv1.2/TLSv1.1/g' /etc/ssl/openssl.cnf

Michael Anello
    This answer isn't actually different; the other answer, https://stackoverflow.com/a/60555318/215713, allows TLS v1.0 and above. Yours is the same but only allows TLS v1.1 and above. – rfay Aug 01 '20 at 18:08