It is simple and easy.
```php
$client = new Client();
$guzzle = new GuzzleClient('https://www.yourweb.com', array(
    'curl.options' => array(
        CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_2
    )
));
$client->setClient($guzzle);
...
```
In Guzzle 3.0+ (updated as per @limos's comment):
```php
'curl' => array(
    CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1_2
)
```
Possible CURLOPT_SSLVERSION parameters can be found on the official cURL page: http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
--- UPDATE (based on comments) ---
Choosing the right SSL protocol version involves not only the CURLOPT_SSLVERSION setting but also a lot of other cURL settings. The desired and important result is called "Perfect Forward Secrecy". This is true not only for cURL!
You cannot use several CURLOPT_SSLVERSION parameters (at least I did not find such an option in the Guzzle documentation). When you define CURLOPT_SSLVERSION, cURL will try to use this version of SSL. From the cURL documentation (link above about CURLOPT_SSLVERSION): "Pass a long parameter to control which version of SSL / TLS you try to use."
You can define several secure ciphers, but only one SSL version parameter. I would not use anything earlier than TLS 1.1. Any earlier version of SSL is vulnerable to attack. TLS 1.1 is also vulnerable, but you may then run into client compatibility issues with 1.2 if you go that route. The only safe one (until they discover some vulnerability) is TLS 1.2.
If security is the priority, upgrade to the highest available version of TLS (TLS 1.2). Client compatibility is not your issue when the service provider is the one responsible for security.
If security is important, here are other cURL options:
Setting the correct CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER will prevent MITM attacks.
CURLOPT_CAINFO - fixes error 35 - Unknown SSL protocol error in connection. Improves perfect forward secrecy.
Here is a list of cURL ciphers (CURLOPT_SSL_CIPHER_LIST) that will improve perfect forward secrecy:
```
'DHE-RSA-AES256-SHA', 'DHE-DSS-AES256-SHA', 'AES256-SHA', 'ADH-AES256-SHA', 'KRB5-DES-CBC3-SHA', 'EDH-RSA-DES-CBC3-SHA', 'EDH-DSS-DES-CBC3-SHA', 'DHE-RSA-AES128-SHA', 'DHE-DSS-AES128-SHA', 'ADH-AES128-SHA', 'AES128-SHA', 'KRB5-DES-CBC-SHA', 'EDH-RSA-DES-CBC-SHA', 'EDH-DSS-DES-CBC-SHA:DES-CBC-SHA', 'EXP-KRB5-DES-CBC-SHA', 'EXP-EDH-RSA-DES-CBC-SHA', 'EXP-EDH-DSS-DES-CBC-SHA', 'EXP-DES-CBC-SHA'
```
These ciphers were tested against the strong list from Qualys SSL Labs (2014), and weak ciphers were removed. Feel free to add / remove any ciphers.
If you still want to use several CURLOPT_SSLVERSION parameters, I would write a script to do this (which I don't think is good practice or necessary). But still, if you decide to use this functionality for any reason, write some code that tries to use the strongest possible SSL encryption and then falls back to the next version if it cannot connect.
- Before deciding, read the security information in the Qualys SSL Labs projects.
- Take a look at this SSL Labs article on forward secrecy and best practices.
- Check your client (web browser) for vulnerabilities using the SSL Labs web tool. This will give you an idea of what to look for and what to improve and protect on your server and application.
- Test your website / web service using the Qualys SSL Labs tool.
Vulnerabilities and attacks: Logjam, FREAK, POODLE, you name it! Who knows what other attacks or vulnerabilities have not been detected yet? Yes! All of them influence the choice of SSL / TLS connection.
You do not have control over the client (if you did not develop it), but you do control the server and the negotiation with the server.
No matter which application you create, you should look at best practices depending on your needs, and in each case you must weigh the following:
- Security
- Compatibility
- Maintainability
- Complexity
If security is important, go with TLS 1.1 at a minimum. Also look at the cipher lists; I would not forget this part.
The OWASP guide to creating a safe layer around your application is also nice here.
OWASP and Qualys SSL Labs are great resources to get started. I would even do some research on cURL and OpenSSL to familiarize yourself with the weaknesses, possible security options, and best practices.
There are security points that I don't mention and that are missing, but we cannot cover everything. This is just the tip of the iceberg. Everything not mentioned here is left for your own research.
Good luck!
I will be there to answer any questions if I can.
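As an added example (not the answer's own code), here is the same set of cURL options applied with PHP's raw cURL functions: a TLS 1.2-only, peer-verifying configuration that fails closed instead of falling back to an older version. The URL, the CA bundle path and the cipher string are assumptions.

```php
<?php
// Added example, not from the answer above: a hardened cURL configuration that pins
// the TLS version, verifies the peer against a CA bundle and restricts the ciphers.

function hardenedCurlOptions(string $caBundle, string $cipherList): array
{
    return [
        // Negotiate TLS 1.2 only; SSLv3 / TLS 1.0 / TLS 1.1 are refused.
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        // Verify the certificate chain and that the hostname matches the certificate (2 = check).
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        // Trust store used for chain verification; a missing/empty bundle is a common cause of error 35/60.
        CURLOPT_CAINFO          => $caBundle,
        // Only ciphers with (EC)DHE key exchange, i.e. with forward secrecy.
        CURLOPT_SSL_CIPHER_LIST => $cipherList,
        // Never speak or follow a redirect to plain http://.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER  => true,
    ];
}

function fetchOverTls12(string $url, string $caBundle, string $cipherList): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, hardenedCurlOptions($caBundle, $cipherList));
    $body = curl_exec($ch);
    if ($body === false) {
        // Error 35 = handshake failed (e.g. the server only offers TLS 1.0/1.1 or no common cipher),
        // error 60 = certificate chain could not be verified. Do NOT retry with a lower
        // TLS version here: that is exactly the downgrade an attacker on the path wants.
        $msg = sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    curl_close($ch);
    return $body;
}

// Usage with assumed values: CA bundle path and an ECDHE-first cipher string (example only).
$ciphers = 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
echo fetchOverTls12('https://www.yourweb.com/', '/etc/ssl/certs/ca-certificates.crt', $ciphers);

// With Guzzle 6+, the same option array can be passed through the 'curl' request option:
// $client = new \GuzzleHttp\Client(['curl' => hardenedCurlOptions($caBundle, $ciphers)]);
```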