scott@pogysoft.com

SSLv3 Poodle vulnerability & PHP API Access

We are given the impression from an email we received that API access will, like other forms of access, be limited to TLS rather than SSLv3.
All fine and reasonable. Unfortunately, however, we find that forcing TLS-only access is not well supported before PHP 5.5 or 5.6 (depending on
who you believe, here: http://php.net/manual/en/soapclient.soapclient.php (with the ssl_method "options" parameter to the SOAPClient()) or
(perhaps) by limiting the "ciphers" in the "context options" "stream_context" to those which will support TLS1.x. This is described in the following
post: http://stackoverflow.com/questions/16547163/how-to-force-a-certain-tls-version-in-a-php-stream-context-for-the-ssl-transp . While we understand fully that this PHP API library has limited support, we do wonder whether anybody else has experience with TLS from PHP 5.4?
Most shops seem to still run PHP 5.4 in the real world.
And I actually cannot tell, short of extensive packet tracing, whether the following codelet actually uses TLS
(or whether the parameters are being ignored?). Is there a TLS-only Salesforce endpoint for testing before November 7?
Advice appreciated.

<?php

    // Cipher suites that openssl reports as TLSv1.2 cannot be negotiated by an SSLv3 peer.
    // Keep the colon-separated string (what the 'ciphers' option expects) and explode a copy for the overlap check.
    $tls_cipher_list   = trim(shell_exec('openssl ciphers -v | grep TLSv1.2 | cut -d " " -f 1 | tr "\n" ":" | sed "s/:\$//"'));
    $sslv3_cipher_list = trim(shell_exec('openssl ciphers -v | grep SSLv3 | cut -d " " -f 1 | tr "\n" ":" | sed "s/:\$//"'));
    $tls_ciphers   = explode(':', $tls_cipher_list);
    $sslv3_ciphers = explode(':', $sslv3_cipher_list);

    // Refuse to continue if any suite we intend to offer is also usable over SSLv3.
    foreach ($tls_ciphers as $tls)
        foreach ($sslv3_ciphers as $ssl)
            if ($tls == $ssl)
            {
                print("OVERLAP on $tls == $ssl\r\n");
                exit();
            }

    // 'ciphers' takes an OpenSSL cipher-list string, not an array (available from PHP 5.4.13).
    // There is no 'protocol_version' SSL context option; unknown context keys are silently ignored.
    // 'crypto_method' is the supported way to pin the protocol, but the constant only exists from PHP 5.6,
    // so on 5.4 the cipher restriction is the only lever.
    $ssl_options = array('ciphers' => $tls_cipher_list);
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT'))
        $ssl_options['crypto_method'] = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    $context = stream_context_create(array('ssl' => $ssl_options));

    $soapClientArray = array (
          'user_agent' => 'salesforce-toolkit-php/20.0',
          'encoding' => 'utf-8',
          'trace' => 1,
          'compression' => SOAP_COMPRESSION_ACCEPT | SOAP_COMPRESSION_GZIP,
          'stream_context' => $context
    );
    $client = new SoapClient('partner.wsdl.xml', $soapClientArray);

    echo "Add 'ciphers' => '$tls_cipher_list'\r\n";

?>
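One way to answer "is this connection really TLS?" without packet tracing is to open a single socket with the same restricted context and read back what was negotiated. This is an added example, not code from the post or the Salesforce toolkit; it assumes PHP 5.6 or later (`crypto_method` and `capture_session_meta` do not exist in 5.4), reads the metadata from `stream_get_meta_data()['crypto']` on 7.2+ and from the context's `session_meta` before that, and `api.example.com` is a placeholder for the real API host.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 5.6; on 5.4 neither
// 'crypto_method' nor 'capture_session_meta' exists, so this check cannot be done there.

function tls12_only_cipher_list()
{
    // Suites openssl marks TLSv1.2 cannot be negotiated by an SSLv3 peer.
    $out = shell_exec('openssl ciphers -v | awk \'$2 == "TLSv1.2" { print $1 }\'');
    return implode(':', array_filter(array_map('trim', explode("\n", (string) $out))));
}

// Returns array('protocol' => ..., 'cipher_name' => ...) or array('error' => ...).
function negotiated_session($host, $port = 443)
{
    $ctx = stream_context_create(array('ssl' => array(
        'crypto_method'        => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
        'ciphers'              => tls12_only_cipher_list(),
        'verify_peer'          => true,
        'verify_peer_name'     => true,
        'capture_session_meta' => true,   // PHP 5.6 - 7.1: meta lands in the context options
    )));
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // A refused handshake here is itself a signal: the server offered no TLS 1.2 suite we accept.
        return array('error' => trim("$errno $errstr"));
    }
    $meta = stream_get_meta_data($fp);   // PHP 7.2+: 'crypto' key with protocol/cipher_name
    fclose($fp);
    if (isset($meta['crypto'])) {
        return array('protocol' => $meta['crypto']['protocol'],
                     'cipher_name' => $meta['crypto']['cipher_name']);
    }
    $opts = stream_context_get_options($ctx);
    if (isset($opts['ssl']['session_meta'])) {
        return array('protocol' => $opts['ssl']['session_meta']['protocol'],
                     'cipher_name' => $opts['ssl']['session_meta']['cipher_name']);
    }
    return array('error' => 'no session metadata available on this PHP version');
}

$host = 'api.example.com';   // placeholder, substitute the real endpoint
$session = negotiated_session($host);
if (isset($session['error'])) {
    echo "handshake failed: {$session['error']}\n";
} else {
    echo "negotiated {$session['protocol']} with {$session['cipher_name']}\n";
}
```

If the output shows anything other than TLSv1.2, the context options are not being honoured by the PHP build in use.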
mscholtz
"Is there a TLS-only Salesforce endpoint for testing before November 7?"

Seems like this would be a really good idea in general.