Jump to content

code for finding users TLS version?


garyed

Recommended Posts

I've been trying to find the code or commands needed to find the users TLS version & everything seems to point to specific sites like:

 $ch = curl_init('https://www.howsmyssl.com/a/check'); 
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); 
  $data = curl_exec($ch); 
  curl_close($ch); 
  $json = json_decode($data); 
  echo "<h1>Your TLS version is: " . $json->tls_version . "</h1>\n";

Is it really that difficult to get a users TLS version without relying on another site to do it for you? 

I would have thought that there is a simple command like there is to get the users ip address but I guess not. 

Any enlightenment would be appreciated.

Link to comment
Share on other sites

PHP doesn't have access to that kind of information - it's all handled by the webserver automatically. As it should be.

But you can potentially have the server inject the information into your runtime environment. For example, nginx has a $ssl_cipher variable that you could pass into the PHP environment.

Link to comment
Share on other sites

34 minutes ago, requinix said:

PHP doesn't have access to that kind of information - it's all handled by the webserver automatically. As it should be.

But you can potentially have the server inject the information into your runtime environment. For example, nginx has a $ssl_cipher variable that you could pass into the PHP environment.

Thanks, that makes sense why it's not as simple as I thought it would be though I don't completely understand it. 

Since php is a server side language then I don't get why it doesn't have access to the same info that the server has. 

I must confess that I have no idea what nginx is, let alone how to pass a variable into the php environment from it.  

 

Link to comment
Share on other sites

49 minutes ago, garyed said:

Since php is a server side language then I don't get why it doesn't have access to the same info that the server has. 

Because it's apples and oranges. Just running on the same server doesn't mean anything - PHP could no more see what nginx is doing than nginx see what PHP is doing.

 

49 minutes ago, garyed said:

I must confess that I have no idea what nginx is, let alone how to pass a variable into the php environment from it.  

If gw1500se is right then what I said may already be in place for you. So print out the contents of $_SERVER and see if there's an SSL_PROTOCOL or similar you can reference (and what its value is).

Link to comment
Share on other sites

I printed out the results of $_SERVER & there's nothing about SSL_PROTOCOL. The only thing close is a SERVER_PROTOCOL 

I also searched the results for "1.3" because I know that is the version of TLS that I'm running & it came up empty. 

I tried gw1500se's suggestion earlier & it didn't work so I thought he was just joking but maybe not.

Link to comment
Share on other sites

I'm using Apache on my home server & I ran the same code on my webhost server which I assume is Apache also.

My phpinfo() shows Apache under server software environment on my webhost. 

Neither  nginx or FPM show up anywhere in my phpinfo() on either servers. mod_php7 shows on my home server but not on my webhost's server. 

Home server running php 7.2.34, Web server running php 7.4.30

Link to comment
Share on other sites

24 minutes ago, garyed said:

I'm using Apache on my home server & I ran the same code on my webhost server which I assume is Apache also.

Finding out the actual truth instead of guessing is probably a good idea.

 

For Apache, SSL_PROTOCOL is available if you enable that.
https://httpd.apache.org/docs/current/mod/mod_ssl.html


For nginx, I believe you can get $ssl_protocol as a variable, but you would need to pass that as an environment/CGI variable to php-fpm in the server/site config.
https://nginx.org/en/docs/http/ngx_http_ssl_module.html

Link to comment
Share on other sites

6 minutes ago, garyed said:

I still haven't figured out how to enable mod_ssl

If you have working SSL connections then mod_ssl is already enabled and working.  What you need to do is configure it to setup those environment variables if you want access to them.  It doesn't by default because generally speaking the application doesn't need to know that information so making it available would waste time and resources.

To enable them, you use the configuration directive SSLOptions +StdEnvVars.  Put this into either your main server configuration file or a .htaccess file in your website.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.