Better TLS (hopefully) #299
Conversation
brandur
left a comment
brandur
left a comment
There was a problem hiding this comment.
This looks great to me; thanks again @olivierbellone! If it's peaceful with Field Engineering, I'll cut a major release with this later today like we talked about.
| if (!defined('CURL_SSLVERSION_TLSv1_2')) { | ||
| define('CURL_SSLVERSION_TLSv1_2', 6); | ||
| } | ||
| // @codingStandardsIgnoreEnd |
There was a problem hiding this comment.
In retrospect, this definitely fits best up in the header of this file. Nice!
| $curl = new \Stripe\HttpClient\CurlClient(array(CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1)); | ||
| \Stripe\ApiRequestor::setHttpClient($curl); | ||
| ``` | ||
|
|
There was a problem hiding this comment.
Minor comment but I'd recommend that you add the exact error message people might get on this page. This is helpful for someone looking for the exact error either on the page or via Google.
There was a problem hiding this comment.
Great point. Done!
lib/HttpClient/CurlClient.php
Outdated
|
|
||
| // @codingStandardsIgnoreStart | ||
| // PSR2 requires all constants be upper case. Sadly, the CURL_SSLVERSION | ||
| // constants to not abide by those rules. |
There was a problem hiding this comment.
minor nit "constants to not" => "constants do not"
|
|
||
| $langVersion = phpversion(); | ||
| $uname = php_uname(); | ||
| $curlVersion = curl_version(); |
There was a problem hiding this comment.
have we confirmed that calling this has a minimal impact? We've discussed this before in private but can't remember seeing clear results
There was a problem hiding this comment.
I ran some basic benchmarking, and it takes approximately 1.3 seconds to run 1 million calls to curl_version on my laptop. Given that ~all of our users will never send more than 100 req/s, I think we're fine.
|
Added a few minor comments here to address first but otherwise I think we're ready to ship. Since this is a major change, it might be worth delaying it a bit more and trying to think of anything we've wanted to change or fix for some time but couldn't because it would require a major version release |
|
Not sure if this helps or is too late... Though they don't use this Stripe PHP library, the WooCommerce Stripe payment gateway added this: |
|
@pderksen this is the original code we had in our library too as far as I can tell (they even mention olivier's name directly in the comments). Unfortunately, we've ended up in situations where some users have PHP built with one specific version of curl and then uses a completely different one in production. When that happens, forcing the constant sometimes doesn't work at all producing errors such as the one documented in #289. This PR is a different attempt to avoid this issue. We now rely on curl doing the right thing by default and then provide an option for users to explicitly force a different constant otherwise if they need to. |
@remistr Given that major version releases tend to be slightly intimidating as is, what do you think about trying to keep this one fairly minimal? I'm a little worried that if there are too many other changes they might present a bit of a barrier to upgrade. |
|
@brandur well that seems the opposite of what a major release should be no? Otherwise we'll keep not changing things we want to fix because it's too minor for a major release and at the same time have to release major releases every time something less minor changes. I can't remember a specific thing we wanted to fix but couldn't recently. I'm just trying to advocate for taking this a bit slower than usual and trying to make sure we're not missing a quick win we could get and avoid a 5.X in a few weeks. |
olivierbellone
force-pushed
the
ob-fix-289
branch
from
b139ae3 to
ae61759
Compare
Well I should point out that we're not burning through major releases at an incredible rate (the last was almost a year and a half ago), so it doesn't seem like we'd be starting a 5.x line anytime soon. But cool, it would be nice to get some of the people on #289 fixed up, but aside from that I guess we're not in a particular rush. Let me know when you think it would be wise to move forward on this one. |
|
@brandur Then I think we're okay merging and releasing this! |
olivierbellone
force-pushed
the
ob-fix-289
branch
from
ae61759 to
2c2d822
Compare
|
I added a paragraph at the end of the README for plugin devs, to let them know about Feel free to tweak the wording or just rewrite the whole thing! |
brandur
left a comment
brandur
left a comment
There was a problem hiding this comment.
+1 to trying out the new README section. I left one minor comment on a typo above, but this looks good to me. Lets get it shipped out today.
README.md
Outdated
|
|
||
| Alternately, a callable can be passed to the CurlClient constructor that returns the above array based on request inputs. See `testDefaultOptions()` in `tests/CurlClientTest.php` for an example of this behavior. Note that the callable is called at the beginning of every API request, before the request is sent. | ||
|
|
||
| ### SSL / TLS compatibiliy issues |
There was a problem hiding this comment.
Ugh, pretty minor, but I just noticed this typo on "compatibility". Mind fixing that?
olivierbellone
force-pushed
the
ob-fix-289
branch
from
2c2d822 to
cf8bc52
Compare
olivierbellone
force-pushed
the
ob-fix-289
branch
from
cf8bc52 to
458adc0
Compare
|
@brandur Sorry for the delay, GitHub failed to notify me for some reason. Typo is fixed, let's 🚢 this! |
|
Released as 4.0.0. Fingers crossed :) |
r? @brandur
cc @stripe/api-libraries @remistr
This PR aims to solve the various TLS issues that some of our users have encountered, usually caused by weird interactions between software versions (most notably curl and its underlying SSL library, typically but not always OpenSSL) and the way we configure TLS in the library.
To summarize:
CURLOPT_SSLVERSIONat all anymore. From the PHP docs: "Your best bet is to not set this and let it use the default. "CURLOPT_SSLVERSIONis explicitly set to eitherCURL_SSLVERSION_TLSv1orCURL_SSLVERSION_TLSv1_2) can now do so by passing the option themselves (see README)request()method so that we don't check if the constants are already defined for every requestX-Stripe-Client-User-Agentheader now includes curl version and the SSL library name and versionThis update will unfortunately break some users' integrations (for those cases where the library happens to work now, but will require manually setting
CURLOPT_SSLVERSIONafter the update), and so should be released with a major version bump.