libcurl + Guzzle TLS error thrown for cURL less than 7.34 #3219

Open
thealmightygrant opened this issue May 20, 2024 · 8 comments

@thealmightygrant

thealmightygrant commented May 20, 2024

Guzzle version(s) affected: 7.6 to 7.8.1
PHP version: 8.2
cURL version: 7.21.3 to 7.33 (inclusive)

Description
The PHP constant CURL_SSLVERSION_TLSv1_2 being used to check the crypto_method option does not exist until cURL version 7.34.

This results in the following error being thrown:

Uncaught InvalidArgumentException: Invalid crypto_method request option: TLS 1.2 not supported by your version of cURL

We have support for TLS v1.2 so this is not an accurate error:

curl -k 'https://test-tls12.messagemedia.com/'
Connected successfully with TLS 1.2

@GrahamCampbell
Member

Thanks for getting in touch. What does your code look like? Can you show the stack trace? What is your curl --version - is it the same version as the lib-curl that PHP is linked against?

@GrahamCampbell
Member

Note that it is not a bug if you manually specify crypto_method to 1.2 and have a too old version of curl, even if it supports TLS 1.2 but does not have the constant. I'd only consider this a bug if the error happens even when not specifying a crypto_method.

@GrahamCampbell
Member

This fact is documented at https://github.com/guzzle/guzzle/blob/429cb6702659329819fb40c9487eac3132bdd80b/docs/request-options.rst#crypto_method. The reason is we need to behave in a secure way. If we can't verify that TLS 1.2 or higher is actually used, then we must fail.

@thealmightygrant
Author

Hi, it's a bit roundabout, but I am hitting this issue via the Saloon project. They are passing through the crypto_method.

I am accessing that project from the instructor-php project, where they are creating a client for OpenAI.

@thealmightygrant
Author

thealmightygrant commented May 20, 2024

We are using curl 7.29 as the version that our PHP is linked against.

curl --version
curl 7.29.0 (x86_64-koji-linux-gnu) libcurl/7.29.0 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

@thealmightygrant
Author

Full Stacktrace for you:

Fatal error: Uncaught InvalidArgumentException: Invalid crypto_method request option: TLS 1.2 not supported by your version of cURL in /home/asherrick/development/irccat/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:470
Stack trace:
#0 /some-project/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(59): GuzzleHttp\Handler\CurlFactory->applyHandlerOptions(Object(GuzzleHttp\Handler\EasyHandle), Array)
#1 /some-project/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(43): GuzzleHttp\Handler\CurlFactory->create(Object(GuzzleHttp\Psr7\Request), Array)
#2 /some-project/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): GuzzleHttp\Handler\CurlHandler->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
#3 /some-project/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(48): GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}(Object(GuzzleHttp\Psr7\Request), Array)
#4 /some-project/vendor/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php(64): GuzzleHttp\Handler\Proxy::GuzzleHttp\Handler\{closure}(Object(GuzzleHttp\Psr7\Request), Array)
#5 /some-project/vendor/guzzlehttp/guzzle/src/Middleware.php(31): GuzzleHttp\PrepareBodyMiddleware->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
#6 /some-project/vendor/guzzlehttp/guzzle/src/RedirectMiddleware.php(71): GuzzleHttp\Middleware::GuzzleHttp\{closure}(Object(GuzzleHttp\Psr7\Request), Array)
#7 /some-project/vendor/guzzlehttp/guzzle/src/Middleware.php(66): GuzzleHttp\RedirectMiddleware->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
#8 /some-project/vendor/guzzlehttp/guzzle/src/HandlerStack.php(75): GuzzleHttp\Middleware::GuzzleHttp\{closure}(Object(GuzzleHttp\Psr7\Request), Array)
#9 /some-project/vendor/guzzlehttp/guzzle/src/Client.php(333): GuzzleHttp\HandlerStack->__invoke(Object(GuzzleHttp\Psr7\Request), Array)
#10 /some-project/vendor/guzzlehttp/guzzle/src/Client.php(106): GuzzleHttp\Client->transfer(Object(GuzzleHttp\Psr7\Request), Array)
#11 /some-project/vendor/guzzlehttp/guzzle/src/Client.php(124): GuzzleHttp\Client->sendAsync(Object(GuzzleHttp\Psr7\Request), Array)
#12 /some-project/vendor/saloonphp/saloon/src/Http/Senders/GuzzleSender.php(101): GuzzleHttp\Client->send(Object(GuzzleHttp\Psr7\Request), Array)
#13 /some-project/vendor/saloonphp/saloon/src/Traits/Connector/SendsRequests.php(72): Saloon\Http\Senders\GuzzleSender->send(Object(Saloon\Http\PendingRequest))
#14 /some-project/vendor/cognesy/instructor-php/src/ApiClient/Traits/HandlesApiResponse.php(36): Saloon\Http\Connector->send(Object(Cognesy\Instructor\Clients\OpenAI\OpenAIApiRequest))
#15 /some-project/vendor/cognesy/instructor-php/src/ApiClient/Traits/HandlesApiResponse.php(28): Cognesy\Instructor\ApiClient\ApiClient->respondRaw(Object(Cognesy\Instructor\Clients\OpenAI\OpenAIApiRequest))
#16 /some-project/vendor/cognesy/instructor-php/src/Core/RequestHandler.php(79): Cognesy\Instructor\ApiClient\ApiClient->get()
#17 /some-project/vendor/cognesy/instructor-php/src/Core/RequestHandler.php(41): Cognesy\Instructor\Core\RequestHandler->getApiResponse(Object(Cognesy\Instructor\Data\Request))
#18 /some-project/vendor/cognesy/instructor-php/src/Instructor.php(188): Cognesy\Instructor\Core\RequestHandler->respondTo(Object(Cognesy\Instructor\Data\Request))
#19 /some-project/vendor/cognesy/instructor-php/src/Instructor.php(162): Cognesy\Instructor\Instructor->handleRequest()
#20 /some-project/vendor/cognesy/instructor-php/src/Instructor.php(110): Cognesy\Instructor\Instructor->get()
#21 /some-project/modules/emojiembeddings.php(196): Cognesy\Instructor\Instructor->respond(...)

@GrahamCampbell
Member

GrahamCampbell commented May 20, 2024

Ok. The best thing to do here is to upgrade your curl version. I'm not sure if all the security fixes are backported to the build you have, but if not, it is horribly insecure. The other thing I would recommend if you'd prefer not doing that would be to downgrade to a version of that library before they added that code or to fork it and remove it. Finally, you could fork it and instruct guzzle to not use the curl handler, and use the PHP-native implementation which is slower, but may be fast enough for you. A similar approach would be to create your own GuzzleSender implementation, and build up the object you need more manually in your code, which would avoid the fork. I see this last one doesn't work because of what they did in the Config class. EDIT 2: that's the stream constant, not the curl one.

@GrahamCampbell
Member

GrahamCampbell commented May 21, 2024

I was thinking more about this. Maybe Guzzle should only try and use its curl handler by default if libcurl is at least 7.34. That may be enough to fix your issue.
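
The idea in the last comment (use the curl handler only when libcurl is at least 7.34, otherwise the PHP-native one) can also be applied on the application side. The following is an added example, not code from Guzzle, Saloon or the participants in this thread; it assumes Guzzle 7 installed via Composer, and `curlCanEnforceTls12()` and `chooseTls12Handler()` are hypothetical helper names.

```php
<?php
// Added example: not Guzzle's or Saloon's code. Assumes Guzzle 7 via Composer.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Handler\CurlHandler;
use GuzzleHttp\Handler\StreamHandler;

/**
 * Hypothetical helper: true only when the libcurl that PHP is linked against
 * is at least 7.34.0 AND the PHP constant CURL_SSLVERSION_TLSv1_2 exists,
 * i.e. when a TLS 1.2 minimum can actually be requested through curl.
 */
function curlCanEnforceTls12(): bool
{
    if (!function_exists('curl_version') || !defined('CURL_SSLVERSION_TLSv1_2')) {
        return false;
    }
    $info = curl_version();
    return is_array($info) && version_compare($info['version'], '7.34.0', '>=');
}

/** Hypothetical helper: pick a handler that can honour a TLS 1.2 minimum. */
function chooseTls12Handler(): callable
{
    if (curlCanEnforceTls12()) {
        return new CurlHandler();
    }
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        // Fail closed: no handler left that can enforce the minimum version.
        throw new RuntimeException('No HTTP handler available that can enforce TLS 1.2');
    }
    return new StreamHandler(); // PHP stream wrapper; slower than curl
}

$client = new Client([
    'handler' => HandlerStack::create(chooseTls12Handler()),
    // Stream constant, as the crypto_method request option expects.
    'crypto_method' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
]);

// Report which path was taken so an outdated libcurl shows up in logs.
error_log(sprintf('TLS 1.2 via %s (libcurl %s)',
    curlCanEnforceTls12() ? 'curl' : 'PHP streams',
    function_exists('curl_version') ? curl_version()['version'] : 'n/a'));
```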
