Tags: openssl, tls1.2, ddev, tls1.0

In DDEV-Local v1.13+ I get API failures (SSL/TLS errors) against external sites


My DDEV-Local project accesses an external SOAP API on a server on the internet and now fails with errors such as "SOAP-ERROR: Parsing WSDL: Couldn't load from ...". I didn't have any trouble before upgrading to DDEV v1.13. What could the problem be here?

(SOAP is only one example; any client API call or curl request over https can fail the same way. Most https client requests from the web container to servers that still rely on obsolete TLS versions will fail.)


Solution

  • The DDEV-Local v1.13+ web container uses Debian 10 Buster, which ships an updated OpenSSL library that disallows TLS v1.0 by default (TLS 1.0 is obsolete, insecure, and about to be disallowed by web browsers). Nevertheless, there are still servers on the internet that only speak TLS 1.0.

    The setting that controls this is the line MinProtocol = TLSv1.2 in /etc/ssl/openssl.cnf inside the web container. If you need to lower it to TLSv1.0 until the remote server is updated, you can do so with a custom Dockerfile in DDEV-Local.

    In your project add a .ddev/web-build/Dockerfile like this:

    ARG BASE_IMAGE
    FROM $BASE_IMAGE
    # Lower OpenSSL's system-wide minimum TLS version in the web container
    RUN sed -i 's/TLSv1.2/TLSv1.0/g' /etc/ssl/openssl.cnf
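
    The following is an added example, not part of the DDEV docs or the web container image: it rewrites only the MinProtocol line of an openssl.cnf (instead of every "TLSv1.2" string in the file) and reads the value back so the change can be verified inside the container. The config excerpt is constructed to mirror the [system_default_sect] layout of Debian Buster's /etc/ssl/openssl.cnf, and the protocol names accepted by the helper are the ones SSL_CONF_cmd(3) documents for MinProtocol, where TLS 1.0 is spelled TLSv1.

```shell
#!/bin/sh
# Added example, not DDEV's own code: change only the MinProtocol line of an
# openssl.cnf and read it back for verification, instead of replacing every
# "TLSv1.2" in the file. The config excerpt below is constructed to mirror the
# [system_default_sect] layout of Debian Buster's /etc/ssl/openssl.cnf.

SAMPLE_CNF=$(mktemp)
cat > "$SAMPLE_CNF" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF

# Print the configured minimum protocol version (nothing if the line is absent).
get_min_protocol() {
    sed -n 's/^[[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Rewrite the MinProtocol line to the requested version and leave every other
# line (notably CipherString) untouched. Only the names SSL_CONF_cmd(3) lists
# for MinProtocol are accepted; TLS 1.0 is spelled "TLSv1" there. Any other
# value returns 1 and changes nothing.
set_min_protocol() {
    cnf=$1
    version=$2
    case "$version" in
        TLSv1|TLSv1.1|TLSv1.2|TLSv1.3) ;;
        *) echo "set_min_protocol: unsupported value '$version'" >&2; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    # cat into the target (rather than mv) keeps the original file's permissions
    sed "s/^\([[:space:]]*MinProtocol[[:space:]]*=[[:space:]]*\).*/\1$version/" "$cnf" > "$tmp" \
        && cat "$tmp" > "$cnf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Same effect as the Dockerfile step above, but scoped to the MinProtocol line.
set_min_protocol "$SAMPLE_CNF" TLSv1
echo "MinProtocol is now: $(get_min_protocol "$SAMPLE_CNF")"
```

    Run inside the web container with `ddev ssh`, the same get_min_protocol call against /etc/ssl/openssl.cnf shows whether the custom Dockerfile actually took effect.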
    

    Please note that you really do want to get the remote server updated if you have any control over it at all, because you need to be talking to it with a supported TLS version; treat the Dockerfile above as a temporary workaround, not a fix.

    Thanks to Andreas Hoffmeyer for the full solution.