How to force TLS v1.0 in PHP

PHP 5.6+ Users

This is a new feature as documented on the PHP 5.6 OpenSSL Changes page.

At time of writing this, PHP5.6 is in Beta1 and thus this isn’t overly useful. People of the future – lucky you!

Everyone Else

The title of this post isn’t strictly accurate as this isn’t possible in PHP < 5.6. However, when working around a problem where a supplier’s API server wasn’t correctly negotiating TLSv1.2 down to its supported TLSv1.0, sending a small subset of ciphers seemed to allow negotiation to complete correctly. This was done by setting some SSL options in the stream context.

I created a context passing it the set of permitted ciphers in CIPHERS(1) format. Code below:

  1. [
  2. 'ssl' => [
  4. ],
  5. ]
  6. );


In a lot of cases, you can just use stream_context_set_default to set this info into the default stream context.

Special Note for SOAP Users

PHP’s SOAP client doesn’t seem to use the default stream context. As such, assign a stream context handle to a variable, as demonstrated above and pass this as a parameter to the SOAPClient constructor:

  1. $soap_client = new SOAPClient('', array('stream_context' => $context));


The list of ciphers above came from OpenSSL‘s supported cipher list on the server in question. The command openssl ciphers -v will give you all of the supported ciphers and which crypto protocols they apply to. I filtered out TLSv1.2 and passed this list to the stream_context_create in the above example.

The following shell command should give you what you require:

  1. openssl ciphers -v | grep -v 'TLSv1.2' | cut -d ' ' -f 1 | tr "\n" ':'