PHP 8 $_SERVER['SSL_PROTOCOL'] is missing on some servers, how to determine encryption protocl and version

Question

We recently upgraded our servers to PHP 8 and on one of the servers the $_SERVER['SSL_PROTOCOL'] variable is missing.

• I couldn't find any reference to it on php.net.
• I am aware that some variables are pulled from other parts of the system though I'm not familiar with where PHP gets this particular variable from.
• All search results I've found using quote operators revealed only irrelevant data.
• I attempted to see if the variable name was changed to something like TLS_PROTOCOL because SSL has been irrelevant for some time.

My goal is to ensure that clients are using TLS 1.2 or TLS 1.3 and this was the critical component to that. How do I either get $_SERVER['SSL_PROTOCOL'] or at least determine the protocol and protocol version of the network encryption type being used by clients via PHP?

Answer 1

The SSL/TLS encryption is handled by your web server, not by PHP, so this variable has to be set there. The upgrade of PHP is coincidence - it's something else you've upgraded or re-built that has caused the difference.

If you are using Apache, this information is disabled for performance unless you set SSLOptions +StdEnvVars. See the documentation at https://httpd.apache.org/docs/current/mod/mod_ssl.html

A quick search suggests Nginx doesn't set this variable natively at all.