Thanks so much for your response, Weedpacket. I see that if you run curl from the command line on Linux with a -v option, you get a line describing the encryption protocol used:
[code]
$ curl -v https://google.com
* Rebuilt URL to: https://google.com/
* Hostname was NOT found in DNS cache
* Trying 216.58.217.206...
* Connected to google.com (216.58.217.206) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.com
* start date: 2018-02-20 14:33:16 GMT
* expire date: 2018-05-15 14:08:00 GMT
* subjectAltName: google.com matched
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
GET / HTTP/1.1
User-Agent: curl/7.35.0
Host: google.com
Accept: */*
< HTTP/1.1 301 Moved Permanently
< Location: https://www.google.com/
< Content-Type: text/html; charset=UTF-8
< Date: Thu, 15 Mar 2018 02:48:35 GMT
< Expires: Sat, 14 Apr 2018 02:48:35 GMT
< Cache-Control: public, max-age=2592000
* Server gws is not blacklisted
< Server: gws
< Content-Length: 220
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Alt-Svc: hq=":443"; ma=2592000; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="41,39,35"
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="https://www.google.com/">here</A>.
</BODY></HTML>
* Connection #0 to host google.com left intact
[/code]
In that sample, it's this line:
[code]
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
[/code]
I wrote a quick PHP script to test your suggestions:
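[code=php]
<?php
// Create a cURL handle
$ch = curl_init("https://www.google.com/");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// Verbose mode writes connection details, including the negotiated
// cipher, to the stream given in CURLOPT_STDERR
curl_setopt($ch, CURLOPT_VERBOSE, 1);
$fh = fopen("/tmp/stderr.txt", "w+");
if (!$fh) {
    die("could not open stderr\n");
}
curl_setopt($ch, CURLOPT_STDERR, $fh);

// Execute
$result = curl_exec($ch);

// Check if any error occurred; curl_exec() returns false on failure
// (an empty response body is not a failure, so compare strictly)
if ($result === false) {
    $error = curl_error($ch);
    curl_close($ch);
    fclose($fh);
    die("curl_exec failed: " . $error . "\n");
}

echo "success\n";
$info = curl_getinfo($ch);
var_dump($info);

// Close the cURL handle before closing the log file it writes to
curl_close($ch);
fclose($fh);
[/code]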
This results in some of that verbosity being written to /tmp/stderr.txt:
[code]
* Hostname was NOT found in DNS cache
* Trying 172.217.11.68...
* Connected to www.google.com (172.217.11.68) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* start date: 2018-02-28 22:09:58 GMT
* expire date: 2018-05-23 22:07:00 GMT
* subjectAltName: www.google.com matched
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
GET / HTTP/1.1
Host: www.google.com
Accept: */*
< HTTP/1.1 200 OK
< Date: Thu, 15 Mar 2018 03:00:20 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
< P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
* Server gws is not blacklisted
< Server: gws
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
etc
etc
etc
[/code]
I expect I could work up a regex to extract the cipher from there.
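One way to do the extraction mentioned at the end of the post, as an added example that is not part of the original post. The helper name parseCurlVerbose() is hypothetical, the sample log is constructed from the output shown above, and the handling of the "protocol / cipher" form printed by newer curl builds is an assumption that goes beyond the format seen in this thread.

```php
<?php
// Added example: pull TLS details out of text captured via CURLOPT_STDERR.
// parseCurlVerbose() is a hypothetical helper name, not a cURL API.
function parseCurlVerbose(string $log): array
{
    $out = ['protocol' => null, 'cipher' => null, 'subject' => null,
            'issuer' => null, 'expires' => null, 'verified' => false];

    foreach (preg_split('/\R/', $log) as $line) {
        // Only "* " informational lines matter; skip headers and body.
        if (!preg_match('/^\*\s+(.*)$/', $line, $m)) {
            continue;
        }
        $text = trim($m[1]);

        // Format in this thread: "SSL connection using <cipher>"
        // Newer curl (assumed):  "SSL connection using <protocol> / <cipher>"
        if (preg_match('~^SSL connection using (?:(\S+) / )?([A-Za-z0-9_-]+)~', $text, $c)) {
            $out['protocol'] = $c[1] !== '' ? $c[1] : null;
            $out['cipher'] = $c[2];
        } elseif (preg_match('/^(subject|issuer):\s*(.+)$/', $text, $c)) {
            $out[$c[1]] = $c[2];
        } elseif (preg_match('/^expire date:\s*(.+)$/', $text, $c)) {
            $out['expires'] = $c[1];
        } elseif ($text === 'SSL certificate verify ok.') {
            // Stays false if curl never reported a successful verification.
            $out['verified'] = true;
        }
    }
    return $out;
}

// Constructed sample, shortened from the log shown in the post.
$sample = <<<'LOG'
* Connected to www.google.com (172.217.11.68) port 443 (#0)
* SSL connection using ECDHE-ECDSA-AES128-GCM-SHA256
* Server certificate:
* subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=www.google.com
* expire date: 2018-05-23 22:07:00 GMT
* issuer: C=US; O=Google Inc; CN=Google Internet Authority G2
* SSL certificate verify ok.
< HTTP/1.1 200 OK
LOG;

print_r(parseCurlVerbose($sample));
```

If the request follows a redirect, the log holds one handshake per connection and this parser keeps the values from the last one.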