Fixed Swiftmailer uses TLS v1.0 by default in PHP 5.6+

HortonX25

Member
So I got this email from my email host

Azi wrote:
Hi,
Thanks for contacting us. The issue you are encountering is the deprecation of TLS 1.0 V1. More information can be found in our blog post here: https://www.sparkpost.com/blog/tls-v1-0-deprecation/
In an effort to help our customers with the transition, we’ve set up test endpoints that will reject any API calls that do not use TLSv1.1 or higher. You can use these endpoints to inject email traffic (or make other API calls) using your current software to determine whether it uses TLSv1.1 or higher (traffic will be accepted) or whether it uses TLSv1.0 (traffic will be rejected)
We attempted to deprecate TLS 1.0 but have rolled back until Monday July 9 to give customers more time to update their injection methods. Click here to test your connection: https://www.sparkpost.com/docs/tech-resources/tlsv1-0-test-hostname
Regards,
Azi

After a bit of testing, it appears I have TLS 1.1 installed, but XF is configured to use 1.0. Any fix for this problem?
 
I second this. I use SMTP with SparkPost, too, and this is a real problem. Swift Mailer seems to be defaulting to TLS 1.0, even though my server supports TLS 1.1 and 1.2 as well. SparkPost is refusing anything lower than 1.1. I came up with a tentative fix by altering src/vendor/swiftmailer/swiftmailer/lib/classes/Swift/Transport/StreamBuffer.php as follows:

I changed this line:

return stream_socket_enable_crypto($this->_stream, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);

To this:

return stream_socket_enable_crypto($this->_stream, true, STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);

Unfortunately, the file no longer passes the self-check. I'm wondering if there's a way to implement the change as an addon, instead. The only other fix that I can think of is to disable TLS 1.0 at the server level so it's no longer defaulted to.
 
TLS 1.0 shouldn't be used anymore because it is unsafe. Developers of software and add-ons have to update their software to use TLS 1.2, that's the only way moving forward.
 
XF Team,

How does the core code handle this? @Train Dodger stated above the mail library seems to be defaulting to TLS 1.0.

My forum uses SparkPost as the mail provider and I would like to get ahead of this as well.
 
That worked, many thanks!
 
I believe XF should push an update for this... Urgently!

I've just set up another service and after a long process and waiting for all to set up I can't send emails through that provider too because of TLS... Now that's really annoying.
 
Confirmed that it's working with this fix. But I'd like to see this without manually editing the core files.
 

from https://secure.php.net/manual/en/function.stream-socket-enable-crypto.php
Now, be careful because since PHP 5.6.7, STREAM_CRYPTO_METHOD_TLS_CLIENT (same for _SERVER) no longer means any tls version but tls 1.0 only (for "backward compatibility"...).

Before PHP 5.6.7:
STREAM_CRYPTO_METHOD_SSLv23_CLIENT = STREAM_CRYPTO_METHOD_SSLv2_CLIENT|STREAM_CRYPTO_METHOD_SSLv3_CLIENT
STREAM_CRYPTO_METHOD_TLS_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT

PHP >= 5.6.7
STREAM_CRYPTO_METHOD_SSLv23_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
STREAM_CRYPTO_METHOD_TLS_CLIENT = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
https://bugs.php.net/bug.php?id=69195

Maybe PHP version specific?
 
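The two points above (the StreamBuffer.php edit that ORs the TLS 1.1 and 1.2 flags together, and the manual note that STREAM_CRYPTO_METHOD_TLS_CLIENT has meant TLS 1.0 only since PHP 5.6.7) can be checked directly on the server. The script below is an added example, not code from XenForo, Swift Mailer, SparkPost or anyone in this thread: it decodes which protocol versions a given crypto-method bitmask actually offers on the running PHP build, and it performs the same plaintext-SMTP-then-STARTTLS upgrade Swift Mailer does so you can see which version a relay negotiates (or watch the handshake fail when only TLS 1.0 is offered). The function names and the relay hostname are mine and are placeholders.

```php
<?php
// Added example (not XenForo's or Swift Mailer's code). Assumed names:
// modernTlsClientMethod(), tlsVersionsOffered(), smtpReadReply(),
// smtpCommand(), probeStartTlsProtocol(). Replace the hostname with your relay.

/**
 * Bitmask for stream_socket_enable_crypto() that never offers TLS 1.0.
 * Since PHP 5.6.7 STREAM_CRYPTO_METHOD_TLS_CLIENT means TLS 1.0 only, so the
 * per-version flags are OR'ed explicitly. The TLS 1.3 flag only exists on
 * PHP 7.4+ built against OpenSSL 1.1.1+, hence the defined() guard.
 */
function modernTlsClientMethod($allowTls11 = false)
{
    $method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $method |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    if ($allowTls11) { // SparkPost's cut-off in the thread is 1.1; 1.1 is itself deprecated (RFC 8996)
        $method |= STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
    }
    return $method;
}

/** Names of the TLS versions a crypto-method bitmask will offer on this PHP build. */
function tlsVersionsOffered($method)
{
    $flags = array(
        'TLSv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
        'TLSv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
        'TLSv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    );
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $flags['TLSv1.3'] = STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    $offered = array();
    foreach ($flags as $name => $flag) {
        if (($method & $flag) === $flag) {
            $offered[] = $name;
        }
    }
    return $offered;
}

/** Read one SMTP reply ("250-more" lines until a "250 last" line); returns [code, lines]. */
function smtpReadReply($socket)
{
    $lines = array();
    $code = null;
    while (($line = fgets($socket, 515)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        $code = (int) substr($line, 0, 3);
        if (strlen($line) < 4 || $line[3] !== '-') {
            break; // "XYZ text" (space after the code) terminates a multi-line reply
        }
    }
    return array($code, $lines);
}

/** Send one command and require one of the expected reply codes. */
function smtpCommand($socket, $command, array $expectedCodes)
{
    fwrite($socket, $command . "\r\n");
    list($code, $lines) = smtpReadReply($socket);
    if (!in_array($code, $expectedCodes, true)) {
        throw new RuntimeException(sprintf('"%s" failed: %s', $command, implode(' / ', $lines)));
    }
    return $lines;
}

/**
 * Open a plaintext SMTP session, upgrade it with STARTTLS using $cryptoMethod
 * (the same call Swift Mailer's StreamBuffer makes) and return the protocol
 * OpenSSL negotiated, e.g. "TLSv1.2". If the relay accepts none of the offered
 * versions the handshake fails and a RuntimeException is thrown.
 */
function probeStartTlsProtocol($host, $port, $cryptoMethod, $timeout = 10)
{
    // Certificate verification stays on; a relay test is no reason to weaken it.
    $context = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    )));
    $socket = @stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, $context);
    if ($socket === false) {
        throw new RuntimeException("connect to $host:$port failed: [$errno] $errstr");
    }
    stream_set_timeout($socket, $timeout);
    try {
        list($code, $lines) = smtpReadReply($socket); // 220 greeting
        if ($code !== 220) {
            throw new RuntimeException('bad greeting: ' . implode(' / ', $lines));
        }
        smtpCommand($socket, 'EHLO ' . gethostname(), array(250));
        smtpCommand($socket, 'STARTTLS', array(220));
        if (stream_socket_enable_crypto($socket, true, $cryptoMethod) !== true) {
            throw new RuntimeException('TLS handshake failed: relay accepted none of ' . implode(', ', tlsVersionsOffered($cryptoMethod)));
        }
        smtpCommand($socket, 'EHLO ' . gethostname(), array(250)); // RFC 3207: EHLO again after STARTTLS
        $meta = stream_get_meta_data($socket); // 'crypto' key is populated on PHP 7.0+
        fwrite($socket, "QUIT\r\n");
        return isset($meta['crypto']['protocol']) ? $meta['crypto']['protocol'] : 'unknown';
    } finally {
        fclose($socket);
    }
}

// Usage from the CLI (smtp.example.test is a placeholder for your relay):
// print_r(tlsVersionsOffered(STREAM_CRYPTO_METHOD_TLS_CLIENT));            // TLS 1.0 only on PHP >= 5.6.7
// echo probeStartTlsProtocol('smtp.example.test', 587, modernTlsClientMethod()), "\n";
```

Running `tlsVersionsOffered(STREAM_CRYPTO_METHOD_TLS_CLIENT)` on a PHP 7 host shows just TLSv1.0, which is the whole reason the unpatched StreamBuffer.php breaks against a relay that rejects 1.0; running the probe once with the default constant and once with `modernTlsClientMethod()` separates a PHP-side problem from a relay-side one before any vendor file is touched. Editing the vendor file works, as the thread confirms, but as noted it fails the file health check, so the probe is mainly useful for verifying whether an official update or the server's own OpenSSL is the cause.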

Indeed, I'm running PHP 7, so that's part of the problem; PHP newer than 5.6.7 recognizes Swift Mailer's STREAM_CRYPTO_METHOD_TLS_CLIENT specifically as STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT. In fact, if I were to disable TLS 1.0 connections on the server level and left the StreamBuffer.php file in its default state, it's likely that it would attempt to use TLS 1.0 and then fail to deliver the mail.

They should patch XF 2.0 so that the mail section of the admin panel has checkboxes that let us select which versions of TLS to use for outgoing mail, altering Swift Mailer's configuration accordingly. Right now, we can select either SSLv3 or TLS, but it needs to be expanded to provide options for specific TLS versions. A lot of mail relay services are deprecating TLS 1.0 because of security vulnerabilities.

Also, if you disable TLS 1.0 at the server level, it affects all TLS connections. So, that little granny running Windows Vista and IE8, with no TLS 1.1 support? Your page is broken from her perspective. I mean, from a security standpoint, it makes sense, but you can't expect every client to be up-to-date.

Or can you? :D
 
@Chris D is this fixed in the current version of Xenforo?

Thanks,
Itworx4me
 