Welcome Guest, Not a member yet? Register   Sign In
TLS version of Email Library

Ubuntu: 16.04 
Apache:  Apache/2.4.18 (Ubuntu)
CI: 3.1.6

I am using the built in library Email function in CI.  Just a question for anyone who might know... Is it TLS1.2?

 The emails are sent out through Microsoft Office365, and they have sent this motification that they will be stopping support:

Quote:we are moving all of our online services to Transport Layer Security (TLS) 1.2+. As a result, we will be removing support for TLS versions less than 1.2 from our online services, beginning March 1, 2018.

Any idea how i might be go about finding out the TLS version that the CodeIgniter Library is sending? 

TLS is the real name for SSL. The CI Email library is perfectly capable of using SSL... er... TLS. It's a matter of config settings. That and having server supports for TLS.

(This post was last modified: 01-17-2018, 02:55 AM by Narf.)

(01-16-2018, 03:08 PM)dave friend Wrote: TLS is the real name for SSL.

It's not quite that way.

You will sometimes see people insisting on saying TLS as opposed to SSL, and that's correct, but only because it is the successor of SSL and has already entirely replaced it, to the point where it's considered a vulnerability if you're still using actual SSL today.

People using the two names interchangeably (and actually thinking they're the same) is really a testament to how smooth and transparent the transition has been, and that's on a scale of the entire freaking internet. Big Grin

I checked my domain with https://www.ssllabs.com/ssltest/

it says my domain is compatible with TLS1.2, so I suppose I am okay.

Guess this wasn't a CI question - Thanks everyone for your help!

(01-17-2018, 07:28 AM)Juicepig Wrote: I checked my domain with https://www.ssllabs.com/ssltest/

it says my domain is compatible with TLS1.2, so I suppose I am okay.  

Guess this wasn't a CI question - Thanks everyone for your help!

That's for HTTP though, which is handled by your web server (Apache, nginx, etc.) and not PHP.

The server that you're running certainly supports TLS 1.2 - I wouldn't question that unless you're running a decade old OS that was never updated. The question is whether PHP's exposed userland functions actually use it. And the answer is ... complicated.

For SMTP, the library opens a connection via fsockopen(). And if you configure smtp_crypto to be 'tls', the connection will be altered via stream_socket_enable_crypt() and STREAM_CRYPTO_METHOD_TLS_CLIENT: https://github.com/bcit-ci/CodeIgniter/b....php#L2048

And the problem is that this STREAM_CRYPTO_METHOD_TLS_CLIENT has changed its values between PHP versions ... a lot, and even in patch versions.

Here's what 3v4l.org shows:

Quote:Output for 5.6.0 - 5.6.6, hhvm-3.10.1 - 3.22.0, 7.2.0 - 7.2.1
Output for 5.6.7 - 5.6.30, 7.0.0 - 7.1.13
Output for 5.1.0 - 5.5.38

57 means that any of TLS 1.0, 1.1 and 1.2 could be used, depending on negotiation with the server.
9 means TLS 1.0 only.
3 means SSL 2.0 only - that's entirely broken and there aren't even other constants as options before PHP 5.6.

What has happened with PHP here is an example of bad programming in the past causing huge problems in the future ...

1. Someone did mistake TLS to be SSL, and even worse than that - hard-coded TLS to alias SSL 2.0, while TLS is based on SSL 3.0, so that's 2 problems here.
2. Years later, both mistakes were corrected in one go with the release of PHP 5.6.0.
3. Users complained that their software broke - the fix was reverted, or at least altered to a compromise. That is ... it wasn't reverted to SSL 2.0, but I guess restricting it to TLS 1.0 somehow fixed all the broken apps - I'm not intimately familiar with the protocol's inner workings, so I can't explain how/why that has worked.
4. PHP 7.2 (released a month ago) finally fixed the problem for good, even aliasing 'ssl://' to 'tls://' now, because nobody should be using SSL today.


So, there you have it ...

To be fair, you shouldn't have to know or deal with all of this, but unfortunately it's not an easy situation for CI to deal with either. We'll probably patch it, the question is with what exactly.

Theme © iAndrew 2016 - Forum software by © MyBB