Is there a good reason CI is slipping behind the times? |
Having recently rebuilt my email server, I've found that all my CI-based applications that make use of this service started having their attempts to authenticate rejected.
The fix was pretty simple... either have the server relax its minimum requirements on the encryption protocol... OR make changes in CI to facilitate using more up-to-date protocols. As there are other users that use the email server, all successfully (in spite of now being restricted to nothing less than TLSv1.3)... I'd prefer to leave the server's minimum protocol as it currently stands at TLSv1.3, and change the CI applications to bring them in line with the rest of the user's capabilities. The changes to CI, unfortunately, are easiest made in the CI system files... and only involve a trivial modification to ./system/Email/Email.php (line 1886 in v4.3.1, see the bit added in red): 1886: STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT So my question is: is there some good reason that I can't think of as to why TLSv1.3 has been excluded from the protocols that CI supports (given that it's been supported since PHP 7.4.0 - see: https://prototype.php.net/manual/en/func...crypto.php)... that I need to consider before I go live with the above hack to the CI system files?
None that I'm aware. The real world answer is that we hadn't noticed, yet, and no had submitted a bug report or PR.
Would you mind submitting a PR so that it will be fixed in future versions?
Great, thank you Kilishan.
It's already in the latest revision code?!... nice! Thanks Kenjis.
Yes, it is included in v4.3.3.
See https://codeigniter.com/user_guide/chang...l#security |
Welcome Guest, Not a member yet? Register Sign In |