TLS 1.0 when sending mails through PHPMailer?

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
tmvision
Posts: 32
Joined: Fri Dec 01, 2017 8:15 am

TLS 1.0 when sending mails through PHPMailer?

Post by tmvision »

Hi,

We are currently using smtp.office365.com for sending mails from Nagios XI. As Microsoft is soon removing support for older versions of TLS we have received a notification that the mails sent from Nagios are transported over a connection secured by TLS 1.0.
Is this correct?
If so, how do we remedy this?

I have done some digging myself, based on a hunch that this could be linked to the old version of PHP shipped with CentOS.
I found that PHPMailer uses stream_socket_enable_crypto (docs) for securing the connection, but as we are using PHP 5.4 the most secure flag available is STREAM_CRYPTO_METHOD_TLS_CLIENT. This appears to lead to a call to TLSv1_client_method() (PHP 5.4.16 source), which I believe is for negotiating a TLS 1.0 connection.

If this is correct (and I may very well have taken a wrong turn) the most obvious solution would be moving to a newer PHP release.
Is upgrading the installed version of PHP officially supported, or are we better off looking to sendmail for future delivery of mail?


Nagios XI version: 5.6.5
XI installed from: source
CentOS Linux release 7.6.1810 (Core) 
PHP Version: 5.4.16
E:
On further inspection, changing the flag in /usr/local/nagiosxi/html/includes/phpmailer/class.smtp.php from STREAM_CRYPTO_METHOD_TLS_CLIENT to STREAM_CRYPTO_METHOD_SSLv23_CLIENT may lead to calling SSLv23_client_method(), which is the "version-flexible" according to the manpages. I will report back when I can see whether this fixes our problem.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: TLS 1.0 when sending mails through PHPMailer?

Post by benjaminsmith »

Hi @tmvision,
If so, how do we remedy this?
After doing a bit of research on this issue, PHPMailer support is dictated by the version of openssl on the server, and my understanding is that it will automatically negotiate at the highest level. If you're running CentOS the base version of openssl will support TLS 1.2

See: What version of TLS does PHPMailer support?

That said, take a look at this thread below regarding this issue:
just confirmed with my colleagues that to force TLS1.2 you need to be running PHP 5.6+
See: Notifications not being received

However, upgrading php on CentOS is not a straightforward process, but can be done. The other option is to migrate the server to a less conservative distribution such as Ubuntu Server which supports PHP7.

Let us know if you have any questions.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.

Be sure to check out our Knowledgebase for helpful articles and solutions!
tmvision
Posts: 32
Joined: Fri Dec 01, 2017 8:15 am

Re: TLS 1.0 when sending mails through PHPMailer?

Post by tmvision »

Hi Benjamin,

Thank you for your reply.
After doing a bit of research on this issue, PHPMailer support is dictated by the version of openssl on the server, and my understanding is that it will automatically negotiate at the highest level. If you're running CentOS the base version of openssl will support TLS 1.2
The TLS-support of PHP is decided by the version of openssl, but PHPMailer has to set the right arguments for the call to stream_socket_enable_crypto.
On PHP 5.4 PHPMailer only sets the flag STREAM_CRYPTO_METHOD_TLS_CLIENT as STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT isn't defined before PHP 6.5 (see source and documentation).

This does not negotiate the highest level, but requests a TLS 1.0 connection specifically (as far as I can tell - I believe this is the switch-statement which decides on the type of the connection).
just confirmed with my colleagues that to force TLS1.2 you need to be running PHP 5.6+
Our problem wasn't that TLS 1.2 wasn't forced, but rather that it wasn't available at all. Changing the flag to STREAM_CRYPTO_METHOD_SSLv23_CLIENT appears to have solved this issue.

Would you consider making this change (or similar) part of the official distribution to allow all customers on CentOS to send mails through TLS 1.2? We would prefer not having to apply manual changes to source files to fix this after each update :)
This solution has the drawback of potentially enabling older protocols as well, but being stuck on TLS 1.0 isn't desirable. Still, I am not sure if this change has the desired effect on all versions of PHP or if it is 5.4-specific.

Let me know what you think. In any case our immediate issue has been resolved :)
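To check what each crypto-method flag discussed above actually yields after STARTTLS, the following is an added diagnostic sketch, not code from the thread, from PHPMailer or from Nagios XI. The function names `smtp_read` and `probe` and the EHLO name `tlscheck.invalid` are made up for this example; the mail host is passed on the command line.

```php
<?php
// Added diagnostic, not from the thread. Usage: php tlscheck.php HOST [PORT]
function smtp_read($fp) {
    // Read one SMTP reply; continuation lines carry '-' as the 4th character.
    $reply = '';
    while (($line = fgets($fp, 515)) !== false) {
        $reply .= $line;
        if (strlen($line) < 4 || $line[3] !== '-') {
            break;
        }
    }
    return $reply;
}

function probe($host, $port, $flagName) {
    if (!defined($flagName)) {
        return 'not defined on PHP ' . PHP_VERSION;
    }
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10);
    if ($fp === false) {
        return "connect failed: $errstr";
    }
    stream_set_timeout($fp, 10);
    smtp_read($fp);                              // 220 greeting
    fwrite($fp, "EHLO tlscheck.invalid\r\n");    // constructed client name
    smtp_read($fp);
    fwrite($fp, "STARTTLS\r\n");
    if (strpos(smtp_read($fp), '220') !== 0) {
        fclose($fp);
        return 'server refused STARTTLS';
    }
    $ok = @stream_socket_enable_crypto($fp, true, constant($flagName));
    $meta = stream_get_meta_data($fp);
    fclose($fp);
    if ($ok !== true) {
        return 'handshake failed';
    }
    // Not every PHP version exposes the 'crypto' metadata; fall back to "ok".
    return isset($meta['crypto']['protocol'])
        ? 'negotiated ' . $meta['crypto']['protocol']
        : 'handshake ok (protocol not exposed by this PHP version)';
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $port = isset($argv[2]) ? (int) $argv[2] : 587;
    foreach (array('STREAM_CRYPTO_METHOD_TLS_CLIENT', 'STREAM_CRYPTO_METHOD_SSLv23_CLIENT',
                   'STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT') as $name) {
        printf("%-38s %s\n", $name, probe($argv[1], $port, $name));
    }
}
```

Where the PHP build does not report the negotiated protocol, run the probe against a server that accepts only TLS 1.2: a flag that is pinned to TLS 1.0 then shows up as a failed handshake.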
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: TLS 1.0 when sending mails through PHPMailer?

Post by benjaminsmith »

Hello @tmvision,
Let me know what you think. In any case our immediate issue has been resolved :)
I discussed this with our lead developer, and the recommended solution is to upgrade PHP itself rather than making changes to PHPMailer (as this will affect our ability to upgrade this package).

Let me know if you have any questions.
tmvision
Posts: 32
Joined: Fri Dec 01, 2017 8:15 am

Re: TLS 1.0 when sending mails through PHPMailer?

Post by tmvision »

Hi Benjamin,
the recommended solution is to upgrade PHP itself
That sounds reasonable. Should we expect this upgrade to come with a future version of Nagios XI, or will this be a manual procedure (either with official support/documentation or "at your own risk")?
rather than making changes to PHPMailer (as this will affect our ability to upgrade this package).
As far as I can tell PHPMailer 5.2 won't receive any further updates so this probably won't be an issue ;) At least not until PHP is upgraded to 5.5+, allowing PHPMailer 6 to be used instead.
benjaminsmith
Posts: 5324
Joined: Wed Aug 22, 2018 4:39 pm
Location: saint paul

Re: TLS 1.0 when sending mails through PHPMailer?

Post by benjaminsmith »

Hello @tmvision,
That sounds reasonable. Should we expect this upgrade to come with a future version of Nagios XI, or will this be a manual procedure (either with official support/documentation or "at your own risk")?
It's dependent upon which distribution you use with Nagios XI. Currently, CentOS installs php 5.4.x and Ubuntu 18 installs php 7.2x (see: this). We develop, test and support base installations (default packages and repos provided by the operating system vendor).

If you need to upgrade CentOS, please see the following forum post:

Updating PHP on Nagios

Let me know if you have any other questions.