SMTP TLS Version

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
TimePlan
Posts: 16
Joined: Fri Sep 14, 2018 1:19 am

SMTP TLS Version

Post by TimePlan »

Hi,

Is there any way to manage what version of TLS Nagios Log Server will use to send emails?
The unique host report seems to send with TLS 1.0 and I would like to change it to TLS 1.2.

We are using Office365 as SMTP server.
ssax
Dreams In Code
Posts: 7682
Joined: Wed Feb 11, 2015 12:54 pm

Re: SMTP TLS Version

Post by ssax »

What PHP version are you using?

php -v

I think you need to be on PHP 5.6.8 or higher for TLS 1.2.

Given this:

https://github.com/bcit-ci/CodeIgniter/ ... c375b806a2

I don't think the current library we use supports it as it's missing that code:

/var/www/html/nagioslogserver/system/libraries/Email.php
TimePlan
Posts: 16
Joined: Fri Sep 14, 2018 1:19 am

Re: SMTP TLS Version

Post by TimePlan »

Thank you for the quick reply.

Our Nagios server is indeed running PHP v5.4.16.
Is 5.6 preferred or can I update to PHP v7 or 8?
TimePlan
Posts: 16
Joined: Fri Sep 14, 2018 1:19 am

Re: SMTP TLS Version

Post by TimePlan »

Upgraded to PHP 5.6.40 and that did not change the TLS version /:
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: SMTP TLS Version

Post by cdienger »

I've tested this and can confirm that NLS is able to use TLSv1.2 on a minimal CentOS 7 install without upgrading the PHP package.

What OS are you using?

Can you provide a screenshot of your mail settings?

How are you determining that TLS 1.0 is being used?

Do you see TLS 1.0 being used when you send a test email under Admin > General > Mail Settings ?
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
TimePlan
Posts: 16
Joined: Fri Sep 14, 2018 1:19 am

Re: SMTP TLS Version

Post by TimePlan »

OS:
CentOS Linux release 7.9.2009 (Core)

php:
PHP 5.6.40 (cli) (built: Jan 4 2021 16:12:31)

Initial discovery was by an O365 security report,
then I started looking at the mail header of the last NLS reports and it states:

received: from nagioslog.dk.timeplan-software.com (x.x.x.x) by AS8PR04CA0057.eurprd04.prod.outlook.com (2603:10a6:20b:312::32) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id 15.20.3784.12 via Frontend Transport; Fri, 22 Jan 2021 08:08:43 +0000

Attached screenshot of mail settings on NLS
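An added example, not part of the original thread or of Nagios Log Server: one way to repeat the header check described in the post above across a saved message, flagging any hop whose Received header records a TLS version below 1.2. It assumes the `version=TLSx_y, cipher=...` format shown in the quoted header; the function names, host names and addresses are hypothetical, and the sample message is constructed.

```python
import re
from email import message_from_string

# Constructed sample: the first header copies the format quoted in the thread;
# host names and addresses are placeholders.
SAMPLE = """\
Received: from nagioslog.example.com (192.0.2.10) by
 MAILHOST.example.outlook.com (2001:db8::32) with Microsoft SMTP Server
 (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) id 15.20.3784.12
 via Frontend Transport; Fri, 22 Jan 2021 08:08:43 +0000
Received: from relay.example.com (192.0.2.20) by
 MAILHOST.example.outlook.com (2001:db8::33) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
 id 15.20.3784.12; Fri, 22 Jan 2021 08:08:44 +0000
Received: from localhost (127.0.0.1) by relay.example.com with SMTP;
 Fri, 22 Jan 2021 08:08:42 +0000
Subject: Unique host report

body
"""

TLS_RE = re.compile(r"version=TLS(\d+)_(\d+)(?:,\s*cipher=(\w+))?")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
MIN_VERSION = (1, 2)  # assumed policy floor: TLS 1.2

def audit_received(raw_message, minimum=MIN_VERSION):
    """Return one dict per Received hop with TLS version, cipher and verdict."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        flat = " ".join(value.split())  # unfold continuation lines
        sender, tls = FROM_RE.search(flat), TLS_RE.search(flat)
        if tls is None:  # this hop did not record TLS details
            version, cipher, verdict = None, None, "no-tls-info"
        else:
            version = (int(tls.group(1)), int(tls.group(2)))
            cipher = tls.group(3)
            verdict = "ok" if version >= minimum else "below-minimum"
        hops.append({"from": sender.group(1) if sender else None,
                     "version": version, "cipher": cipher, "verdict": verdict})
    return hops

def weak_hops(raw_message, minimum=MIN_VERSION):
    """Hops whose recorded TLS version is below the minimum."""
    return [h for h in audit_received(raw_message, minimum)
            if h["verdict"] == "below-minimum"]

if __name__ == "__main__":
    for hop in audit_received(SAMPLE):
        print(hop)
```

Running it over a report mail received after a change to the mail settings or to Email.php shows whether the hop from the log server now records TLS1_2.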
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: SMTP TLS Version

Post by cdienger »

Switch the 'SMTP Security' to SSL, test again and let me know the results. Despite the 'SSL' label I believe it will still attempt TLS and this is how I tested with success.
TimePlan
Posts: 16
Joined: Fri Sep 14, 2018 1:19 am

Re: SMTP TLS Version

Post by TimePlan »

When changing to SSL I get this error when pressing "Test Settings" (see attached img)
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: SMTP TLS Version

Post by cdienger »

Edit /var/www/html/nagioslogserver/system/libraries/Email.php and on line 2071 you'll find:

$crypto = stream_socket_enable_crypto($this->_smtp_connect, TRUE, STREAM_CRYPTO_METHOD_TLS_CLIENT);

STREAM_CRYPTO_METHOD_TLS_CLIENT restricts the version to TLS1.0 with php higher than 5.6.7. Try changing it to:

$crypto = stream_socket_enable_crypto($this->_smtp_connect, TRUE, STREAM_CRYPTO_METHOD_ANY_CLIENT);

and test again. You may also want to test with these options:

STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
TimePlan
Posts: 16
Joined: Fri Sep 14, 2018 1:19 am

Re: SMTP TLS Version

Post by TimePlan »

This seems to have done the trick:

$crypto = stream_socket_enable_crypto($this->_smtp_connect, TRUE, STREAM_CRYPTO_METHOD_ANY_CLIENT);

Thank you very much :)

Do you know if this file will/can be overwritten in a NLS update?