codeigniter4 / CodeIgniter4

Open Source PHP Framework (originally from EllisLab)
https://codeigniter.com/
MIT License

Bug: Email service does not use latest TLS 1.3 #7316

Closed fliodhais closed 1 year ago

fliodhais commented 1 year ago

PHP Version

7.4

CodeIgniter4 Version

4.1.1

CodeIgniter4 Installation Method

Manual (zip or tar.gz)

Which operating systems have you tested for this bug?

Windows, Linux

Which server did you use?

apache

Database

No response

What happened?

Was scanning my project with a data analysis tool, SonarCloud, and it highlighted that the system's email's stream_socket_enable_crypto function's crypto method was using TLS 1.0 | 1.1 | 1.2 and did not have TLSv1.3 (the latest supported version for PHP >7.4 as per documentation).

Steps to Reproduce

system/email/email.php ln 2103

$crypto = stream_socket_enable_crypto(
    $this->SMTPConnect,
    true,
    STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
);

Expected Output

$crypto = stream_socket_enable_crypto(
    $this->SMTPConnect,
    true,
    STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT
);

Anything else?

I'm not sure how the "|" operator works. Is it supposed to be the OR operator, typically "||", or is it that the function will automatically select the latest/most secure option of the choices we provide to it?

kenjis commented 1 year ago

Thank you for reporting. Please check #7317

kenjis commented 1 year ago

| is a Bitwise Operator. See https://www.php.net/manual/en/language.operators.bitwise.php
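
How the `|` in the call above behaves, as an added example (not code from CodeIgniter or from the commenters; `tlsClientFlags`, `enabledTlsVersions` and `maskFromMinimum` are hypothetical helper names): the constants are bit flags, `|` merges them into one mask of allowed protocol versions, and the TLS handshake then negotiates the highest version both ends support. The last mask goes beyond the issue and allows only TLS 1.2 and newer, since RFC 8996 deprecates TLS 1.0 and 1.1.

```php
<?php
declare(strict_types=1);

/** Label => flag for the client-side TLS constants this PHP build defines. */
function tlsClientFlags(): array
{
    $flags = [
        'TLSv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
        'TLSv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
        'TLSv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    ];
    // The TLS 1.3 constant only exists on PHP >= 7.4, so look it up by name.
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $flags['TLSv1.3'] = constant('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT');
    }
    return $flags;
}

/** List the protocol versions that a crypto-method bitmask allows. */
function enabledTlsVersions(int $mask): array
{
    $enabled = [];
    foreach (tlsClientFlags() as $label => $flag) {
        // Compare against the whole flag: the *_CLIENT constants share a
        // "client" bit, so a plain non-zero test would match every version.
        if (($mask & $flag) === $flag) {
            $enabled[] = $label;
        }
    }
    return $enabled;
}

/** Build a mask that allows only versions >= $minimum, e.g. 'TLSv1.2'. */
function maskFromMinimum(string $minimum): int
{
    $mask = 0;
    foreach (tlsClientFlags() as $label => $flag) {
        $mask |= strcmp($label, $minimum) >= 0 ? $flag : 0;
    }
    return $mask;
}

// The mask quoted in the issue, the proposed one, and a TLS 1.2+ mask.
$current  = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
$proposed = $current | (tlsClientFlags()['TLSv1.3'] ?? 0);
$masks    = ['current' => $current, 'proposed' => $proposed, 'min 1.2' => maskFromMinimum('TLSv1.2')];
foreach ($masks as $name => $mask) {
    printf("%-9s %s\n", $name, implode(', ', enabledTlsVersions($mask)));
}
```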