Closed JacobBrownAustin closed 6 years ago
@joanhe and/or @buskamuza can you review this pull request or assign it to someone who can, please? Thank you! :-)
The discussion about the TLS version approval can be found in the Jira task here : https://magento2.atlassian.net/browse/MAGECLOUD-2521
Also, I should add this comment here since it is important: Piotr Kaminski says we should keep TLS 1.1 for 2.1.x / 2.2.x TLS 1.2+ for 2.3.x
https://magento2.atlassian.net/browse/MAGECLOUD-2521
Since PHP version 5.6.7, STREAM_CRYPTO_METHOD_TLS_CLIENT changed to mean only TLS version 1.0. Our use of this constant has caused these TLS connections to no longer work in a world where TLS 1.0 and 1.1 are now disabled for most services. In this pull request, I have replaced the use of that constant with STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT. This will require version 1.2 of TLS.
(Note that currently PCI only supports version 1.2 of TLS. All other versions of TLS, and any version of SSL are required to be disabled by PCI.)
In the future, when TLS 1.3 is released, we will have to update this to also include STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT.
Testing/Verifying this patch:
Because I couldn't find an open or free TLS testing service, to test and verify this patch against SMTP, I made this phpunit file that can run to verify the functionality of this patch.
All it does is try to connect to SparkPost Mail's SMTP server, which doesn't support TLS 1.0, so it requires this patch. It then tries to send an email, but fails, because I didn't want to put my real test account credentials in there. So the test verifies that it fails because of an authentication error instead of failing because of a TLS error.
To run it, download this file and add it to the root of your cloud environment: https://github.com/magento-cloud/magento-cloud-misc/blob/master/users/jacob/MAGECLOUD-2521/test-smtp-tls-sparkmail.php Also, make sure to add PHPUnit to your cloud environment by running this command.
composer require phpunit/phpunit
Then add it all and push.
git add composer.lock composer.json test-smtp-tls-sparkmail.php ; git commit -m 'adding test for SMTP TLS' ; git push
Once your cloud environment has redeployed, ssh into it and run
phpunit test-smtp-tls-sparkmail.php
If you have the patch applied, it will succeed without failures. If you don't have this patch applied, it will fail. Note that this test will not work with PHP 7.2, because in PHP 7.2, they switched the TLS constants again, so it will silently connect with TLS 1.2 when using PHP 7.2.
Note that this test only tests SMTP and does not test the other affected protocols, POP3, IMAP, and HTTP proxy adaptor.
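As an added illustration (not code from this pull request or from Magento), the following helper builds the TLS method bitmask the PR argues for (TLS 1.2 only, plus TLS 1.3 where the PHP build defines that constant) and drives a plain SMTP STARTTLS handshake so the negotiated protocol can be inspected. It assumes PHP 7.0+; the host, port and function names are illustrative.

```php
<?php
// Added example, not part of the PR: selects the TLS versions offered by
// stream_socket_enable_crypto() and reports what an SMTP server negotiated.

function strictTlsClientMethod(): int
{
    // STREAM_CRYPTO_METHOD_TLS_CLIENT is the weak choice: on PHP 5.6.7 - 7.1 it
    // selects only TLS 1.0, which most servers now refuse. Start from 1.2 instead.
    $method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    // OR in TLS 1.3 only when the runtime defines the constant (PHP 7.4+).
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $method |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    return $method;
}

function readSmtpReply($fp): string
{
    // SMTP replies may span several lines; continuation lines carry '-' after the 3-digit code.
    $reply = '';
    while (($line = fgets($fp, 512)) !== false) {
        $reply .= $line;
        if (strlen($line) < 4 || $line[3] !== '-') {
            break;
        }
    }
    return $reply;
}

function smtpStartTlsProtocol(string $host, int $port = 587): string
{
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    readSmtpReply($fp);                          // 220 greeting
    fwrite($fp, "EHLO client.example.invalid\r\n");  // hostname is a placeholder
    readSmtpReply($fp);
    fwrite($fp, "STARTTLS\r\n");
    if (strpos(readSmtpReply($fp), '220') !== 0) {
        throw new RuntimeException('STARTTLS refused by server');
    }
    // This is the call the PR changes: the method bitmask decides which TLS versions are offered.
    if (stream_socket_enable_crypto($fp, true, strictTlsClientMethod()) !== true) {
        throw new RuntimeException('TLS handshake failed: ' . (error_get_last()['message'] ?? 'unknown'));
    }
    // PHP 7.2+ exposes the negotiated protocol (e.g. "TLSv1.2"); older builds lack the 'crypto' key.
    $meta = stream_get_meta_data($fp);
    fwrite($fp, "QUIT\r\n");
    fclose($fp);
    return $meta['crypto']['protocol'] ?? 'unknown (PHP < 7.2)';
}
```

Running `smtpStartTlsProtocol('smtp.example.invalid')` against a server that only offers TLS 1.0 throws at the handshake step, which is the failure mode the PR fixes; against a TLS 1.2 server it returns the negotiated version.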