Our mail server due to security changes no longer takes anything below TLS 1.3 for the connections.
It appears suite CRM Version 7.10.33 requires TLS 1.2 to work. This is a major security issues as TLS 1.2 has known security issues. Our SuiteCRM server is now crippled and can’t send emails.
Any ideas on a fix?
Ok here is what I am finding so far, but I do not have a solution on how to fix it.
Our mail server’s OS applied an update that completely disables TLS 1.2 from the list of allowed security protocols. It appears this was done because the TLS 1.2 and older protocols are severely compromised. Our mail server pulls its allowed security protocols from the OS settings by default. - If we go in to our email servers settings, and override telling it not to pull it’s protocol handling from the OS we can tell it to allow TLS 1.2. Doing so allows emails to start sending again through SuiteCRM. Our security team will not allow us to run the broken TLS 1.2 anymore. We need a fix where the SuiteCRM SMTPMailer works with TLS 1.3+
Connection failed. Error #2: stream_socket_client(): Failed to enable crypto [/var/www/suitecrm/vendor/phpmailer/phpmailer/src/SMTP.php line 388]
What version of PHP are you using?
Both versions of Suite are using the latest PHPMailer library (https://github.com/salesagility/SuiteCRM/blob/7.10.x/composer.lock#L1726)
As far I can figure out OpenSSL relies on the PHP to establish the TLS to use based on the reading answers,
I suspect upgrading it you can then set the PHP to only use 1.3 in PHP 7.4 and later, so I’m not sure if you can set it in earlier versions that would then filter down into the applications on it
… A little more detail and re-readin the above StackOverflow answer, one path is to explicitly state you want to use
STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT in the PHPMailer’s src code within Suite. The problem of course is that as it’s in the vendor folder your changes would get overwritten everytime you upgrade SuiteCRM.
It may be beneficial to ask your question directly to the PHPMailer github and see if they can offer any configuration to explicitly set TLS 1.3
Thanks for your response. We are running PHP 7.4 we upgraded from PHP 7.3 when the issue started. We were hoping to see if that would fix the issue, and it did not. From what we are seeing in the mail servers logs is when TLS 1.2 and 1.3 are offered the SMTP mailer only tries the 1.2. When only TLS 1.3 is offered the response tries TLS 1.2 anyway and is refused. I am expecting more people with start having this issue as TLS 1.2 increases in it’s deprecation of the next few months. I read the posted link, but have yet to figure out how to fully fix the issue.
The bigger issues is there is no reference to STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT in any of the
files in the /var/www/suitecrm/vendor/phpmailer/phpmailer/src/ folders. It appears that our install of Version 7.10.33 is not getting files that are up to date.
Any ideas on why that would be the case?
No there isn’t STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT in your suitecrm/vendor/phpmailer/phpmailer/src/ as it doesn’t appear in the actual PHPMailer library itself (which Suite uses)
The closest it states is that it uses the latest. Reach out to them (PHPMailer) and they should help you as well. If SuiteCRM project needs to adjust then we’ll follow their direction.
The phpmailer was responding in a non traditional way and our email server was not accepting it even though it was with-in the accepted parameters for TLS 1.3. When TLS 1.2 was enabled it allowed for the broader validations . The mail server dev’s expanded their TLS 1.3 implementation to support the broader acceptable parameters. Long story short it was a bug in the mail server, and not the phpmailer.