MAGECLOUD-2521: Use TLS 1.2 #16
Conversation
|
|
|
@joanhe and/or @buskamuza can you review this pull request or assign it to someone who can, please? Thank you! :-) |
|
The discussion about the TLS version approval can be found in the Jira task here : https://magento2.atlassian.net/browse/MAGECLOUD-2521 |
|
Also, I should add this comment here since it is important: |
| STREAM_CRYPTO_METHOD_SSLv3_CLIENT, | ||
| STREAM_CRYPTO_METHOD_SSLv23_CLIENT, | ||
| STREAM_CRYPTO_METHOD_SSLv2_CLIENT | ||
| // TODO: Add STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT in the future when it is supported by PHP |
There was a problem hiding this comment.
Must we really force TLS 1.2 on the client side?
There was a problem hiding this comment.
The best response is to disable SSL entirely and migrate to a more modern encryption protocol, which at the time of publication is a minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2
@kandy , @piotrekkaminski agreed to TLS 1.2 for Magento 2.3.
As far as client vs server. I skimmed through PCI DSS and that PCI information supplement I've linked to above, and I haven't seen it make a distinction for different versions based on whether or not we are creating the TLS or receiving it. From what I can tell, it seems that PCI wants ALL TLS connects to be either TLS 1.1 or 1.2, but "strongly encourages" 1.2.
I'm not a lawyer, and I've only skimmed through the document, so if I am misinterpreting this, please let me know and we can make corrections.
| STREAM_CRYPTO_METHOD_SSLv3_CLIENT, | ||
| STREAM_CRYPTO_METHOD_SSLv23_CLIENT, | ||
| STREAM_CRYPTO_METHOD_SSLv2_CLIENT | ||
| // TODO: Add STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT in the future when it is supported by PHP |
There was a problem hiding this comment.
Not supporting other old modes, is this approved by PO? Have you run build to make sure this is not causing any problem?
https://magento2.atlassian.net/browse/MAGECLOUD-2521
Since PHP version 5.6.7,
STREAM_CRYPTO_METHOD_TLS_CLIENTchanged to mean only TLS version 1.0. Our use of this constant has caused these TLS connections to no longer work in a world where TLS 1.0 and 1.1 are now disabled for most services.In this pull request, I have replaced the use of that constant with STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT . This will require version 1.2 of TLS.
(Note that currently PCI only supports version 1.2 of TLS. All other versions of TLS, and any version of SSL are required to be disabled by PCI.)
In the future, when TLS 1.3 is released, we will have to update this to also include STREAM_CRYPTO_METHOD_TLSv1_3._CLIENT
Testing/Verifying this patch:
Because I couldn't find an open or free TLS testing service, to test and verify this patch against SMTP, I made this phpunit file that can run to verify the functionality of this patch.
All it does is try to Spark Post Mail's SMTP server, which doesn't support TLS 1.0, so it requires this patch. It then tries to send an email, but fails, because I didn't want to put my real test account credentials in there. So the test verifies that it fails because of Authentication error instead of failing because of TLS error.
To run it, download this file and add it to the root of your cloud environment.
https://github.com/magento-cloud/magento-cloud-misc/blob/master/users/jacob/MAGECLOUD-2521/test-smtp-tls-sparkmail.php
Also, make sure to add php unit to your cloud environment by running this command.
composer require phpunit/phpunitThen add it all and push.
git add composer.lock composer.json test-smtp-tls-sparkmail.php ; git commit -m 'adding test for SMTP TLS' ; git pushOnce your cloud environment had redeployed, ssh into it and run
phpunit test-smtp-tls-sparkmail.phpIf you have the patch applied , it will succeed without failures. If you don't have this patch applied, it will fail.
Note that this test will not work with PHP 7.2, because in PHP 7.2, they switched the TLS constants again, so it will silently connect with TLS 1.2 when using PHP 7.2.
Note that this test only tests SMTP and does not test the other affected protocols, POP3, IMAP, and HTTP proxy adaptor.