PHRAS-3900 Check TLS version use for email SMTP sending - TLS 1.0 of …

…1.1 deprecation (#4382) * swift tls 1.2 * add tls 1.1 and 1.2 option * tlsv1.2 by default
alchemy-fr · Oct 30, 2023 · ebe9153 · ebe9153
1 parent 2c81981
commit ebe9153
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 5 deletions.
diff --git a/lib/Alchemy/Phrasea/Application.php b/lib/Alchemy/Phrasea/Application.php
@@ -687,9 +687,20 @@ private function setupSwiftMailer()
                 );
 
                 $encryption = null;
-
-                if (in_array($app['conf']->get(['registry', 'email', 'smtp-secure-mode']), ['ssl', 'tls'])) {
-                    $encryption = $app['conf']->get(['registry', 'email', 'smtp-secure-mode']);
+                $secureMode = '';
+
+                if (in_array($app['conf']->get(['registry', 'email', 'smtp-secure-mode']), ['ssl', 'tls', 'tlsv1.1', 'tlsv1.2'])) {
+                    $secureMode = $app['conf']->get(['registry', 'email', 'smtp-secure-mode']);
+
+                    if ($secureMode == 'ssl') {
+                        $encryption = 'ssl';
+                    } else {
+                        $encryption = 'tls';
+                        if ($secureMode == 'tls') {
+                            // by default use tlsv1.2
+                            $secureMode = 'tlsv1.2';
+                        }
+                    }
                 }
 
                 $options = $app['swiftmailer.options'] = array_replace([
@@ -706,6 +717,10 @@ private function setupSwiftMailer()
                 // tls or ssl
                 $transport->setEncryption($options['encryption']);
 
+                if ($options['encryption'] == 'tls') {
+                    $transport->setStreamOptions(['ssl' =>[$secureMode => true]]);
+                }
+
                 if ($app['conf']->get(['registry', 'email', 'smtp-auth-enabled'])) {
                     $transport->setUsername($options['username']);
                     $transport->setPassword($options['password']);

diff --git a/lib/Alchemy/Phrasea/Core/Configuration/RegistryFormManipulator.php b/lib/Alchemy/Phrasea/Core/Configuration/RegistryFormManipulator.php
@@ -178,7 +178,7 @@ private function getDefaultData(array $config)
                 'smtp-auth-enabled' => false,
                 'smtp-host' => null,
                 'smtp-port' => null,
-                'smtp-secure-mode' => 'tls',
+                'smtp-secure-mode' => 'tlsv1.2',
                 'smtp-user' => null,
                 'smtp-password' => isset($config['email']['smtp-password']) ? $config['email']['smtp-password'] : null,
             ],

diff --git a/lib/Alchemy/Phrasea/Form/Configuration/EmailFormType.php b/lib/Alchemy/Phrasea/Form/Configuration/EmailFormType.php
@@ -42,7 +42,7 @@ public function buildForm(FormBuilderInterface $builder, array $options)
         ]);
         $builder->add('smtp-secure-mode', ChoiceType::class, [
             'label'        => 'SMTP encryption',
-            'choices'      => ['none' => 'None', 'ssl' => 'SSL', 'tls' => 'TLS'],
+            'choices'      => ['none' => 'None', 'ssl' => 'SSL', 'tlsv1.1' => 'TLSV1.1', 'tlsv1.2' => 'TLSV1.2'],
         ]);
         $builder->add('smtp-user', TextType::class, [
             'label'        => 'SMTP user',