Recently the 3rd party email service provider I was using made a change. They disabled support for TLS 1.0 and TLS 1.1.
I provide support for an ancient system that still uses php 5.3 and phpmailer 5.2.
My tests indicates that TLS 1.2 is enabled.
But, the PHPMailer code cannot connect to the email server after the disabling of TLS 1.0 and 1.1
Also, note that I am not a full time php expert.
Is there a way to make PHPMailer 5.2 use tls 1.2?
Look for constant STREAM_CRYPTO_METHOD_TLS_CLIENT in file class.smtp.php and update that to STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
Like this:
public function startTLS()
{
if (!$this->sendCommand('STARTTLS', 'STARTTLS', 220)) {
return false;
}
// Begin encrypted connection
if (!stream_socket_enable_crypto(
$this->smtp_conn,
true,
STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
)) {
return false;
}
return true;
}
You should run phpinfo() in a small php script on your server to make sure TLS 1.2 is available in the first place.
It's not up to PHPMailer, its up to the version of PHP that you're using to run it, so the solution is to update your PHP version. The major changes relating to TLS were largely in PHP 5.6, so upgrading to that would be a good intermediate point if you're really stuck with this legacy version.
Related
I need to check avalara TLS 1.2 compliance, But I didn't find any documentation
Could someone let me know the procedure to check compliance
TLS is part of JRE security settings not related with hybris. You can check your JRE security configuration. Up to date JRE distributions supporting TLS 1.2 and old versions already disabled.
You can checkyour configuration in hac via groovy script. For example my web page supporting TLS 1.2 and 1.3.
URL url = new URL("http://mkysoft.com/ip.php");
HttpURLConnection connection = (HttpURLConnection) url.openConnection();
InputStream is = connection.getInputStream();
return org.apache.commons.io.IOUtils.toString(is);
If you want to test other TLS/SSL/certificate/handshake options check https://badssl.com/ for alternative test endpoints.
When deploying a Corda 4.0 CorDapp to UAT, must the Jar be signed?
We have tried using devMode = true - which causes the node to recognize the flows in the CorDapp, but when we set devMode to false it seems the node is unable to recognize the CorDapp.
This could be because the JAR has been signed using the default development key. This is the case when devMode is set to true in your build.gradle.
If this is the case you need to add cordappSignerKeyFingerprintBlacklist=[] to the node.conf. If devMode=false, the Corda development key is blacklisted as it's completely insecure. This is suitable for PoC purposes only, NOT PRODUCTION.
The correct fix is to sign the app with a your 'own' key.
You can also switch off Jar signing when building the CorDapp by setting cordapp { signing { enabled false } } in the build.gradle, which should cause it not to be signed.
More information can be found here: https://docs.corda.net/cordapp-build-systems.html#signing-the-cordapp-jar
Our application hosted on Google App Engine Node.js (Flexible Environment). We are now under review of security inspection and failing on the issue that Google App Engine supports TLS 1.0 and 1.1 versions.
Is there a way to enforce the use of only TLS 1.2? And also block ciphers that are below 128 bit?
So I also came up against this problem...and found that GCP weren't that helpful. They'll helpfully restrict at a domain level if a support ticket is put forwards....which resolves the security concern...but you'll still get false positives which need explaining at every penetration test (the GAE shared IPs accept other version of TLS for other domains).
For a nice clean solution; use Cloudflare for your DNS. They essentially act as a middleman/web application firewall. Amongst other things (free certificates, WAF, DDOS mitigation, CDN, HTTPS force, HSTS etc etc etc), you're able to set the minimum TLS version as you wish. Mine is now minimum TLS 1.2, supporting TLS 1.3 if the browser accepts it. I've also essentially only got port 80/443 on GAE connected to cloudflare, with no public access at all, as all traffic goes through cloudflare first. Pretty neat - zero ports open to the public and a fully operations website! The pen test guys just scratched their heads and packed up.
Oh...and FYI - it's free for this level of configuration. Happy security testing ;-)
I can confirm that you can make a request to google support and it takes up to 4 weeks to make the change. Not sure why. Hopefully they can speed things up in the future. But alternatively you can handle this logic at the application layer (in middleware) rather than the network layer. See snippet below:
// using NODEJS + TYPESCRIPT
// disable tls 1.0 and 1.1 weak ciphers
this.app.use((req, res, next) => {
// const cipher = ((req.socket) as TLSSocket).getCipher()
const protocol = ((req.socket) as TLSSocket).getProtocol()
// console.log('cipher: ', cipher);
// output eg: { name: 'ECDHE-RSA-AES128-GCM-SHA256', version: 'TLSv1/SSLv3' }
console.log('protocol: ', protocol);
// output eg: TLSv1.2
if (protocol === 'TLSv1.2' || protocol === 'TLSv1.3') {
next();
} else {
res.status(426);
res.send('request requires TLSv1.2 or greater, please upgrade');
}
});
I've not tried this so I can't guarantee it would work, but it seems like you could use a HTTP(S) Load Balancer. The SSL policies are configurable such that it would likely meet the requirements of your security review.
I am working on a project which involves gathering some sensor data and build a GUI on it, with controlling of sensors. It has following two basic requirements.
Should be a web based solution (Although it will only be used on LAN or even same PC)
It should be executable on both windows IoT core and standard windows PC (Windows 7 and above)
I have decided to use Embedded webserver for Windows IoT, which seems to be a good embedded server based on PCL targeting .NET 4.5 and UWP. So I can execute it on both environments. That is great! But the problem is this web server doesn't support SSL, I have tried to search other servers and have come up with Restup for UWP, which is also a good REST based web server, but it also doesn't support SSL.
I needs an expert opinion, that if there is any possibility I can use SSL protocol in these web servers. Is it possible that it can be implemented using some libraries like OpenSSL etc? (Although I think that it would be too complex and much time taking to implement it correctly)
Edit
I would even like to know about ASP.NET core on Windows 10 IoT Core, if I can build an application for both windows. I found one example but it is DNXbased, and I don't want to follow this way, as DNX is deprecated.
Any help is highly appreciated.
Late answer, but .NET Core 2.0 looks promising with Kestrel. I successfully created a .Net Core 2.0 app on the PI 3 this morning. Pretty nifty and If you already have an Apache web server, you’re almost done. I’m actually going to embed (might not be the right term) my .Net Core 2.0 web application into a UWP app, rather than create multiple unique apps for the touchscreens around the house.
.Net Core 2.0 is still in preview though.
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel?tabs=aspnetcore2x
I know this post is pretty old, but I have built the solution which you are asking bout. I’m currently running .Net 5.0 on a Raspberry pi. When you build the .net core web project, select the correct target framework and the target runtime to win-arm. Copy the output some directory on the pi and you will have to access the device using powershell to create a scheduled task to start the web project. Something like this:
schtasks /create /tn "Startup Web" /tr c:\startup.bat /sc onstart /ru SYSTEM
That starts a bat file which runs a powershell command which has the following command:
Set-Location C:\apps\vradWebServer\ .\VradTrackerWeb.exe (the .\VradTrackerWeb.exe is on a second line in the file) - the name of the webapp.
That starts the server. If you have any web or apps posting to the webserver you will need an ssl cert. I used no-ip and let’s encrypt for this. For let’s encrypt to work, you will need an external facing web server and have the domain name point to it. Run let’s encrypt on the external server and then copy out the cert and place it in your web directory on the pi. I then have a uwp program that runs on the pi and when it starts, it gets it’s local address and then updates no-ip with the local address, so the local devices communicating will be correctly routed and have the ssl cert. Side note, my uwp app is the startup app on the device. The scheduled task is important because it allows you to run you app and the web server. The following snip is how I get the ip address and then update no-ip.
private string GetLocalIP()
{
string localIP = "";
using (Socket socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, 0))
{
socket.Connect("8.8.8.8", 65530);
IPEndPoint endPoint = socket.LocalEndPoint as IPEndPoint;
localIP = endPoint.Address.ToString();
}
return localIP;
}//GetLocalIP
private async void UpdateIP()
{
string localIP = "";
string msg = "";
var client = new HttpClient(new HttpClientHandler { Credentials = new NetworkCredential("YourUserName", "YourPassword") });
try
{
localIP = GetLocalIP();
string noipuri = "http://dynupdate.no-ip.com/nic/update?hostname=YourDoman.hopto.org&myip=" + localIP;
using (var response = await client.GetAsync(noipuri))
using (var content = response.Content)
{
msg= await content.ReadAsStringAsync();
}
if (msg.Contains("good") == true || msg.Contains("nochg")==true)
{
SentDynamicIP = true;
LastIPAddress = localIP;
}
else
{
SentDynamicIP = false;
}
}
catch(Exception ex)
{
string x = ex.Message;
}
finally
{
client.Dispose();
}
}//UpdateIP
I know the WebSockets are supported only on Windows 8 and higher. But sometimes you just can't upgrade the system in large organization. So I tried implement WebSockets on ASP.NET Core app.
I take NuGet package "AspNetCore.WebSockets.Server" and run as a self-hosted app on Windows 7 and everything works well. But hosting on IIS7.5 on the same machine wont allow me to upgrade HTTP connection to WebSocket. Even if I try to simulate the handshake the IIS simple removes my "Sec-WebSocket-Accept" header.
static async Task Acceptor(HttpContext hc, Func<Task> next)
{
StringValues secWebSocketKey;
if(hc.Request.Headers.TryGetValue("Sec-WebSocket-Key", out secWebSocketKey))
{
hc.Response.StatusCode = 101;
hc.Response.Headers.Clear();
hc.Response.Headers.Add("Upgrade", new StringValues("websocket"));
hc.Response.Headers.Add("Connection", new StringValues("Upgrade"));
// Disappears on client
hc.Response.Headers.Add("Sec-WebSocket-Accept", new StringValues(GetSecWebSocketAccept(secWebSocketKey[0])));
}
await next();
}
I definitely sure IIS7.5 physically can manage WebSockets if they was implemented by developer and that behavior (header removal) looks like a dirty trick from Microsoft
I am afraid you need IIS 8
With the release of Windows Server 2012 and Windows 8, Internet
Information Services (IIS) 8.0 has added support for the WebSocket
Protocol.
https://www.iis.net/learn/get-started/whats-new-in-iis-8/iis-80-websocket-protocol-support
The new http.sys is the one that can turn a regular HTTP connection into a binary communication for websockets. Although you can implement your own thing, you cannot hook it into http.sys.