[ci skip] If possible, always negotiate for TLS 1.0, TLS 1.1, TLS 1.2 for SMTP connections in CI_Email

author: Andrey Andreev <narf@devilix.net> 2018-01-22 09:54:10 +0100
committer: Andrey Andreev <narf@devilix.net> 2018-01-22 09:54:10 +0100
commit: 329dd039a211ed7634b45e2c908f7dc375b806a2 (patch)
tree: 050790469bdca2df213ddf49e75b9d873ebaa5f5 /system/libraries/Email.php
parent: 221c09588be796ba352683cd7814af33501d4fa6 (diff)
1 files changed, 13 insertions, 1 deletions
diff --git a/system/libraries/Email.php b/system/libraries/Email.php
index 967a0019a..71740ee5e 100644
--- a/system/libraries/Email.php
+++ b/system/libraries/Email.php
@@ -2074,7 +2074,19 @@ class CI_Email {
 			$this->_send_command('hello');
 			$this->_send_command('starttls');
 
-			$crypto = stream_socket_enable_crypto($this->_smtp_connect, TRUE, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+			/**
+			 * STREAM_CRYPTO_METHOD_TLS_CLIENT is quite the mess ...
+			 *
+			 * - On PHP <5.6 it doesn't even mean TLS, but SSL 2.0, and there's no option to use actual TLS
+			 * - On PHP 5.6.0-5.6.6, >=7.2 it means negotiation with any of TLS 1.0, 1.1, 1.2
+			 * - On PHP 5.6.7-7.1.* it means only TLS 1.0
+			 *
+			 * We want the negotiation, so we'll force it below ...
+			 */
+			$method = is_php('5.6')
+				? STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
+				: STREAM_CRYPTO_METHOD_TLS_CLIENT;
+			$crypto = stream_socket_enable_crypto($this->_smtp_connect, TRUE, $method);
 
 			if ($crypto !== TRUE)
 			{
author	Andrey Andreev <narf@devilix.net>	2018-01-22 09:54:10 +0100
committer	Andrey Andreev <narf@devilix.net>	2018-01-22 09:54:10 +0100
commit	329dd039a211ed7634b45e2c908f7dc375b806a2 (patch)
tree	050790469bdca2df213ddf49e75b9d873ebaa5f5 /system/libraries/Email.php
parent	221c09588be796ba352683cd7814af33501d4fa6 (diff)