Warning: TLS library problem when trying to send mail from PHPMailer after upgrade

After upgrading to 0.44 from a very old version (0.28), my web applications (running on a separate server) can no longer establish an SMTP connection to my MiaB server. It seems to be an issue around versions of TLS, or possibly specific ciphers missing on the client. My mail.log shows the following:

The error line appears to be:

warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1655:

My web server is fairly out of date, but it does appear to be running a version of openssl that should support TLS1.2. The specific configuration is:

Ubuntu 16.04.2
OpenSSL 1.0.2g
PHP 7.0.33

I would try upgrading OpenSSL and PHP on the client machine, but I don’t want to risk breaking my production server right now if possible. Is there a way I can temporarily modify MiaB to fallback to an older version of TLS and see if this fixes the problem?

In general, it is a bad idea to use PHP for SMTP. You would be better off using something like Postfix, nullmailer, or any sendmail-compliant MTA, and the PHP application should be using mail(), which calls sendmail (i.e., any sendmail-compliant MTA).

This would be my first suggestion … as the version you are running is EoL as of last December.

Yup, definitely what I need to do soon. But I don’t want to risk a cascade of dependency failures (openssl -> php -> our application, for example) on my live server when we are nowhere near ready to fully upgrade our application.

As a temporary patch until we can prepare our upgrade, I’ve made the following changes in MiaB to allow TLS1 and TLS1.1:

Edit /etc/postfix/main.cf:

Change the smtpd_tls_mandatory_protocols and smtp_tls_mandatory_protocols to:

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3

Comment out the mandatory_ciphers settings:

#smtpd_tls_mandatory_ciphers=high
#smtp_tls_mandatory_ciphers=high

Save and restart postfix:

sudo /etc/init.d/postfix restart

These changes will not persist after any further updates to MiaB, so it’s important to regard this as a temporary stopgap solution.
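Commenting out `smtpd_tls_mandatory_ciphers=high` drops the submission port from Postfix's `high` grade to its default `medium` grade, and the protocol change admits TLS 1.0/1.1 for every client of the box, not just this one. Before weakening the server it is worth knowing whether the client's cipher suites overlap the server's mandatory list at all. The following is an added example, not code from the thread or from Mail-in-a-Box: the two cipher lists are constructed stand-ins, and `cipher_overlap` and `normalise_ciphers` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): intersect a client's cipher-suite list
# with the server's mandatory list. Both lists below are constructed stand-ins.

# Normalise an OpenSSL cipher list ("A:B:C", or one name per line) to sorted,
# unique names, one per line, so the two sides can be compared with comm(1).
normalise_ciphers() {
    tr ':' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | LC_ALL=C sort -u
}

# Print the suites present in both lists.
# $1 = client cipher list, $2 = server cipher list (OpenSSL syntax).
cipher_overlap() {
    tmpc=$(mktemp)
    tmps=$(mktemp)
    printf '%s\n' "$1" | normalise_ciphers > "$tmpc"
    printf '%s\n' "$2" | normalise_ciphers > "$tmps"
    LC_ALL=C comm -12 "$tmpc" "$tmps"
    rm -f "$tmpc" "$tmps"
}

# One-line verdict: "ok: N shared suite(s)" or "no shared suites".
cipher_verdict() {
    shared=$(cipher_overlap "$1" "$2")
    if [ -z "$shared" ]; then
        echo "no shared suites"
    else
        echo "ok: $(printf '%s\n' "$shared" | wc -l | tr -d ' ') shared suite(s)"
    fi
}

# Constructed sample lists: an old client offering mostly SHA-1 suites, and a
# server list of the kind Postfix's "high" grade produces.
CLIENT_CIPHERS='ECDHE-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA:ECDHE-RSA-AES256-GCM-SHA384'
SERVER_HIGH='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:DHE-RSA-AES256-SHA'
SERVER_GCM_ONLY='ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384'

cipher_overlap "$CLIENT_CIPHERS" "$SERVER_HIGH"    # -> ECDHE-RSA-AES256-GCM-SHA384
cipher_verdict "$CLIENT_CIPHERS" "$SERVER_GCM_ONLY" # -> no shared suites
```

To use real lists: on the client, `openssl ciphers 'ALL:!aNULL' | tr ':' '\n'` gives what that OpenSSL build can offer, which is an upper bound on what PHP will actually send; on the server, `openssl ciphers "$(postconf -h tls_high_cipherlist)"` expands the `high` grade, from which Postfix then removes anything named in `smtpd_tls_mandatory_exclude_ciphers` and `smtpd_tls_exclude_ciphers`. An empty intersection confirms a cipher problem; a non-empty one points back at the protocol version instead.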

Do you mean because I’m creating a tight coupling between my PHP configuration and my MTA configuration (since they are the same)?

PHP SMTP support has always been problematic. It will continue to give you headaches unless you have a local relay.

Postfix or nullmailer are very easy to configure. You do it once and it’s generally done forever.

If you want to see what your version of openssl supports, which I believe includes TLS v1.2:

$ openssl ciphers -v | awk '{print $2}' | sort | uniq

You can also see the ciphers for TLS v1.2:

$ openssl ciphers -tls1_2
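Listing what the client's OpenSSL supports only shows an upper bound; the decisive check is which protocol versions the server will actually negotiate with a given client. The `unsupported protocol` error in the original post is what the server's OpenSSL logs when the client's highest offered version is one the server has disabled, so a server that refuses TLS 1.0 and 1.1 produces exactly that line for a client offering nothing newer. The following probe, one STARTTLS handshake per version flag, is an added example and not code from the thread or from Mail-in-a-Box; `box.example.com` is a placeholder host, and `tls_session_summary` and `probe_smtp_tls` are names chosen here.

```shell
#!/bin/sh
# Added example (not from the thread): probe which TLS versions an SMTP
# submission endpoint negotiates, using `openssl s_client -starttls smtp`.
# Run from the client machine so the probe uses the client's OpenSSL build.

# Reduce `openssl s_client` output to "PROTOCOL CIPHER", or "none" when the
# handshake failed: s_client then prints "Cipher : 0000", or nothing at all
# when the version flag is unknown to the local OpenSSL (e.g. -tls1_3 on 1.0.2).
tls_session_summary() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto == "" || cipher == "" || cipher == "0000") print "none"
            else print proto, cipher
        }'
}

# One handshake per protocol version against host:port (default 587).
# On a server restricted to TLS 1.2 and up, -tls1 and -tls1_1 report "none"
# and the remaining flags report the negotiated protocol and cipher.
probe_smtp_tls() {
    host=$1
    port=${2:-587}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        summary=$(printf 'QUIT\r\n' |
            openssl s_client -connect "$host:$port" -starttls smtp "$flag" 2>/dev/null |
            tls_session_summary)
        printf '%-8s %s\n' "$flag" "$summary"
    done
}

# Only probe when a host is given, e.g.: sh probe.sh box.example.com 587
if [ -n "${1:-}" ]; then
    probe_smtp_tls "$1" "${2:-587}"
fi
```

If `-tls1_2` reports "none" from the client machine while a newer box succeeds, the client's OpenSSL or its cipher set is the problem; if `-tls1_2` succeeds from the same machine, the library is fine and the question becomes which version PHP's stream layer is asking for.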

Yup, my version of openssl says that it supports up through TLS 1.3. It was almost certainly a cipher issue :unamused:

It’s also possible there is a problem with how PHP is trying to send the mail.

I used nullmailer for a very long time before giving in and making a plain-old postfix transactional MTA on my web server.

http://untroubled.org/nullmailer/

Speaking as the maintainer of PHPMailer, it’s generally preferable to send from PHP using SMTP (though you should still use a local relay) as opposed to using PHP’s built-in mail() function, which is inherently unsafe, slower, and harder to debug problems with.

For your particular problem, I’d say it is down to the TLS library linked to your PHP instance.

Speaking as a former user of PHPMailer, I was unable to get it to send anything other than in the clear, so I gave up using it and assumed it to be insecure.

Next time fix your server instead.

Mighty broad assumption, no?