ZF 1.12.18 TLS Error

Hello,

We have a problem with an old ZF server; it is version 1.12.18 running on RHEL 6.8.

The problem is that when we want to send email through smtp.office365.com we get: ERR (3) TASK [some_pid]: Retriable Exception: Unable to connect via TLS => address@domain

Credentials in application.ini file are ok because I can login by browser to office365.

Am I missing any certificate related issue?

I tried to change resources.mail.transport.ssl from TLS to TLSv1.2 and so on, but it didn’t work.
Any hints?

Hi there. ZF V1 is no longer supported but I’ll try to help. My guess is that Office365 is now requiring TLS 1.2 for the SMTP connection. I’m also assuming you’re using Zend_Mail with Zend_Mail_Protocol_Smtp. That implementation doesn’t connect via TLS 1.2 without modification. If my assumptions are correct, you may be able to solve this by extending Zend_Mail_Protocol_Smtp::helo to use the STREAM_CRYPTO_METHOD_ANY_CLIENT option instead of STREAM_CRYPTO_METHOD_TLS_CLIENT for the call to stream_socket_enable_crypto() function. To use that extension, you’ll also need to extend CG_Mail_Protocol_Smtp_Auth_Login. The fix is somewhat dependent on php version as I recall – the TLS options for stream_socket_enable_crypto() were adjusted in different versions. Here’s a gist of the solution that I used once upon a time (php7.1):

@marcguyer thanks for your reply, sadly it didn’t work.

As suggested, I changed from TLS to ANY in the crypto method in Smtp.php.
In Login.php I didn’t change anything because it is the same.

By the way this machine has PHP 5.6.26, also, the stream_get_transports() function returns tls, tlsv1.0, tlsv1.1, tlsv1.2 among others, in case it is useful to know.

Thanks again for taking the time to answer.

I’ve updated my gist. There was at least one mistake there: the ssl option should be set to tls. Give that a try; if you’re still having trouble, post your code in a portable way so we can take a closer look. The changes to STREAM_CRYPTO_METHOD_* options were introduced in v5.6.0 and you’ve confirmed that TLS1.2 is an available transport, so you should be fine there. Did you confirm with Office365 that they’re now requiring TLS1.2? If not, you might be barking up the wrong tree.

Using 'ssl' => 'tls' and the STREAM_CRYPTO_METHOD_ANY_CLIENT option for stream_socket_enable_crypto() should enable your system to use the “best” available transport which is TLS1.2.

@marcguyer This is a gist with the relevant code, as far as I can see it is ok, maybe I’m missing something else?

https://gist.github.com/cotangente/e206783db50afa35029bce0d3c48166c

That all looks fine at a glance except that you don’t have any code there showing usage – e.g., actually sending the mail (like usage.php in my gist). Additionally, stating simply that it doesn’t work isn’t generally helpful. Showing your “usage” and any error messages available would be beneficial (check your php error log, too).

I did the research for you and found that MS is not removing earlier versions of TLS until June of this year:

So… the TLS version might not be the true problem you’re facing. In fact, it may not have anything to do with ZF at all but your unique server setup. I suggest testing a basic SMTP connection using TLS from your server. Something like this (assuming linux):

openssl s_client -starttls smtp -connect smtp.office365.com:587

The output of that contains a bunch of info about the certificate among other things but you should also see the TLS version in use on the connection near the bottom. Something like this:

...
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: BE3B00009A4DD8A55B354334847C2412732209DE1FF35794FBAD726E0C5B8D38
...

If you’re seeing 1.2 there, then your server is able to connect to your smtp via that TLS version. You can then test the complete process using telnet. You might follow this guide to help with that:

The openssl hint was very helpful I think; from the server it returns:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported

SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384

Start Time: 1585324295
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)

Does the bold highlight show a local (server-side) problem?

I’m not familiar with this error. It appears that you may have confirmed that this isn’t a ZF issue at all. Perhaps you need to get the remote cert saved into your local trust store somehow. Or maybe your openssl doesn’t know where to look for the local trust store.

Did you get something like this at the end of the output from openssl?

---
250 SMTPUTF8

If so, continue the test to send a real email and see if it completes. If not, then you’ve got some googling to do – I wouldn’t be much help further.

Did you get something like this at the end of the output from openssl?
250 SMTPUTF

Yes I do, every test ends like that.
I think it is an openssl related issue.

I very much appreciate your help, thanks!

@marcguyer indeed it wasn’t a ZF issue but an openssl issue, and luckily I was able to solve it. For the sake of documentation:

(RHEL 6.8)
Copy the certificate.crt issued by your hosting provider (in my case) to:

/etc/pki/ca-trust/source/anchors

Then execute:

update-ca-trust force-enable
update-ca-trust extract

Thanks again for your help!
Regards.
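An added example, not code from the thread or from ZF, that turns the two checks discussed in this thread into a script: it parses `openssl s_client -starttls smtp` output for the negotiated protocol, the "Verify return code" and the 250 reply (the diagnosis in the openssl post above), and wraps the RHEL 6 trust-anchor fix from the last post so the probe can be re-run afterwards. It assumes POSIX sh, awk and openssl; HOST/PORT arguments and the sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX sh, awk and openssl.

# parse_s_client: read `openssl s_client -starttls smtp` output on stdin, print
#   proto=<negotiated version> verify=<verify return code> ehlo=<yes|no>
parse_s_client() {
    awk '
        /^ *Protocol *:/         { proto = $NF }   # "Protocol  : TLSv1.2"
        /^ *Verify return code:/ { code = $4 }     # "Verify return code: 20 (...)"
        /^250[ -]/               { ehlo = "yes" }  # EHLO reply reached, e.g. "250 SMTPUTF8"
        END {
            printf "proto=%s verify=%s ehlo=%s\n",
                (proto == "" ? "none" : proto), (code == "" ? "unknown" : code),
                (ehlo == "" ? "no" : ehlo)
        }'
}

# tls_smtp_verdict: classify parsed output. Returns 0 = TLSv1.2+ and chain verified,
# 1 = protocol too old, 2 = chain not verified (the "code 20" case), 3 = no 250 reply.
tls_smtp_verdict() {
    summary=$(parse_s_client)
    proto=${summary#proto=};  proto=${proto%% *}
    code=${summary#*verify=}; code=${code%% *}
    ehlo=${summary#*ehlo=}
    case "$proto" in
        TLSv1.2|TLSv1.3) ;;
        *) echo "FAIL: negotiated '$proto', expected TLSv1.2 or newer"; return 1 ;;
    esac
    if [ "$code" != "0" ]; then
        echo "FAIL: chain not verified (code $code); add the issuing CA to the trust store"
        return 2
    fi
    [ "$ehlo" = "yes" ] || { echo "FAIL: handshake ok but no 250 reply seen"; return 3; }
    echo "OK: $summary"
}

# probe_smtp_tls HOST [PORT]: live check (needs network access); HOST/PORT are hypothetical
probe_smtp_tls() {
    openssl s_client -starttls smtp -connect "$1:${2:-587}" </dev/null 2>/dev/null | tls_smtp_verdict
}

# install_trust_anchor CERT: the RHEL 6 fix from the thread (run as root), then re-probe
install_trust_anchor() {
    cp "$1" /etc/pki/ca-trust/source/anchors/ && update-ca-trust force-enable && update-ca-trust extract
}

# Constructed samples mirroring the thread's output before and after the trust-store fix
SAMPLE_BEFORE='SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 20 (unable to get local issuer certificate)
---
250 SMTPUTF8'
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/20 (unable to get local issuer certificate)/0 (ok)/')
printf '%s\n' "$SAMPLE_BEFORE" | tls_smtp_verdict || :
printf '%s\n' "$SAMPLE_AFTER"  | tls_smtp_verdict || :
```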