Need option to disable TLS 1.0 and 1.1 and enable TLS 1.3 #2856
Comments
That's not what that code does. The PHPMailer config does not disable TLSv1.3. Bear in mind that PHPMailer is a client, not a server, so if you connect to a server that supports 1.3, it will use 1.3 (assuming your PHP version supports it). It's not in a position to dictate what versions a server supports.

What I mean is, I want PHPMailer to fail if the supplied SMTP server does not support TLS 1.2 or 1.3. I would rather have an error than have it continue with an insecure TLS version.

You may be able to do that by passing a

```php
$mail->SMTPOptions = [
    'ssl' => [
        'crypto_method' => STREAM_CRYPTO_METHOD_TLS_CLIENT ^ STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT ^ STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
    ],
];
```

Failing that, you can achieve it by injecting a subclass of the SMTP class which overrides that method and sets the same settings directly.

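An added example (not PHPMailer's code and not posted by anyone in this thread) that decodes which TLS versions a `crypto_method` bitmask permits, comparing the XOR form from the comment above with an explicit allow-list. It assumes the PHP 7.2+ stream constants; `allowedTlsVersions` is a hypothetical helper name.

```php
<?php
// Added example; assumes PHP 7.2+ stream crypto constants.

// The TLS 1.3 constant exists only from PHP 7.4; contribute no bit before that.
$tls13 = defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')
    ? STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT
    : 0;

/** Hypothetical helper: list the TLS client versions a bitmask permits. */
function allowedTlsVersions(int $mask): array
{
    $versions = [
        'TLSv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
        'TLSv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
        'TLSv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    ];
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $versions['TLSv1.3'] = STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    $allowed = [];
    foreach ($versions as $name => $flag) {
        // Every *_CLIENT constant includes a shared low "client" bit, so test
        // for the whole flag rather than for any overlapping bit.
        if (($mask & $flag) === $flag) {
            $allowed[] = $name;
        }
    }
    return $allowed;
}

// Form from the comment above: remove 1.0 and 1.1 from the default set.
// XOR-ing an even number of constants leaves the shared client bit set;
// an odd number would clear it.
$xorMask = STREAM_CRYPTO_METHOD_TLS_CLIENT
    ^ STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
    ^ STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;

// Explicit allow-list: name only the versions that are acceptable.
$allowMask = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT | $tls13;

printf("default: %s\n", implode(', ', allowedTlsVersions(STREAM_CRYPTO_METHOD_TLS_CLIENT)));
printf("xor:     %s\n", implode(', ', allowedTlsVersions($xorMask)));
printf("allow:   %s\n", implode(', ', allowedTlsVersions($allowMask)));

// Options array in the same shape as the $mail->SMTPOptions value above.
$smtpOptions = ['ssl' => ['crypto_method' => $allowMask]];
var_export($smtpOptions);
```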
OK, that's an option, thank you. There's still the question of whether or not PHPMailer should allow TLS 1.3 by default. As far as I can tell, if

This is not true. PHPMailer does not need to set that flag because it's already included in The reason that we have to do any twiddling with these constants at all is because prior to PHP 7.2, their definitions were a bit of a mess.

Ah, I didn't know that the meaning of

SMTP.php currently has the following code:
For security reasons, I need to be able to disable TLS 1.0 and 1.1 and enable TLS 1.3. Unfortunately, PHPMailer is hardcoded to accept TLS 1.0 through 1.2 and reject TLS 1.3.