Monitor Default SSL Settings use Outdated TLS

Jordan
1 February 2017, 06:48
Hey Hugo,

Line 274 of libraries/http.php -- a part of Banshee, I believe -- defaults to using

if (stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) == false) { ...


Which, under PHP 5.4, fails if my server is set up to disallow TLS v1.0 (which it is, since TLS v1.0 is "obsolete"). My server is in fact set up to only use TLS v1.2. So, to fix this, as a stopgap, I had to do two things:

* Change STREAM_CRYPTO_METHOD_TLS_CLIENT to STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
* Update PHP to 5.6, because in 5.4 the STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT constant was not defined and was interpreted as a literal string (which was useless)

Perhaps Banshee can be updated to be made robust against a server configuration disallowing older versions of the TLS protocol?
Hugo Leisink
1 February 2017, 08:18
Thanks. I've updated the code for the 6.0 release, which will soon come.
Jordan
2 February 2017, 19:44
Thanks, Hugo!
This topic has been closed.
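
The problem raised in this thread, as an added example that is not part of the original posts and is not Banshee's code: one way to select the client crypto method so that it never falls back below TLS 1.2 and never evaluates an undefined constant as a bare string. The helper names `tls_client_crypto_method` and `enable_tls_client` are hypothetical.

```php
<?php
// Added example, not Banshee code. Function names are hypothetical.

/**
 * Build a crypto-method bitmask from the TLS client constants that this
 * PHP build actually defines, skipping versions below $minVersion.
 * Returns null when no acceptable constant exists (e.g. on PHP 5.4).
 */
function tls_client_crypto_method($minVersion = '1.2')
{
    // Constants are looked up by name, so a missing one is simply skipped
    // instead of being interpreted as a literal string.
    $candidates = array(
        '1.0' => 'STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT',
        '1.1' => 'STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT',
        '1.2' => 'STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT',
        '1.3' => 'STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT',
    );
    $mask = 0;
    foreach ($candidates as $version => $name) {
        if (version_compare($version, $minVersion, '>=') && defined($name)) {
            $mask |= constant($name);
        }
    }
    return $mask === 0 ? null : $mask;
}

/**
 * Enable TLS on an already connected client socket. Fails closed: if the
 * runtime cannot offer the minimum version, no handshake is attempted.
 */
function enable_tls_client($sock, $minVersion = '1.2')
{
    $method = tls_client_crypto_method($minVersion);
    if ($method === null) {
        trigger_error('PHP ' . PHP_VERSION . " defines no TLS >= $minVersion client method", E_USER_WARNING);
        return false;
    }
    // On a blocking socket this returns true on success, false on failure.
    return stream_socket_enable_crypto($sock, true, $method) === true;
}

// Offline check of what this PHP build can negotiate (no network needed).
$mask = tls_client_crypto_method('1.2');
echo $mask === null
    ? "no TLS 1.2+ client method in this PHP build\n"
    : "crypto method bitmask for TLS 1.2+: $mask\n";
```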