I have received an email stating that our servers need to be updated to use TLS 1.2 when sending emails to Amazon SES via SMTP. I have looked into the servers mentioned and all layers involved appear to support TLS 1.2. Please see details below:
Ubuntu 16.04.3 LTS
OpenSSL 1.0.2g
PHP 7.1
Laravel 5.5
Swiftmailer v6.0
Sendmail 8.15.2
All of the above support TLS 1.2 so I'm not sure why SES is reporting a TLS 1.0/1.1 handshake.
I am monitoring TLS < 1.2 connections with tcpdump using the following command:
$ tcpdump "tcp port 587 and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+9] = 0x03) && ( (tcp[((tcp[12] & 0xf0) >>2)+10] = 0x01) || (tcp[((tcp[12] & 0xf0) >>2)+10] = 0x02))" -X
And get this as part of the result:
"0x0050: e941 7b4f a11f 3444 4f57 4e47 5244 0020 .A{O..4DOWNGRD.."
I am assuming DOWNGRD must mean reverting back to 1.1 or 1.0.
However, running:
$ openssl s_client -crlf -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:587 -tls1_2
Does result in:
SSL-Session:
Protocol : TLSv1.2
Cipher : ECD........
So it appears I am able to make a connection directly.
Could anybody advise on why this is happening or suggest any commands to help identify the issue?
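For reading a capture like the one above, here is an added example (not part of the original post) that parses a ServerHello, reads the version bytes at the offset the tcpdump filter tests, and checks the last 8 bytes of the server random, where RFC 8446 section 4.1.3 defines the DOWNGRD sentinels. The helper build_server_hello and the sample bytes are constructed for illustration.

```python
import struct

# RFC 8446 section 4.1.3: sentinels in the last 8 bytes of ServerHello.random
SENTINELS = {
    b"DOWNGRD\x01": "server supports TLS 1.3 but negotiated TLS 1.2",
    b"DOWNGRD\x00": "server supports TLS 1.2+ but negotiated TLS 1.1 or below",
}
# 0x0303 is also the legacy_version a TLS 1.3 ServerHello carries
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2 or 1.3"}


def inspect_server_hello(payload: bytes) -> dict:
    """Parse a TCP payload that starts with a TLS record holding a ServerHello."""
    if len(payload) < 43:  # 5 record + 4 handshake + 2 version + 32 random
        raise ValueError("too short for a ServerHello")
    rec_type, _rec_ver, _rec_len = struct.unpack("!BHH", payload[:5])
    hs_type = payload[5]
    if rec_type != 0x16 or hs_type != 0x02:
        raise ValueError("not a handshake record carrying a ServerHello")
    # Payload offsets 9-10: the bytes the tcpdump filter compares to 03 01 / 03 02
    (version,) = struct.unpack("!H", payload[9:11])
    random = payload[11:43]
    return {
        "legacy_version": VERSIONS.get(version, hex(version)),
        "sentinel": SENTINELS.get(random[-8:]),  # None when no sentinel is set
    }


def build_server_hello(version: int, random: bytes) -> bytes:
    """Constructed sample: empty session id, one cipher suite, no extensions."""
    body = struct.pack("!H", version) + random + b"\x00" + b"\xc0\x14" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed random: 24 filler bytes, then the sentinel bytes
    # 44 4f 57 4e 47 52 44 00 that appear in the hex dump above
    sample = build_server_hello(0x0301, bytes(range(24)) + b"DOWNGRD\x00")
    print(inspect_server_hello(sample))
```

The tcpdump filter does not check the handshake type, so it also matches ClientHello packets; seeing which side offers the old version first shows whether the client or the server is capping the negotiation.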
https://github.com/laravel/framework/discussions/41075#discussioncomment-7499514
Instead of using tls I switched to SSL as mentioned in the comment above and it worked!