TLS 1.2 Action Required Notification

Hi,

We have received an email stating that action is required to update our TLS connections. The emails identifies that there are SES connections via SMTP and lists 2 IP addresses for our EC2 Instances. I have looked into both of the servers mentioned and all layers involved appear to support TLS 1.2. Please see details below:

Ubuntu 16.04.3 LTS
OpenSSL 1.0.2g
PHP 7.1
Swiftmailer v6.0

All of the above support TLS 1.2 so I'm not sure why SES is reporting a TLS 1.0/1.1 handshake. Could anybody advise on why this is happening or suggest any commands to help identify the issue?

Many Thanks.

Topics

Compute Front-End Web & Mobile Business Applications Internet of Things (IoT)

Tags

Amazon EC2 Amazon Simple Email Service Transport Layer Security (TLS)Linux

Language

English

Steve

asked 7 months ago533 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hi,

Its's great that you have the libraries at the right level but you may also need to do some (minor) changes in your application code to use it instead of previous versions.

See https://onelinerhub.com/php-swiftmailer/how-to-use-tls-1.2-with-swiftmailer. for the details.

Best,

Didier

EXPERT

Didier_Durand

answered 7 months ago

Steve
7 months ago
Hi,

Thanks for the suggestion but that didn't seem to work. I am monitoring TLS < 1.2 connections with TCPdump using the following command:

$ tcpdump "tcp port 587 and (tcp[((tcp[12] & 0xf0) >>2)] = 0x16) && (tcp[((tcp[12] & 0xf0) >>2)+9] = 0x03) && ( (tcp[((tcp[12] & 0xf0) >>2)+10] = 0x01) || (tcp[((tcp[12] & 0xf0) >>2)+10] = 0x02))" -X

And get this as part of the result after adding the additional config:

"0x0050: e941 7b4f a11f 3444 4f57 4e47 5244 0020 .A{O..4DOWNGRD.. 0x0060: d150 dc04 43ad 2d79 2e81 3660 4536 7213 .P..C.-y..6`E6r."

I am assuming DOWNGRD must mean reverting back to 1.1 or 1.0.

However running:

$ openssl s_client -crlf -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:587 -tls1_2

Does result in:

" ..... SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE....... "

So it appears I am able to make a connection directly...

Relevant content

[ACTION REQUIRED] - Update your TLS connections to 1.2 to maintain AWS endpoint connectivity [AWS Account: 926257648248]
rePost-User-7366838
asked 2 years ago
SES: Update TLS connections to 1.2 to maintain AWS connectivity
Stephanie
asked 9 months ago
Amazon SES + Sendy - TLS 1.2 AWS API endpoints update required
Voltaki
asked a year ago
Update TLS connections to 1.2 for SES using SMTP
Juan
asked 10 months ago
How do I resolve the error "SMTP server requires a secure connection or the client is not authenticated. The server response was: Authentication required" while sending an email through SES?
AWS OFFICIALUpdated a year ago
Why don't the emails that I send through Amazon SES get delivered?
AWS OFFICIALUpdated 5 months ago
How can I use Amazon SES to receive inbound emails, and then store those emails on Amazon S3?
AWS OFFICIALUpdated a year ago
How do I troubleshoot SMTP connectivity or timeout issues with Amazon SES?
AWS OFFICIALUpdated 2 years ago
How do I find the SMTP clients using deprecated TLS versions?
EXPERT
Jonathan_D
published 6 months ago
Announcement: RDS/Aurora SSL/TLS Certificates are expiring between May and October 2024
EXPERT
randyyoung
published 2 months ago