ActiveCampaign/postmark-php

[Question] With TLS changes in April, do I need to change anything?

Closed this issue · 7 comments

Hi,
I recently received this email about TLS changes. I'm using version 2.11 in an old project. Do I need to change anything except update the package version so Postmark continues to work after April?

Link from email
https://postmarkapp.com/updates/upcoming-tls-configuration-changes-for-api-users-action-may-be-required

Hi @mzzovko,

The package itself will continue to work without upgrading, though you will want to make sure your connection to Postmark is using TLSv1.1+.

The requirements to connect to Postmark after the TLS changes are:

  • PHP version 5.5.19 or higher
  • cURL version 7.34.0 or higher
  • OpenSSL version 1.0.1 or higher

You can further test against our test API endpoint; this endpoint acts how our standard endpoint will work after the upgrade. You can do this by temporarily setting the BaseURL to point to the test endpoint, to validate your system works with these changes:

use Postmark\PostmarkClient;
use Postmark\PostmarkClientBase;

// Temporarily set the BaseURL globally to point to the test endpoint
PostmarkClientBase::$BASE_URL = "https://api-ssl-temp.postmarkapp.com";

$client = new PostmarkClient("<server token>");

Let me know if you have any questions on this!

@briankerr Regarding the cURL requirement you mentioned, I have a machine running with version 7.29.0 (according to PHP Info) that works fine with the new endpoint as shown in your code above. Is this expected?

cURL support => enabled
cURL Information => 7.29.0
Age => 3
Features
AsynchDNS => Yes
CharConv => No
Debug => No
GSS-Negotiate => Yes
IDN => Yes
IPv6 => Yes
krb4 => No
Largefile => Yes
libz => Yes
NTLM => Yes
NTLMWB => Yes
SPNEGO => No
SSL => Yes
SSPI => No
TLS-SRP => No
Protocols => dict, file, ftp, ftps, gopher, http, https, imap, imaps, ldap, ldaps, pop3, pop3s, rtsp, scp, sftp, smtp, smtps, telnet, tftp
Host => x86_64-redhat-linux-gnu
SSL Version => NSS/3.36
ZLib Version => 1.2.7
libSSH Version => libssh2/1.4.3

Directive => Local Value => Master Value
curl.cainfo => no value => no value

Here's the code used in case this helps anyone else test their setup...

<?php

include_once "./vendor/autoload.php";  // Adjust location as needed

use Postmark\PostmarkClient;
use Postmark\PostmarkClientBase;
use Postmark\Models\PostmarkException;  // Needed so the first catch block below can match

PostmarkClientBase::$BASE_URL = "https://api-ssl-temp.postmarkapp.com";

try {
    $client = new PostmarkClient("<your-api-token>");
    $sendResult = $client->sendEmail("<your-verified-sender-address>",
        "<your-recipient-address>",
        "Hello from Postmark!",
        "This is just a friendly 'hello' from your friends at Postmark.");

} catch(PostmarkException $ex) {
        // If client is able to communicate with the API in a timely fashion,
        // but the message data is invalid, or there's a server error,
        // a PostmarkException can be thrown.
        echo $ex->httpStatusCode, "\n";
        echo $ex->message, "\n";
        echo $ex->postmarkApiErrorCode, "\n";

} catch(Exception $generalException) {
        // A general exception is thrown if the API
        // was unreachable or times out.
        // Exception::$message is protected, so read it through getMessage().
        echo $generalException->getMessage(), "\n";
}

echo "Done.\n\n";

Mostly taken from the postmark php wiki example here.

@briankerr Is there anything I can look for in the email headers (or even in the Postmark account dashboard activity log) to ensure that the received email was actually processed by the test endpoint? Might be useful for client assurance that their test sends are actually going through the intended endpoint.

@netcarver Hi Steve 👋 I'm checking with some colleagues on your questions (I want to make sure I have an accurate answer). After speaking with them, I'll follow up with you (most likely, tomorrow, the 9th).

@briankerr Hi Brian, thanks for the follow-up. I checked in with one of your colleagues on the support team to see if our test emails were using TLS1.2 and it appears they were - however, we definitely are not meeting your quoted minimum install version for cURL.

@netcarver Hi Steve! Thank you for your patience.

cURL version 7.34.0 is the first version of cURL to default to TLSv1.2. So it is possible to use an older version of cURL, though those connections default to an older version of TLS "out of the box" if you will. I see you're using Red Hat and they've included a default for a higher version of TLS as part of the OS for 7.29. Since we've verified your connection is TLSv1.2, you're good here.

When it comes to finding the hostname endpoint you're using, since this is a rare type of cutover, we don't give visibility into this within our UI since we normally only have api.postmarkapp.com. If you were looking for additional assurances, you could use our custom metadata feature to pass which endpoint your API call is making to see that in our UI. Though I don't think this is necessary for your situation.
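
The point made in the reply above, that a cURL version below 7.34.0 is a prompt to verify rather than proof of failure, can be turned into a local check. This is an added example, not part of the thread or of postmark-php; `assessTlsStack` and `handshakeSucceeds` are hypothetical helper names, and the sample PHP version is constructed.

```php
<?php
// Added example; not part of postmark-php. Minimums are the ones quoted in this thread.
function assessTlsStack($phpVersion, array $curlInfo)
{
    $min = ['php' => '5.5.19', 'curl' => '7.34.0', 'openssl' => '1.0.1'];
    $findings = [];
    if (version_compare($phpVersion, $min['php'], '<')) {
        $findings[] = "BELOW MINIMUM: PHP $phpVersion < {$min['php']}";
    }
    // ssl_version looks like "OpenSSL/1.0.2k-fips" or "NSS/3.36"
    $parts = explode('/', $curlInfo['ssl_version'], 2);
    $backend = $parts[0];
    $backendVersion = isset($parts[1]) ? $parts[1] : '';
    if (version_compare($curlInfo['version'], $min['curl'], '<')) {
        // Not decisive per the thread: an older cURL's TLS backend may still negotiate TLSv1.2.
        $findings[] = "CHECK: cURL {$curlInfo['version']} < {$min['curl']} "
            . "($backend backend); confirm the negotiated protocol separately";
    }
    // Strip suffixes such as "k-fips" first: version_compare() ranks "1.0.1e" below "1.0.1".
    if (strcasecmp($backend, 'OpenSSL') === 0
        && preg_match('/^\d+(\.\d+)*/', $backendVersion, $m)
        && version_compare($m[0], $min['openssl'], '<')) {
        $findings[] = "BELOW MINIMUM: OpenSSL $backendVersion < {$min['openssl']}";
    }
    return $findings ?: ['OK: meets the quoted minimums'];
}

// Live probe: pins TLSv1.2 when this PHP/cURL build exposes the constant.
// Any HTTP response, even an error status, means the TLS handshake completed.
function handshakeSucceeds($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_NOBODY, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    if (defined('CURL_SSLVERSION_TLSv1_2')) {
        curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    }
    return curl_exec($ch) !== false ? 'handshake OK' : 'failed: ' . curl_error($ch);
}

// Constructed sample: cURL values from the phpinfo() output above; PHP version is made up.
print_r(assessTlsStack('7.2.34', ['version' => '7.29.0', 'ssl_version' => 'NSS/3.36']));
if (function_exists('curl_version')) {
    print_r(assessTlsStack(PHP_VERSION, curl_version()));   // this machine
    if (isset($argv[1])) {                                   // optional: endpoint URL
        echo handshakeSucceeds($argv[1]), "\n";
    }
}
```

Pass the endpoint URL as the first command-line argument to run the live probe. On builds where `CURL_SSLVERSION_TLSv1_2` is not defined the probe cannot pin the protocol, so a successful handshake there still needs the negotiated version confirmed by other means.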

Thanks both @briankerr & @netcarver - I've tested it and it works 👍