[BlueOnyx:23919] Re: 5209R Update: Disabled TLSv1.1 for Apache

Brent Epp brent at pdc.ca
Sat May 30 13:49:34 -05 2020


Hi Michael,

My apologies; you can probably disregard this, I misread the date on 
your email and these failures we're experiencing only began recently.

  - Brent

On 2020-05-30 12:04, Brent Epp wrote:
> Hi Michael,
>
> Since this update, we seem to be having a problem with a PHP SMTP 
> library (swiftmailer) that we're using for a number of sites. I've 
> updated the library to the version that provides TLSv1.2 support, the 
> failure persists: "Swift_TransportException: Unable to connect 
> with TLS encryption"
>
> I've also tried the latest version of swiftmailer with PHP 7.3.17, 
> which results in the same error.
>
> The one last thing I've tried is tweaking the library to force the TLS 
> version to 1.2 ... same error.
>
> Is there something else I need to adjust within apache to make this work?
>
> Thanks
>  - Brent
>
> On 2020-02-19 10:49, Michael Stauber wrote:
>> Hi all,
>>
>> Well, it's now the year 2020 (still no flying cars or hover-boards!), so
>> it's time to retire the TLSv1.1 protocol from Apache.
>>
>> To that end an updated base-apache-* has been released for 5209R, where
>> it was still available as a fallback.
>>
>> As the OpenSSL on 5209R is too old to support TLSv1.3 we had introduced
>> Nginx as SSL-proxy, as our custom built Nginx is statically compiled
>> against a newer OpenSSL that allows us to provide TLSv1.3 and HTTP/2
>> functionality.
>>
>> The benefits and usage of the Nginx SSL-proxy are explained here - in
>> case you're wondering what that is and how to make use of it:
>>
>> https://www.blueonyx.it/5209r-nginx-ssl-proxy
>>
>> In case someone wonders what SSL protocols the different versions of
>> BlueOnyx support in Apache, here is a small list:
>>
>> BlueOnyx 5210R: Both Apache & Nginx: TLSv1.3 with TLSv1.2 as a fallback
>>
>> BlueOnyx 5209R: Apache: TLSv1.2, Nginx: TLSv1.3 with TLSv1.2 as fallback
>>
>> BlueOnyx 5207R/5208R: Apache: TLSv1.2 only
>>
>



