Authorize.net is updating the SSL/TLS certificates used for secure communication with our systems. This change affects both browser-based and server-to-server interactions.
Who is being affected: Merchants who utilize Authorize.net APIs and endpoint URLs in their websites or applications will need to make updates. They will need to integrate and use the newly-issued Root and Intermediate (CA) SSL certificates from DigiCert. This should be done before the scheduled revocation dates to avoid disruptions.
What you need to do: You must integrate and use the newly-issued Root and Intermediate (CA) SSL certificates from DigiCert by October 24 to avoid any disruptions. To help you fight fraud, AFDS is automatically enabled on your account, which gives you access to many powerful fraud filters.
Is this something you need to do at the plugin level or something we need to address at the server level?

As these are production sites I had to get them back up and running asap, so I opened a conversation with the host who confirmed that nothing had changed their end. I updated certificates, made sure things were up to date and nothing worked. It was the same issue with over 10 sites.
I have ended up with another mailer, not sure if I can name it but it effectively does exactly the same as WP SMTP but works seamlessly when configured with the same settings.
The site is currently configured for SSL over port 587 and we force TLS with STARTTLS but I’m just flummoxed as to what has happened. Interestingly things are OK on a local install on a mac using local.wp so I’m not ruling out changes with the host quite yet… A snippet of the log here:
Error Log ---
SMTP Debug:
2024-08-24 17:56:36 Connection: opening to mail.[REDACTED].com:587, timeout=30, options=array()
2024-08-24 17:56:36 Connection: opened
2024-08-24 17:56:36 SERVER -> CLIENT: 220-[REDACTED].io ESMTP Exim 4.97.1 #2 Sat, 24 Aug 2024 18:56:36 +0100
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
2024-08-24 17:56:36 CLIENT -> SERVER: EHLO [REDACTED].com
2024-08-24 17:56:36 SERVER -> CLIENT: 250-gin.hostns.io Hello gin.hostns.io [109.70.148.37]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
2024-08-24 17:56:36 CLIENT -> SERVER: STARTTLS
2024-08-24 17:56:36 SERVER -> CLIENT: 220 TLS go ahead
2024-08-24 17:56:36 Connection failed. Error #2: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [[REDACTED]PHPMailer/SMTP.php line 488]
SMTP Error: Could not connect to SMTP host. Connection failed. stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2024-08-24 17:56:36 CLIENT -> SERVER: QUIT
2024-08-24 17:56:36
2024-08-24 17:56:36
2024-08-24 17:56:36 Connection: closed

We are reaching out because there are TLS 1.0 or TLS 1.1 connections to Amazon Simple Storage Service (Amazon S3) objects hosted in your account. As AWS is updating the TLS configuration for all AWS API endpoints to a minimum of version TLS 1.2 [1], you must take action as soon as possible for these connections to maintain their access to your S3 objects.

We are using Cloudflare with Minimum TLS Version 1.3 enabled.
Unfortunately, under the above condition, every time we run your SEO Analyzer, we get the following message: API Error: HTTP 400 Error. If we downgrade to Minimum TLS Version 1.2, everything works fine.
We followed your knowledge base instructions for addressing the above condition, but they did not help. Also, please know our website’s HTTP Return Status Code is 200 OK.
Please review and advise. A fix for the above condition is requested. All other plugins are working fine.
In short, we believe your code (server and/or plugin) needs to be updated to support TLS 1.3.
Thank you!

Does anybody know where to place the php program mailpoet_smtp_secure_connection_options_hook.php?
Regards, Milo
——————–
https://kb.mailpoet.com/article/193-tls-encryption-does-not-work
Issue
When trying to send a test message/newsletter using a custom SMTP method configured to use TLS encryption, you see the following error message: “unable to connect with TLS encryption”.
Description
PHP 5.6 or newer forces verification of the destination server’s authenticity. If, for some reason, the server uses an invalid (or self-signed) certificate or your PHP has an invalid/missing certificate authority bundle, the secure connection will fail.
Solution
In the case of the invalid/missing certificate authority, please ensure that your host has a properly configured PHP installation that uses a valid certificate authority bundle.
If you are still unable to connect, it is possible that the destination server is using a self-signed certificate, which is disallowed by default. In this case you can use a custom hook to configure the secure connection (i.e., set SSL context options) and disable self-signed certificates and/or authenticity verification.
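<?php
// Register the callback that supplies SSL context options for MailPoet's SMTP connection.
add_filter('mailpoet_mailer_smtp_options', 'mailpoet_secure_connection_options');

function mailpoet_secure_connection_options() {
    return [
        'ssl' => [
            // description of available options can be found here: https://php.net/manual/en/context.ssl.php
            'verify_peer' => false,      // do not validate the server's certificate chain
            'verify_peer_name' => false, // do not check that the certificate matches the host name
            'allow_self_signed' => true, // accept self-signed certificates
        ],
    ];
}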
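
The knowledge base snippet above turns certificate verification off entirely. As an added example (not MailPoet's code and not part of the original post), the same filter can keep verification on and trust the server's certificate explicitly; the function name and the CA file path are assumptions, and the path is a placeholder.

```php
<?php
// Added example, not MailPoet's code. It uses the same filter as the snippet
// above, but verification stays enabled and trust is limited to one CA file.

// Placeholder path (assumption): a PEM file holding the self-signed server
// certificate, or the certificate of the private CA that issued it.
const EXAMPLE_SMTP_CA_FILE = '/path/to/smtp-server-ca.pem';

// Hypothetical callback name; returns SSL context options with checks on.
function example_smtp_ssl_options() {
    $ssl = [
        'verify_peer'       => true,  // validate the server's certificate chain
        'verify_peer_name'  => true,  // certificate must match the SMTP host name
        'allow_self_signed' => false, // untrusted self-signed certificates are rejected
    ];

    // Only point PHP at the CA file when it can actually be read. If it is
    // missing, PHP falls back to its configured default CA bundle and the
    // connection fails closed for an untrusted certificate.
    if (is_readable(EXAMPLE_SMTP_CA_FILE)) {
        $ssl['cafile'] = EXAMPLE_SMTP_CA_FILE;
    }

    return ['ssl' => $ssl];
}

// add_filter() exists only inside WordPress; the guard lets the file be
// linted or loaded on its own without a fatal error.
if (function_exists('add_filter')) {
    add_filter('mailpoet_mailer_smtp_options', 'example_smtp_ssl_options');
}
```

With this in place a connection to a server presenting any other certificate still fails with "certificate verify failed", which is the behaviour the default PHP settings are meant to give.
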

I am getting the following error under Site Health which is why REST API and loopback requests as well as scheduled events are failing:
cURL error 35: error:1408F10B:SSL routines:ssl3_get_record:wrong version number (http_request_failed)
It’s a fresh WordPress installation without any additional plugins or themes. I haven’t changed any of the settings.
This is my configuration:
### wp-core ###
version: 6.0.3
https_status: true
multisite: false
### wp-server ###
server_architecture: Linux 5.4.0-125-generic x86_64
httpd_software: Apache
php_version: 8.1.11 64bit
php_sapi: fpm-fcgi
max_input_variables: 1000
time_limit: 30
memory_limit: 128M
admin_memory_limit: 256M
max_input_time: 60
upload_max_filesize: 2M
php_post_max_size: 8M
curl_version: 7.68.0 OpenSSL/1.1.1f
suhosin: false
imagick_availability: false
pretty_permalinks: true
htaccess_extra_rules: false
### wp-database ###
extension: mysqli
server_version: 8.0.30-0ubuntu0.20.04.2
client_version: mysqlnd 8.1.11
max_allowed_packet: 67108864
max_connections: 151
### additional info ###
– virtual server created with Virtualmin
– database server is Localhost via UNIX socket, according to phpMyAdmin
– webserver runs on PHP-Version 7.4.32, according to phpMyAdmin
– collation is utf8mb4_german2_ci
– the error persists under PHP 7.4 and 8.0, too
– according to the server admin, upgrading cURL or OpenSSL isn’t “trivial”
Any Curl requests to https://smushpro.wpmudev.com/1.0/ failed on my website!
* Trying 165.227.251.120:443...
* Connected to smushpro.wpmudev.com (165.227.251.120) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: E:\php\php-7.4.29-nts-Win32-vc15-x64\extras\ssl\cacert.pem
CApath: none
* Operation timed out after 5008 milliseconds with 0 out of 0 bytes received
* Closing connection 0
cURL error number:28
cURL error:Operation timed out after 5004 milliseconds with 0 out of 0 bytes received
Array
(
[url] => https://smushpro.wpmudev.com/1.0/
[content_type] =>
[http_code] => 0
[header_size] => 0
[request_size] => 0
[filetime] => -1
[ssl_verify_result] => 1
[redirect_count] => 0
[total_time] => 5.004788
[namelookup_time] => 0.094297
[connect_time] => 0.265778
[pretransfer_time] => 0
[size_upload] => 0
[size_download] => 0
[speed_download] => 0
[speed_upload] => 0
[download_content_length] => -1
[upload_content_length] => -1
[starttransfer_time] => 0
[redirect_time] => 0
[redirect_url] =>
[primary_ip] => 165.227.251.120
[certinfo] => Array
(
)
[primary_port] => 443
[local_ip] => 192.168.72.10
[local_port] => 58949
[http_version] => 0
[protocol] => 2
[ssl_verifyresult] => 0
[scheme] => HTTPS
[appconnect_time_us] => 0
[connect_time_us] => 265778
[namelookup_time_us] => 94297
[pretransfer_time_us] => 0
[redirect_time_us] => 0
[starttransfer_time_us] => 0
[total_time_us] => 5004788
)

We ran Netsparker on our website and were able to address many of the problems reported with the plugin (thank you). There are two items though that we cannot seem to address, can you please confirm how we adjust:
1. TLS 1.1 is deprecated, we need to be on 1.2 at least, 1.3 preferred
2. Improve Ciphers to Strong Symmetric Ciphers
Thank you!
icedquick