cypht icon indicating copy to clipboard operation
cypht copied to clipboard

Published 20 hours ago verified publisher icon cypht-org

TLS 1.0 usage hardcoded (crypto_type option in stream_socket_enable_crypto calls)

Open jmce opened this issue 7 years ago • 2 comments

In

  • modules/imap/hm-imap.php
  • modules/pop3/hm-pop3.php
  • modules/smtp/hm-smtp.php

stream_socket_enable_crypto() is called with STREAM_CRYPTO_METHOD_TLS_CLIENT as crypto_type. According to a note in http://php.net/manual/en/function.stream-socket-enable-crypto.php this restricts communication to TLS 1.0 (since PHP version 5.6.7) — thus failing to connect to servers already not supporting TLS 1.0.

I noticed this by configuring cypht to connect to dovecot (IMAP, port 143) and postfix (SMTP 'submission', port 587) using STARTTLS. No problem on IMAP (by then dovecot was set up to refuse SSLv2 & SSLv3 only), but postfix was already configured to only accept TLS 1.2 on submission. As a result, cypht was unable to send email, with postfix log entries like

… postfix/submission/smtpd[20038]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

My quick fix (just having to support local connections) was to replace STREAM_CRYPTO_METHOD_TLS_CLIENT with STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT. For general use I suppose the ORing suggested in http://php.net/manual/en/function.stream-socket-enable-crypto.php would be the way to go, but it would be even nicer for cypht to allow configuring this separately for each connection (.ini file for main connections, user web interface for additional ones).

Version info:

cypht master.zip files from 2016-10-12 14:48:18 +0000 on Debian Jessie [8.6] with

  • nginx-… 1.9.10-1~bpo8+3
  • php5-… 5.6.26+dfsg-0+deb8u1 (using php5-fpm)
  • postfix-… 2.11.3-1
  • dovecot-… 1:2.2.24-1~bpo8+1
  • openssl-… 1.0.2j-1~bpo8+1
  • libssl1.0.0 1.0.2j-1~bpo8+1

jmce avatar Oct 15 '16 06:10 jmce

For now I implemented the suggested work around from the php.net comment. Seems like a reasonable work around until I can come up with some custom options. Putting some optional stuff in the ini file for this that falls back to the default makes sense. I'm not super keen on adding it to the UI, but we already have some confusion about TLS vs STARTTLS so maybe I need to revisit that anyway.

Thanks for the great feedback!

jasonmunro avatar Oct 17 '16 20:10 jasonmunro