Peer certificate not verified with IMAP-STARTTLS?
Can you explain why you do not, by default, validate the IMAP peer certificate in STARTTLS mode? To me this looks like a bad-practice solution to SSL errors (as they are often found as "accepted answers" on Stack Overflow or similar).
https://github.com/kartolo/direct_mail/blob/99858ef6e6ad53fda0112373b1303c50d46cf9c9/Resources/Private/Php/Fetch/src/Fetch/Server.php#L134
the Fetch library is coming from tedious/Fetch and is used as it is. See: https://github.com/tedious/Fetch/blob/master/src/Fetch/Server.php#L134
Do you see the necessity for the user to set the flag manually? See IMAP Flag.
Hi, thank you for the hint, I did not see you are using that library, see the upstream issue https://github.com/tedious/Fetch/issues/218.
No, I do not see the necessity for setting it manually, but I'd go a step ahead and re-set the validate-cert flag without question. Then, for the case that connection establishment fails due to certificate validation, direct_mail should recommend adding the peer (issuer) certificate for validation. That would be the way to solve these security issues without decreasing security.
I think there should be a possibility to set such flags (e.g. /ssl/novalidate-cert) in the planner task.
@responseinformationsdesign that would be OK, but only when there is a note that this is highly insecure, and that there are better solutions to such issues, e.g. updating CA certificates on OS level. And by default, that flag should be off.
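An added illustration of the default-secure behaviour discussed in this thread (validation on by default, the insecure flag only as an explicit opt-in, and a certificate-specific hint on failure). This is not code from direct_mail or tedious/Fetch; the function names and the `"certificate"` substring match on the error text are assumptions, and it requires the PHP imap extension.

```php
<?php
// Added example (not direct_mail's or tedious/Fetch's code).
// Assumes the PHP imap extension (imap_open / imap_last_error).

/**
 * Build the c-client mailbox specification, e.g.
 * "{imap.example.org:143/imap/tls/validate-cert}INBOX".
 * $insecure is the explicit opt-in for /novalidate-cert; it is never the default.
 */
function buildMailboxSpec(string $host, int $port, string $encryption, bool $insecure = false, string $mailbox = 'INBOX'): string
{
    $flags = '/imap';
    if ($encryption === 'ssl') {
        $flags .= '/ssl';          // implicit TLS (usually port 993)
    } elseif ($encryption === 'tls') {
        $flags .= '/tls';          // STARTTLS on the plain port (usually 143)
    }
    // The important part: peer validation is the default, bypass is explicit.
    $flags .= $insecure ? '/novalidate-cert' : '/validate-cert';
    return sprintf('{%s:%d%s}%s', $host, $port, $flags, $mailbox);
}

/**
 * Connect and, if the failure looks certificate-related, return a hint that
 * points the operator at the real fix (trust the issuing CA at OS level)
 * rather than at disabling validation. Returns [connection-or-false, hint-or-null].
 */
function connectWithHint(string $host, int $port, string $encryption, string $user, string $password, bool $insecure = false): array
{
    $spec = buildMailboxSpec($host, $port, $encryption, $insecure);
    $conn = @imap_open($spec, $user, $password);
    if ($conn !== false) {
        return [$conn, null];
    }
    $error = (string) imap_last_error();
    // Heuristic (assumption): c-client mentions "certificate" in TLS trust failures.
    if (stripos($error, 'certificate') !== false) {
        $hint = "IMAP connection to $host failed with: $error. "
              . "Add the server's issuing CA certificate to the OS trust store "
              . "(or fix the server's certificate chain) instead of using /novalidate-cert.";
        return [false, $hint];
    }
    return [false, "IMAP connection to $host failed with: $error"];
}
```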