[Tickets #14190] PHP 5.6 and IMAP/SMTP connection with TLSv1.2 not working

noreply at bugs.horde.org noreply at bugs.horde.org
Sat Dec 12 04:29:50 UTC 2015


DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: https://bugs.horde.org/ticket/14190
------------------------------------------------------------------------------
  Ticket             | 14190
  Created By         | john.kramer at neys.org
  Summary            | PHP 5.6 and IMAP/SMTP connection with TLSv1.2 not
                     | working
  Queue              | Horde Framework Packages
  Type               | Bug
  State              | Unconfirmed
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


john.kramer at neys.org (2015-12-12 04:29) wrote:

With PHP 5.6, connections to IMAP or SMTP servers cannot be secured
with TLSv1.2. Setting 'secure' => 'tls' just leads to TLSv1.0.

STREAM_CRYPTO_METHOD_TLS_CLIENT is the source of the problem. As  
https://wiki.php.net/rfc/improved-tls-defaults states under "Stream  
Wrapper Creep":
> Beyond the "creep" of new stream wrappers there also exists a
> consistency problem. Do all users understand that the ssl wrapper  
> technically can negotiate any of the supported protocols? Do they  
> know that in contrast the tls wrapper will only negotiate TLSv1 and  
> not the newer TLS iterations?
[SNIP]
[SNIP]
>  Existing Constant Re-Valuing
>
> The existing constants are internally re-valued as shown below to  
> allow their use as bitwise flags. Because the existing code  
> delineates between clients and servers the least significant bit is  
> used to differentiate between the two stream types.
[SNIP]
> STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) |  
> 1), /* Any TLS protocol */
[SNIP]

It seems there is a bug/feature?  
http://grokbase.com/t/php/php-bugs/1541c7f5jy/php-bug-bug-69345-new-tls-wrapper-disables-tls-1-1

Hard coding STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT or  
STREAM_CRYPTO_METHOD_SSLv23_CLIENT in Horde/Socket/Client.php upgrades  
the imap/smtp connections to TLSv1.2.

Since this exists as of PHP 5.5 I guess it will not change soon. Is  
there a chance to make Horde/Socket/Client.php capable of recognizing  
the PHP version or just trying newer protocols first?

Maybe something like this (https://github.com/pear/Net_SMTP/pull/22)  
can solve the problem.

More information about the problem:
http://lists.horde.org/archives/imp/Week-of-Mon-20151207/057059.html
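
One way to do what the ticket asks for, as an added example that is not part of the original ticket and is not Horde's or Net_SMTP's code: OR in the versioned TLS client constants when the running PHP defines them, then check which protocol was actually negotiated. The function names and the `$minimum` parameter are hypothetical, and the `crypto` entry in the stream metadata is assumed to be present on the build in use.

```php
<?php
// Added example; not Horde or Net_SMTP code. Function names are hypothetical.

/** Bitmask of every TLS client method this PHP build defines. */
function tls_client_crypto_method()
{
    $method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
    // The versioned constants are missing on older PHP, so probe by name.
    foreach (array('TLSv1_1', 'TLSv1_2') as $version) {
        $name = 'STREAM_CRYPTO_METHOD_' . $version . '_CLIENT';
        if (defined($name)) {
            $method |= constant($name);
        }
    }
    return $method;
}

/**
 * Upgrade a connected stream after the server accepted STARTTLS and refuse
 * anything older than $minimum. Returns the negotiated protocol, or null
 * when this build does not report it (assumption: 'crypto' metadata key).
 */
function upgrade_to_tls($stream, $minimum = 'TLSv1.2')
{
    $rank = array('TLSv1' => 0, 'TLSv1.1' => 1, 'TLSv1.2' => 2, 'TLSv1.3' => 3);
    if (stream_socket_enable_crypto($stream, true, tls_client_crypto_method()) !== true) {
        throw new RuntimeException('TLS handshake failed');
    }
    $meta = stream_get_meta_data($stream);
    if (!isset($meta['crypto']['protocol'])) {
        return null;
    }
    $protocol = $meta['crypto']['protocol'];
    if (!isset($rank[$protocol]) || $rank[$protocol] < $rank[$minimum]) {
        fclose($stream);
        throw new RuntimeException("Negotiated $protocol, below $minimum");
    }
    return $protocol;
}

// Offline check: list which protocol bits the mask carries on this build.
$mask = tls_client_crypto_method();
foreach (array('TLSv1_0', 'TLSv1_1', 'TLSv1_2') as $version) {
    $name = 'STREAM_CRYPTO_METHOD_' . $version . '_CLIENT';
    if (defined($name)) {
        $offered = ($mask & constant($name)) === constant($name);
        echo $version, ': ', $offered ? 'offered' : 'not offered', "\n";
    }
}
```

Run as a script, it only prints the mask contents; `upgrade_to_tls()` needs a stream that has already completed the plaintext STARTTLS exchange.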




