[imp] IMAP and SMTP with TLSv1.2

Jan Schneider jan at horde.org
Fri Dec 11 08:37:44 UTC 2015


Quoting John Kramer <john.kramer at neys.org>:

> On 09.12.15 18:19, Jan Schneider wrote:
>>
>> Quoting John Kramer <john.kramer at neys.org>:
>>
>>> Hello list,
>>>
>>> I use Horde Webmail 5.2.10. At the moment I can connect to IMAP via
>>> port 143 with tls and SMTP via port 587 with tls. This is part of the
>>> backends.local.php:
>>> [snip]
>>>    'protocol' => 'imap',
>>>    'port' => 143,
>>>    'secure' => 'tls',
>>>    'smtp' => array(
>>>        'auth' => true,
>>>        'port' => 587,
>>>    ),
>>> [/snip]
>>>
>>> How can I upgrade the transport security from TLSv1.0 to TLSv1.2?
>>> Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
>>> connections. PHP 5.6 and OpenSSL 1.0.1 should be capable of TLSv1.1+.
>>> Are there any ideas?
>>>
>>> I use the following software:
>>> PHP 5.6.14
>>> OpenSSL 1.0.1p
>>> Horde Webmail 5.2.10
>>> Imp 6.2.10
>>> Horde_Imap_Client 2.29.3
>>> Horde_Mail 2.6.2_1
>>> Horde_Smtp 1.9.1
>>>
>>> Thanks in advance!
>>>
>>> John
>>> --
>>> imp mailing list
>>> Frequently Asked Questions: http://wiki.horde.org/FAQ
>>> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>>
>> You need to enable 1.2 on the IMAP and SMTP server. PHP will use it
>> automatically.
>>
>
> Hello Jan,
>
> thanks for your reply. I am sorry. I guess, my statement was a bit cloudy:
>
> TLSv1.2 is working fine with other servers (smtp) and every client  
> (submission and imap) I have seen so far in the logs e.g.  
> thunderbird, but:
>
>> Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde connections.
>
> Horde is always trying TLSv1.0, nothing else and I do not have a  
> clue where the problem could be. PHP or OpenSSL or the horde/imp  
> libraries do not want to play with it. I am almost sure it has  
> nothing to do with openssl, because I think PHP, cyrus-imap and  
> postfix are linked to the same openssl libraries.
>
> Any ideas?

All Horde libraries that work on sockets use \Horde\Socket\Client
behind the scenes. And this in turn uses PHP's
stream_socket_enable_crypto() with the STREAM_CRYPTO_METHOD_TLS_CLIENT
flag. That should allow any TLS version, and automatically pick the
highest available version.
You may be hitting https://bugs.php.net/bug.php?id=65329

-- 
Jan Schneider
The Horde Project
http://www.horde.org/
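
To see which protocol version PHP itself negotiates, independent of Horde, the check below performs IMAP STARTTLS and reports the negotiated protocol for the generic STREAM_CRYPTO_METHOD_TLS_CLIENT flag mentioned above and for the explicit STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT flag. It is an added example, not part of the original message and not Horde code; the default host name and port are placeholders.

```php
<?php
// Added diagnostic, not Horde code. Usage: php tlscheck.php <host> <port>
// The defaults below are placeholders; point it at your own IMAP server.

function negotiate($host, $port, $method)
{
    // capture_session_meta (PHP 5.6+) stores the negotiated session in the context.
    $ctx = stream_context_create(array('ssl' => array('capture_session_meta' => true)));
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if (!$fp) {
        return "connect failed: $errstr";
    }
    stream_set_timeout($fp, 10);
    fgets($fp);                          // IMAP greeting ("* OK ...")
    fwrite($fp, "a1 STARTTLS\r\n");
    do {
        $line = fgets($fp);              // skip untagged lines until the tagged reply
    } while ($line !== false && strpos($line, 'a1 ') !== 0);
    if ($line === false || stripos($line, 'a1 OK') !== 0) {
        fclose($fp);
        return 'STARTTLS refused: ' . trim((string) $line);
    }
    // Warnings are left visible: they carry the OpenSSL reason, which may be a
    // protocol mismatch or a certificate verification failure.
    if (stream_socket_enable_crypto($fp, true, $method) !== true) {
        fclose($fp);
        return 'handshake failed';
    }
    $meta = stream_get_meta_data($fp);
    $opts = stream_context_get_options($fp);
    fclose($fp);
    if (isset($meta['crypto']['protocol'])) {              // PHP 7+
        return $meta['crypto']['protocol'];
    }
    if (isset($opts['ssl']['session_meta']['protocol'])) { // PHP 5.6
        return $opts['ssl']['session_meta']['protocol'];
    }
    return 'connected, protocol unknown';
}

$host = isset($argv[1]) ? $argv[1] : 'imap.example.org';
$port = isset($argv[2]) ? (int) $argv[2] : 143;
$methods = array(
    'STREAM_CRYPTO_METHOD_TLS_CLIENT'     => STREAM_CRYPTO_METHOD_TLS_CLIENT,
    'STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
);
foreach ($methods as $name => $method) {
    printf("%-36s %s\n", $name, negotiate($host, $port, $method));
}
```

If the generic flag reports TLSv1 while the explicit flag reports TLSv1.2 against the same server, the limit is in PHP's handling of the flag rather than in the server or OpenSSL.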


