[imp] IMAP and SMTP with TLSv1.2

John Kramer john.kramer at neys.org
Fri Dec 11 15:52:38 UTC 2015


On 11.12.2015 09:37, Jan Schneider wrote:
>
> Zitat von John Kramer <john.kramer at neys.org>:
>
>> On 09.12.15 18:19, Jan Schneider wrote:
>>>
>>> Zitat von John Kramer <john.kramer at neys.org>:
>>>
>>>> Hello list,
>>>>
>>>> I use Horde Webmail 5.2.10. At the moment I can connect to IMAP via
>>>> port 143 with tls and SMTP via port 587 with tls. This is part of the
>>>> backends.local.php:
>>>> [snip]
>>>>    'protocol' => 'imap',
>>>>    'port' => 143,
>>>>    'secure' => 'tls',
>>>>    'smtp' => array(
>>>>        'auth' => true,
>>>>        'port' => 587,
>>>>    ),
>>>> [/snip]
>>>>
>>>> How can I upgrade the transport security from TLSv1.0 to TLSv1.2?
>>>> Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
>>>> connections. PHP 5.6 and OpenSSL 1.0.1 should be capable of TLSv1.1+.
>>>> Are there any ideas?
>>>>
>>>> I use the following software:
>>>> PHP 5.6.14
>>>> OpenSSL 1.0.1p
>>>> Horde Webmail 5.2.10
>>>> Imp 6.2.10
>>>> Horde_Imap_Client 2.29.3
>>>> Horde_Mail 2.6.2_1
>>>> Horde_Smtp 1.9.1
>>>>
>>>> Thanks in advance!
>>>>
>>>> John
>>>> --
>>>> imp mailing list
>>>> Frequently Asked Questions: http://wiki.horde.org/FAQ
>>>> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>>>
>>> You need to enable 1.2 on the IMAP and SMTP server. PHP will use it
>>> automatically.
>>>
>>
>> Hello Jan,
>>
>> thanks for your reply. I am sorry. I guess, my statement was a bit
>> cloudy:
>>
>> TLSv1.2 is working fine with other servers (smtp) and every client
>> (submission and imap) I have seen so far in the logs e.g. thunderbird,
>> but:
>>
>>> Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
>>> connections.
>>
>> Horde is always trying TLSv1.0, nothing else and I do not have a clue
>> where the problem could be. PHP or OpenSSL or the horde/imp libraries
>> do not want to play with it. I am almost sure it has nothing to do
>> with openssl, because I think PHP, cyrus-imap and postfix are linked
>> to the same openssl libraries.
>>
>> Any ideas?
>
> All Horde libraries that work on sockets use \Horde\Socket\Client behind
> the scenes. And this in return uses PHP's stream_socket_enable_crypto()
> with the STREAM_CRYPTO_METHOD_TLS_CLIENT flag. That should allow any TLS
> version, and automatically picking the highest available version.
> You may be hitting https://bugs.php.net/bug.php?id=65329
>

Hello Jan,

thanks for the link to the bug report. I didn't find it in my research.

STREAM_CRYPTO_METHOD_TLS_CLIENT is the source of the problem with PHP 
5.6. As https://wiki.php.net/rfc/improved-tls-defaults states under 
"Stream Wrapper Creep":
> Beyond the “creep” of new stream wrappers there also exists a consistency problem. Do all users understand that the ssl wrapper technically can negotiate any of the supported protocols? Do they know that in contrast the tls wrapper will only negotiate TLSv1 and not the newer TLS iterations?
[SNIP]
[SNIP]
>  Existing Constant Re-Valuing
>
> The existing constants are internally re-valued as shown below to allow their use as bitwise flags. Because the existing code delineates between clients and servers the least significant bit is used to differentiate between the two stream types.
[SNIP]
> STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1), /* Any TLS protocol */
[SNIP]

It seems there is a bug/feature? 
http://grokbase.com/t/php/php-bugs/1541c7f5jy/php-bug-bug-69345-new-tls-wrapper-disables-tls-1-1

Hard coding STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT or 
STREAM_CRYPTO_METHOD_SSLv23_CLIENT in Horde/Socket/Client.php upgrades 
the imap/smtp connections to TLSv1.2. That proved that my installation 
is capable of using TLSv1.2.

Since this exists as of PHP 5.5, I guess it will not change soon. Is 
there a chance to make Horde/Socket/Client.php capable of recognizing 
the PHP version or just trying newer protocols first?

Kind regards,
John
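The following is an added example, not code from Horde or from anyone in this thread. It shows the approach John describes (passing an explicit method mask to stream_socket_enable_crypto() instead of STREAM_CRYPTO_METHOD_TLS_CLIENT) on a bare IMAP STARTTLS connection. The host name imap.example.org, the tag strings and the helper names are assumptions for illustration. It also assumes that the per-version STREAM_CRYPTO_METHOD_TLSv1_*_CLIENT constants are bit flags that can be OR-ed together (as the RFC quoted above describes, PHP 5.6 and later) and that stream_get_meta_data() reports the negotiated protocol under a 'crypto' key on PHP 5.6 and later.

```php
<?php
// Added example (not Horde code): IMAP STARTTLS with an explicit TLS
// method mask. STREAM_CRYPTO_METHOD_TLS_CLIENT negotiates TLSv1.0 only
// on the PHP 5.5/5.6 builds discussed in the thread, so the mask is
// built from the per-version client constants instead.

function tlsClientMethod()
{
    // Assumption: the per-version constants are bit flags (PHP >= 5.6),
    // so OR-ing them means "TLS 1.0, 1.1 or 1.2, highest available wins".
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {
        return STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT
            | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
            | STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT;
    }
    // Older PHP has no per-version constants; TLS_CLIENT is all there is.
    return STREAM_CRYPTO_METHOD_TLS_CLIENT;
}

function readImapLine($fp)
{
    $line = fgets($fp, 4096);
    if ($line === false) {
        throw new RuntimeException('Connection closed by server');
    }
    return rtrim($line, "\r\n");
}

function readImapResponse($fp, $tag)
{
    // Collect untagged lines until the tagged completion line arrives.
    $lines = array();
    do {
        $line = readImapLine($fp);
        $lines[] = $line;
    } while (strpos($line, $tag . ' ') !== 0);
    return $lines;
}

function imapStartTls($host, $port = 143, $timeout = 10)
{
    // Peer verification options are read by stream_socket_enable_crypto()
    // from the context attached to the stream.
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    )));
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr,
                               $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    stream_set_timeout($fp, $timeout);

    // Plaintext greeting, e.g. "* OK [CAPABILITY IMAP4rev1 STARTTLS ...]".
    $greeting = readImapLine($fp);
    if (strpos($greeting, '* OK') !== 0) {
        throw new RuntimeException("unexpected greeting: $greeting");
    }

    fwrite($fp, "a001 STARTTLS\r\n");
    $resp = readImapResponse($fp, 'a001');
    if (strpos(end($resp), 'a001 OK') !== 0) {
        throw new RuntimeException('STARTTLS refused: ' . end($resp));
    }

    // The explicit mask, not STREAM_CRYPTO_METHOD_TLS_CLIENT.
    if (stream_socket_enable_crypto($fp, true, tlsClientMethod()) !== true) {
        throw new RuntimeException('TLS handshake failed');
    }

    // Assumption: PHP 5.6+ exposes the negotiated protocol in 'crypto'.
    $meta  = stream_get_meta_data($fp);
    $proto = isset($meta['crypto']['protocol']) ? $meta['crypto']['protocol'] : 'unknown';
    return array($fp, $proto);
}

// Assumed host name for the example.
list($fp, $proto) = imapStartTls('imap.example.org');
echo "negotiated $proto\n";
fwrite($fp, "a002 LOGOUT\r\n");
fclose($fp);
```

Building the mask from the three per-version flags is preferable to the two workarounds John tried: STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT alone fails against a server that only offers TLSv1.1, and STREAM_CRYPTO_METHOD_SSLv23_CLIENT means "any SSL or TLS version", so it can fall back to SSLv3 wherever the OpenSSL build still enables it. Disable TLSv1.0 on the server, run the script, and the printed protocol should read TLSv1.2 rather than a handshake error.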
