[imp] IMAP and SMTP with TLSv1.2
Jan Schneider
jan at horde.org
Fri Dec 11 17:12:14 UTC 2015
Quote from John Kramer <john.kramer at neys.org>:
> On 11.12.2015 09:37, Jan Schneider wrote:
>>
>> Quote from John Kramer <john.kramer at neys.org>:
>>
>>> On 09.12.15 18:19, Jan Schneider wrote:
>>>>
>>>> Quote from John Kramer <john.kramer at neys.org>:
>>>>
>>>>> Hello list,
>>>>>
>>>>> I use Horde Webmail 5.2.10. At the moment I can connect to IMAP via
>>>>> port 143 with tls and SMTP via port 587 with tls. This is part of the
>>>>> backends.local.php:
>>>>> [snip]
>>>>> 'protocol' => 'imap',
>>>>> 'port' => 143,
>>>>> 'secure' => 'tls',
>>>>> 'smtp' => array(
>>>>> 'auth' => true,
>>>>> 'port' => 587,
>>>>> ),
>>>>> [/snip]
>>>>>
>>>>> How can I upgrade the transport security from TLSv1.0 to TLSv1.2?
>>>>> Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
>>>>> connections. PHP 5.6 and OpenSSL 1.0.1 should be capable of TLSv1.1+.
>>>>> Are there any ideas?
>>>>>
>>>>> I use the following software:
>>>>> PHP 5.6.14
>>>>> OpenSSL 1.0.1p
>>>>> Horde Webmail 5.2.10
>>>>> Imp 6.2.10
>>>>> Horde_Imap_Client 2.29.3
>>>>> Horde_Mail 2.6.2_1
>>>>> Horde_Smtp 1.9.1
>>>>>
>>>>> Thanks in advance!
>>>>>
>>>>> John
>>>>
>>>> You need to enable 1.2 on the IMAP and SMTP server. PHP will use it
>>>> automatically.
>>>>
>>>
>>> Hello Jan,
>>>
>>> thanks for your reply. I am sorry. I guess my statement was a bit
>>> cloudy:
>>>
>>> TLSv1.2 is working fine with other servers (smtp) and every client
>>> (submission and imap) I have seen so far in the logs, e.g. Thunderbird,
>>> but:
>>>
>>>> Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
>>>> connections.
>>>
>>> Horde is always trying TLSv1.0, nothing else and I do not have a clue
>>> where the problem could be. PHP or OpenSSL or the horde/imp libraries
>>> do not want to play with it. I am almost sure it has nothing to do
>>> with openssl, because I think PHP, cyrus-imap and postfix are linked
>>> to the same openssl libraries.
>>>
>>> Any ideas?
>>
>> All Horde libraries that work on sockets use \Horde\Socket\Client behind
>> the scenes. And this in turn uses PHP's stream_socket_enable_crypto()
>> with the STREAM_CRYPTO_METHOD_TLS_CLIENT flag. That should allow any TLS
>> version, automatically picking the highest available version.
>> You may be hitting https://bugs.php.net/bug.php?id=65329
>>
>
> Hello Jan,
>
> thanks for the link to the bug report. I didn't find it in my research.
>
> STREAM_CRYPTO_METHOD_TLS_CLIENT is the source of the problem with
> PHP 5.6. As https://wiki.php.net/rfc/improved-tls-defaults states
> under "Stream Wrapper Creep":
>> Beyond the “creep” of new stream wrappers there also exists a
>> consistency problem. Do all users understand that the ssl wrapper
>> technically can negotiate any of the supported protocols? Do they
>> know that in contrast the tls wrapper will only negotiate TLSv1 and
>> not the newer TLS iterations?
> [SNIP]
> [SNIP]
>> Existing Constant Re-Valuing
>>
>> The existing constants are internally re-valued as shown below to
>> allow their use as bitwise flags. Because the existing code
>> delineates between clients and servers the least significant bit is
>> used to differentiate between the two stream types.
> [SNIP]
>> STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) |
>> 1), /* Any TLS protocol */
> [SNIP]
>
> It seems there is a bug/feature?
> http://grokbase.com/t/php/php-bugs/1541c7f5jy/php-bug-bug-69345-new-tls-wrapper-disables-tls-1-1
>
> Hard coding STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT or
> STREAM_CRYPTO_METHOD_SSLv23_CLIENT in Horde/Socket/Client.php
> upgrades the imap/smtp connections to TLSv1.2. That proved that my
> installation is capable of using TLSv1.2.
>
> Since this exists as of PHP 5.5 I guess it will not change soon. Is
> there a chance to make Horde/Socket/Client.php capable of
> recognizing the PHP version or just trying newer protocols first?
Yes, I guess that's the only viable option. Please create a ticket for that.
--
Jan Schneider
The Horde Project
http://www.horde.org/
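For anyone hitting the same thing, here is an added example (not Horde's own Socket\Client code, and not code posted in this thread) of the workaround John describes: a STARTTLS client for IMAP on 143 or SMTP on 587 that passes an explicit bitmask of the per-version client constants to stream_socket_enable_crypto() instead of the bare STREAM_CRYPTO_METHOD_TLS_CLIENT flag, and then reads the negotiated version back from stream_get_meta_data(). It assumes PHP 5.6 (for the peer_name context option and the crypto metadata); the host names, the EHLO name and the script name are placeholders.

```php
<?php
// Added example (not Horde's Socket\Client): STARTTLS on IMAP 143 or SMTP 587,
// then upgrade the stream with an explicit TLS-version bitmask instead of the
// bare STREAM_CRYPTO_METHOD_TLS_CLIENT flag, which on PHP 5.5/5.6 negotiates
// only TLSv1.0. Host names and the EHLO name below are placeholders.

function tls_method_mask()
{
    // "TLSv1.2 | TLSv1.1 | TLSv1.0 client": OpenSSL then picks the highest
    // version both sides support. The per-version constants exist as of
    // PHP 5.5, so guard each one with defined() instead of assuming it.
    $mask = 0;
    foreach (array('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT',
                   'STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT',
                   'STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT') as $name) {
        if (defined($name)) {
            $mask |= constant($name);
        }
    }
    // Builds without those constants: fall back to the plain flag.
    return $mask ?: STREAM_CRYPTO_METHOD_TLS_CLIENT;
}

function read_until($fp, $pattern)
{
    // Collect server lines until one matches $pattern (PCRE). IMAP tagged
    // replies and SMTP multi-line replies both end on such a line.
    $buf = '';
    while (($line = fgets($fp)) !== false) {
        $buf .= $line;
        if (preg_match($pattern, $line)) {
            return $buf;
        }
    }
    throw new RuntimeException("connection closed while waiting for $pattern");
}

function starttls_connect($host, $port, $proto)
{
    // Verify certificate and host name. PHP 5.6 defaults to this; saying it
    // explicitly keeps the intent visible on other versions.
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    )));
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect to $host:$port failed: $errstr ($errno)");
    }

    if ($proto === 'imap') {
        read_until($fp, '/^\* (OK|PREAUTH)/');      // server greeting
        fwrite($fp, "a1 STARTTLS\r\n");
        $reply = read_until($fp, '/^a1 /');         // tagged completion
        if (!preg_match('/^a1 OK/m', $reply)) {
            fclose($fp);
            throw new RuntimeException("IMAP STARTTLS refused: $reply");
        }
    } elseif ($proto === 'smtp') {
        read_until($fp, '/^220 /');                 // server greeting
        fwrite($fp, "EHLO client.example\r\n");     // placeholder client name
        $ehlo = read_until($fp, '/^250 /');         // last line of EHLO reply
        if (stripos($ehlo, 'STARTTLS') === false) {
            fclose($fp);
            throw new RuntimeException('server does not advertise STARTTLS');
        }
        fwrite($fp, "STARTTLS\r\n");
        $reply = read_until($fp, '/^\d{3} /');
        if (substr($reply, 0, 3) !== '220') {
            fclose($fp);
            throw new RuntimeException("SMTP STARTTLS refused: $reply");
        }
    } else {
        fclose($fp);
        throw new InvalidArgumentException("unknown protocol $proto");
    }

    // The actual fix: pass the bitmask, not STREAM_CRYPTO_METHOD_TLS_CLIENT.
    if (stream_socket_enable_crypto($fp, true, tls_method_mask()) !== true) {
        fclose($fp);
        throw new RuntimeException('TLS handshake failed');
    }
    // PHP 5.6+ reports the negotiated version under meta['crypto']['protocol'].
    $meta = stream_get_meta_data($fp);
    $version = isset($meta['crypto']['protocol']) ? $meta['crypto']['protocol'] : 'unknown';
    return array($fp, $version);
}

// CLI usage, e.g.:  php starttls_check.php imap.example.org 143 imap
if (PHP_SAPI === 'cli' && $argc === 4) {
    list($fp, $version) = starttls_connect($argv[1], (int) $argv[2], $argv[3]);
    echo "negotiated $version\n";
    fwrite($fp, $argv[3] === 'imap' ? "a2 LOGOUT\r\n" : "QUIT\r\n");
    fclose($fp);
}
```

Run it against the real server with TLSv1.0 disabled there: if it reports TLSv1.2, PHP and OpenSSL are fine and only the flag passed by the library is at fault, which is the conclusion John reached by patching Horde/Socket/Client.php. The server side alone can be checked without PHP using openssl s_client with -starttls imap or -starttls smtp and -tls1_2.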