[imp] IMAP and SMTP with TLSv1.2

John Kramer john.kramer at neys.org
Sat Dec 12 04:33:59 UTC 2015


On 11.12.2015 18:12, Jan Schneider wrote:
>
> Zitat von John Kramer <john.kramer at neys.org>:
>
>> On 11.12.2015 09:37, Jan Schneider wrote:
>>>
>>> Zitat von John Kramer <john.kramer at neys.org>:
>>>
>>>> On 09.12.15 18:19, Jan Schneider wrote:
>>>>>
>>>>> Zitat von John Kramer <john.kramer at neys.org>:
>>>>>
>>>>>> Hello list,
>>>>>>
>>>>>> I use Horde Webmail 5.2.10. At the moment I can connect to IMAP via
>>>>>> port 143 with tls and SMTP via port 587 with tls. This is part of the
>>>>>> backends.local.php:
>>>>>> [snip]
>>>>>>   'protocol' => 'imap',
>>>>>>   'port' => 143,
>>>>>>   'secure' => 'tls',
>>>>>>   'smtp' => array(
>>>>>>       'auth' => true,
>>>>>>       'port' => 587,
>>>>>>   ),
>>>>>> [/snip]
>>>>>>
>>>>>> How can I upgrade the transport security from TLSv1.0 to TLSv1.2?
>>>>>> Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
>>>>>> connections. PHP 5.6 and OpenSSL 1.0.1 should be capable of TLSv1.1+.
>>>>>> Are there any ideas?
>>>>>>
>>>>>> I use the following software:
>>>>>> PHP 5.6.14
>>>>>> OpenSSL 1.0.1p
>>>>>> Horde Webmail 5.2.10
>>>>>> Imp 6.2.10
>>>>>> Horde_Imap_Client 2.29.3
>>>>>> Horde_Mail 2.6.2_1
>>>>>> Horde_Smtp 1.9.1
>>>>>>
>>>>>> Thanks in advance!
>>>>>>
>>>>>> John
>>>>>> --
>>>>>> imp mailing list
>>>>>> Frequently Asked Questions: http://wiki.horde.org/FAQ
>>>>>> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
>>>>>
>>>>> You need to enable 1.2 on the IMAP and SMTP server. PHP will use it
>>>>> automatically.
>>>>>
>>>>
>>>> Hello Jan,
>>>>
>>>> thanks for your reply. I am sorry. I guess my statement was a bit
>>>> cloudy:
>>>>
>>>> TLSv1.2 is working fine with other servers (smtp) and every client
>>>> (submission and imap) I have seen so far in the logs e.g. thunderbird,
>>>> but:
>>>>
>>>>> Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
>>>>> connections.
>>>>
>>>> Horde is always trying TLSv1.0, nothing else and I do not have a clue
>>>> where the problem could be. PHP or OpenSSL or the horde/imp libraries
>>>> do not want to play with it. I am almost sure it has nothing to do
>>>> with openssl, because I think PHP, cyrus-imap and postfix are linked
>>>> to the same openssl libraries.
>>>>
>>>> Any ideas?
>>>
>>> All Horde libraries that work on sockets use \Horde\Socket\Client behind
>>> the scenes. And this in turn uses PHP's stream_socket_enable_crypto()
>>> with the STREAM_CRYPTO_METHOD_TLS_CLIENT flag. That should allow any TLS
>>> version and automatically pick the highest available version.
>>> You may be hitting https://bugs.php.net/bug.php?id=65329
>>>
>>
>> Hello Jan,
>>
>> thanks for the link to the bug report. I didn't find it in my research.
>>
>> STREAM_CRYPTO_METHOD_TLS_CLIENT is the source of the problem with PHP
>> 5.6. As https://wiki.php.net/rfc/improved-tls-defaults states under
>> "Stream Wrapper Creep":
>>> Beyond the “creep” of new stream wrappers there also exists a
>>> consistency problem. Do all users understand that the ssl wrapper
>>> technically can negotiate any of the supported protocols? Do they
>>> know that in contrast the tls wrapper will only negotiate TLSv1 and
>>> not the newer TLS iterations?
>> [SNIP]
>> [SNIP]
>>> Existing Constant Re-Valuing
>>>
>>> The existing constants are internally re-valued as shown below to
>>> allow their use as bitwise flags. Because the existing code
>>> delineates between clients and servers the least significant bit is
>>> used to differentiate between the two stream types.
>> [SNIP]
>>> STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) |
>>> 1), /* Any TLS protocol */
>> [SNIP]
>>
>> It seems there is a bug/feature?
>> http://grokbase.com/t/php/php-bugs/1541c7f5jy/php-bug-bug-69345-new-tls-wrapper-disables-tls-1-1
>>
>>
>> Hard coding STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT or
>> STREAM_CRYPTO_METHOD_SSLv23_CLIENT in Horde/Socket/Client.php upgrades
>> the imap/smtp connections to TLSv1.2. That proved that my installation
>> is capable of using TLSv1.2.
>>
>> Since this exists as of PHP 5.5 I guess it will not change soon. Is
>> there a chance to make Horde/Socket/Client.php capable of recognizing
>> the PHP version or just trying newer protocols first?
>
> Yes, I guess that's the only viable option. Please create a ticket for
> that.
>

https://bugs.horde.org/ticket/14190
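The thread pins the problem on PHP 5.6's STREAM_CRYPTO_METHOD_TLS_CLIENT negotiating only TLSv1.0, and the workaround John found was to hand stream_socket_enable_crypto() a newer method flag. The following is an added example, not code from the thread and not Horde's own Socket client: an IMAP STARTTLS client that ORs in the TLSv1.1/TLSv1.2 client flags when the PHP build defines them, verifies the server certificate, and reports which protocol was actually negotiated. The host name, the command tags and the `crypto` metadata check are assumptions for illustration, not taken from the thread.

```php
<?php
// Added example (not Horde code): on a PHP 5.6 build where
// STREAM_CRYPTO_METHOD_TLS_CLIENT alone only negotiates TLSv1.0, OR in
// the per-version client flags so TLSv1.1/1.2 are offered as well.

function preferredClientCryptoMethod()
{
    // Base flag that Horde_Socket_Client passes (per the thread).
    $method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
    // The per-version flags exist since PHP 5.6; guard with defined()
    // so the code still loads on older builds.
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT')) {
        $method |= STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
    }
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {
        $method |= STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    }
    return $method;
}

function readImapResponse($fp, $tag)
{
    // Skip untagged lines until the tagged completion line arrives.
    while (($line = fgets($fp)) !== false) {
        if (strpos($line, $tag . ' ') === 0) {
            return $line;
        }
    }
    return false;
}

function imapStartTls($host, $port = 143, $timeout = 10)
{
    // Always verify the server certificate against the expected name;
    // a STARTTLS upgrade without verification is trivially downgradable.
    $ctx = stream_context_create(array(
        'ssl' => array(
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $host,
        ),
    ));
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr,
                               $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    // Server greeting is an untagged "* OK ..." line.
    $greeting = fgets($fp);
    if ($greeting === false || strpos($greeting, '* OK') !== 0) {
        throw new RuntimeException('unexpected greeting: ' . trim((string) $greeting));
    }
    fwrite($fp, "a1 STARTTLS\r\n");
    $resp = readImapResponse($fp, 'a1');
    if ($resp === false || strpos($resp, 'a1 OK') !== 0) {
        throw new RuntimeException('STARTTLS refused: ' . trim((string) $resp));
    }
    // Upgrade the cleartext socket; the method mask decides which TLS
    // versions the client offers in the handshake.
    $ok = stream_socket_enable_crypto($fp, true, preferredClientCryptoMethod());
    if ($ok !== true) {
        fclose($fp);
        throw new RuntimeException('TLS handshake failed');
    }
    return $fp;
}

function negotiatedProtocol($fp)
{
    // Newer PHP builds expose the negotiated protocol in the stream
    // metadata (assumption: 'crypto' key present); otherwise say so
    // instead of guessing.
    $meta = stream_get_meta_data($fp);
    return isset($meta['crypto']['protocol']) ? $meta['crypto']['protocol'] : 'unknown';
}

// Usage (host name is a placeholder, not a server from the thread):
$fp = imapStartTls('imap.example.invalid');
echo 'negotiated: ', negotiatedProtocol($fp), "\n";
fwrite($fp, "a2 LOGOUT\r\n");
fclose($fp);
```

Against a server with TLSv1.0 disabled, the handshake only succeeds once the TLSv1.1/1.2 bits are ORed in; logging negotiatedProtocol() on the client side gives the same evidence John obtained by hard-coding STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT in Horde/Socket/Client.php, without patching the library.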