Re: [SM-DEVEL] CA validation

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

Hello

I got no reply to the message below. Is there really no interest in
certificate validation? Encrypting communication is of little interest
if you are not sure of who you are talking with...

Emmanuel Dreyfus <ma...@ne...> wrote:

> Squirrelmail has TLS support, but it lacks the ability to enforce server
> certificate validation. This leaves no defense against MiM attacks using
> a self-signed certificate.
> 
> Here is how it could be fixed, for SMTP side. Connexion is established
> in class/deliver/Deliver_SMTP.class.php:
> 
> $stream = 
>     @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
> 
> The stream_socket_client() function is an alternative to fsockopen()
> that appeared in PHP 5. It allows the caller to specify a context with
> various options:
> 
> if (function_exists('stream_socket_client') {
>   $remote = sprintf("ssl://%s:%d", $host, port);
>   $opts = array(
>     'ssl' => array(
>       'verify_peer' => TRUE,
>       'verify_depth' => 5,
>       'cafile' => '/path/to/ca_file',
>     ),
>   );
>   $ctx = stream_context_create($opts);
>   $timeout = ini_get("default_socket_timeout");
>   $stream = 
>     @stream_socket_client($remote, $errorNumber, $errorString,  
>      $timeout, STREAM_CLIENT_CONNECT, $ctx);
> } else {
>   $stream = 
>     @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);
> }
> 
> Of course '/path/to/ca_file' needs to be configurable, I can work on
> this if the idea is accepted.
> 
> Also note that I changed tls:// to ssl://. Inside the bowels of PHP,
> tls:// causes OpenSSL's TLSv1_client_method() to be used. As its name
> suggests, this metho can only negociate TLSv1.
> 
> ssl:// causes SSLv23_client_method() to be used. As its named does not
> suggests, it is able to negociate the highest protocol version
> avaialble, up to TLSv1.2 if the installed OpenSSL supports it. This
> causes much stronger ciphers to be used.
> 
> For now Squirrelmail's usage of tls:// can be worked around by
> specifying a ssl:// prefixed $smtpServerAddress with $use_smtp_tls =
> false, but switching the code to ssl:// would immediatly improve
> everyone setup.
> 
> I did not look at the IMAP side since I use imapproxy, and therefore
> Squirrelmail is not incharge of IMAP TLS, but the idea is the same.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...