From: Paul L. <pa...@sq...> - 2014-01-20 04:17:53
On Sat, Nov 23, 2013 at 9:37 PM, Emmanuel Dreyfus <ma...@ne...> wrote:
> Squirrelmail has TLS support, but it lacks the ability to enforce server
> certificate validation. This leaves no defense against MiM attacks using
> a self-signed certificate.
>
> Here is how it could be fixed, for the SMTP side. Connection is established
> in class/deliver/Deliver_SMTP.class.php:
>
>     $stream =
>         @fsockopen('tls://' . $host, $port, $errorNumber, $errorString);
>
> The stream_socket_client() function is an alternative to fsockopen()
> that appeared in PHP 5. It allows the caller to specify a context with
> various options:
>
>     if (function_exists('stream_socket_client')) {
>         $remote = sprintf("ssl://%s:%d", $host, $port);
>         $opts = array(
>             'ssl' => array(
>                 'verify_peer' => TRUE,
>                 'verify_depth' => 5,
>                 'cafile' => '/path/to/ca_file',
>             ),
>         );
>         $ctx = stream_context_create($opts);
>         $timeout = ini_get("default_socket_timeout");
>         $stream =
>             @stream_socket_client($remote, $errorNumber, $errorString,
>                 $timeout, STREAM_CLIENT_CONNECT, $ctx);
>     } else {
>         $stream =
>             @fsockopen('ssl://' . $host, $port, $errorNumber, $errorString);
>     }
>
> Of course '/path/to/ca_file' needs to be configurable, I can work on
> this if the idea is accepted.
>
> Also note that I changed tls:// to ssl://. Inside the bowels of PHP,
> tls:// causes OpenSSL's TLSv1_client_method() to be used. As its name
> suggests, this method can only negotiate TLSv1.
>
> ssl:// causes SSLv23_client_method() to be used. As its name does not
> suggest, it is able to negotiate the highest protocol version
> available, up to TLSv1.2 if the installed OpenSSL supports it. This
> causes much stronger ciphers to be used.
>
> For now Squirrelmail's usage of tls:// can be worked around by
> specifying an ssl:// prefixed $smtpServerAddress with $use_smtp_tls =
> false, but switching the code to ssl:// would immediately improve
> everyone's setup.

Indeed. If you care to send a diff, I'd be happy to commit it.

> I did not look at the IMAP side since I use imapproxy, and therefore
> Squirrelmail is not in charge of IMAP TLS, but the idea is the same.

If you have the interest in addressing this, we'd appreciate it, but if
not, that's fine and I would be happy to take care of it.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
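
The verification approach proposed in the quoted message, as an added example that is not part of the thread or of SquirrelMail's code: a hypothetical helper, sm_open_verified_tls(), that also checks the certificate name and refuses to fall back to an unverified fsockopen() connection. The function name, host and CA path are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not SquirrelMail code.
// Opens an SMTP-over-TLS stream and fails closed when the server
// certificate cannot be validated against the configured CA file.
function sm_open_verified_tls($host, $port, $cafile, &$error)
{
    if (!function_exists('stream_socket_client')) {
        // fsockopen() takes no context, so it cannot verify the peer.
        $error = 'stream_socket_client() unavailable; refusing unverified TLS';
        return false;
    }
    if (!is_readable($cafile)) {
        $error = "CA file not readable: $cafile";
        return false;
    }

    $ssl = array(
        'verify_peer'       => true,   // chain must end at a CA in $cafile
        'verify_depth'      => 5,
        'cafile'            => $cafile,
        'allow_self_signed' => false,
    );
    // verify_peer only checks the chain. The name must be checked too,
    // otherwise any certificate issued by a trusted CA is accepted.
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $ssl['verify_peer_name'] = true;
        $ssl['peer_name']        = $host;
    } else {
        $ssl['CN_match'] = $host;      // pre-5.6 equivalent
    }

    $ctx     = stream_context_create(array('ssl' => $ssl));
    $timeout = (float) ini_get('default_socket_timeout');
    $stream  = @stream_socket_client(sprintf('ssl://%s:%d', $host, $port),
        $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx);

    if ($stream === false) {
        $error = "TLS connect to $host:$port failed ($errno): $errstr";
        return false;
    }
    return $stream;
}

// Constructed sample values: the placeholder CA path is not readable,
// so this call returns false before any network connection is attempted.
$stream = sm_open_verified_tls('smtp.example.org', 465, '/path/to/ca_file', $err);
if ($stream === false) {
    error_log($err);
}
```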