From: Emmanuel D. <ma...@ne...> - 2014-01-20 09:16:32
On Sun, Jan 19, 2014 at 08:17:25PM -0800, Paul Lesniewski wrote:
> > Squirrelmail has TLS support, but it lacks the ability to enforce server
> > certificate validation. This leaves no defense against MiM attacks using
> > a self-signed certificate. (...)
> Indeed. If you care to send a diff, I'd be happy to commit it.

Here it is: http://ftp.espci.fr/shadow/manu/sq-stream.patch

I tested it with this configuration:

$smtpServerAddress = 'smtp.example.net';
$smtpPort = 465;
$use_smtp_tls = true;
$smtpOptions['ssl']['verify_peer'] = true;
$smtpOptions['ssl']['verify_depth'] = 3;
$smtpOptions['ssl']['cafile'] = '/etc/openssl/certs/ca.crt';

Using the wrong CA in $smtpOptions['ssl']['cafile'] causes the connection to abort, which suggests the thing works. Sendmail logs the TLS cipher used as being ECDHE-RSA-AES256-GCM-SHA384, which is the best OpenSSL can do.

There is just one small problem, with the default timeout: having a null timeout causes CA validation to always fail. In that patch, I change a null timeout to the arbitrary value 30, but perhaps that should be configurable.

While I am there, I made the same work on imapproxy. That was discussed and submitted on the relevant mailing list months ago, but it was not committed so far. Here is the latest patch, in case someone can check it in: http://ftp.espci.fr/shadow/manu/imapproxy4.patch

--
Emmanuel Dreyfus
ma...@ne...
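The stream-context settings the mail tests, written out as a stand-alone PHP example (added here; it is not the sq-stream.patch code and not SquirrelMail's own SMTP class). It assumes a placeholder host and CA path, and the helper names build_tls_context and connect_smtp_tls are made up for the illustration; the ssl option keys are PHP's real stream-context keys, and 'verify_peer_name' only takes effect on PHP 5.6 or later.

```php
<?php
// Added example: enforce server certificate validation on an SMTP-over-TLS
// connection, mirroring $smtpOptions['ssl'] from the mail above.

// Build the stream context. Keys mirror $smtpOptions['ssl']; callers may
// override the defaults, but 'verify_peer' is what defeats a self-signed
// certificate presented by a man in the middle.
function build_tls_context(array $sslOptions) {
    $defaults = array(
        'verify_peer'       => true,   // chain must anchor in 'cafile'
        'verify_peer_name'  => true,   // CN/SAN must match the host (PHP >= 5.6)
        'allow_self_signed' => false,  // reject exactly the MiM case described
        'verify_depth'      => 3,
    );
    return stream_context_create(array('ssl' => array_merge($defaults, $sslOptions)));
}

// Open the TLS socket. A zero/null timeout makes validation fail in the setup
// the mail describes, so an explicit positive timeout is required here.
function connect_smtp_tls($host, $port, array $sslOptions, $timeout = 30) {
    if ($timeout <= 0) {
        throw new InvalidArgumentException('timeout must be a positive number of seconds');
    }
    $ctx = build_tls_context($sslOptions);
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // A wrong CA in 'cafile' or a self-signed server cert ends up here.
        throw new RuntimeException("TLS connect to $host:$port failed: [$errno] $errstr");
    }
    stream_set_timeout($fp, $timeout);
    $banner = fgets($fp, 512);   // expect a "220 ..." SMTP greeting
    return array($fp, $banner);
}

// Usage with the settings from the mail (placeholder host and CA path).
$smtpOptions = array('ssl' => array(
    'verify_peer'  => true,
    'verify_depth' => 3,
    'cafile'       => '/etc/openssl/certs/ca.crt',
));
try {
    list($fp, $banner) = connect_smtp_tls('smtp.example.net', 465, $smtpOptions['ssl']);
    echo "Server banner: $banner";
    fwrite($fp, "QUIT\r\n");
    fclose($fp);
} catch (Exception $e) {
    echo $e->getMessage(), "\n";
}
```

Pointing 'cafile' at a CA that did not issue the server's certificate is the quick check the mail performs: the connect must fail, otherwise validation is not actually enforced.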