From: Paul L. <pa...@sq...> - 2014-01-21 01:56:38
On Mon, Jan 20, 2014 at 1:16 AM, Emmanuel Dreyfus <ma...@ne...> wrote:
> On Sun, Jan 19, 2014 at 08:17:25PM -0800, Paul Lesniewski wrote:
>> > Squirrelmail has TLS support, but it lacks the ability to enforce server
>> > certificate validation. This leaves no defense against MiM attacks using
>> > a self-signed certificate.
> (...)
>> Indeed. If you care to send a diff, I'd be happy to commit it.
>
> Here it is:
> http://ftp.espci.fr/shadow/manu/sq-stream.patch
>
> I tested it with this configuration:
> $smtpServerAddress='smtp.example.net';
> $smtpPort = 465;
> $use_smtp_tls = true;
> $smtpOptions['ssl']['verify_peer'] = true;
> $smtpOptions['ssl']['verify_depth'] = 3;
> $smtpOptions['ssl']['cafile'] = '/etc/openssl/certs/ca.crt';
>
> Using the wrong CA in $smtpOptions['ssl']['cafile'] causes the connection
> to abort, which suggests the thing works. Sendmail logs the TLS cipher
> used as being ECDHE-RSA-AES256-GCM-SHA384, which is the best OpenSSL
> can do.

http://sourceforge.net/p/squirrelmail/code/14427
http://sourceforge.net/p/squirrelmail/code/14429

I also added the same support on the IMAP side.

Thanks again,

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
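The verify_peer/cafile configuration quoted above, as an added example written for this page rather than code from the patch or from SquirrelMail: a PHP helper that opens the SMTP-over-TLS socket through a stream context carrying those SSL options, so a server whose certificate does not chain to cafile makes the connection abort before any SMTP traffic, as the test in the thread describes. The host, CA path, CN_match and timeout are assumed sample values.

```php
<?php
// Added example (not SquirrelMail's own code): apply the stream SSL options
// from the quoted configuration when opening the SMTP connection.
$smtpServerAddress = 'smtp.example.net';           // sample value
$smtpPort = 465;
$smtpOptions = [
    'ssl' => [
        'verify_peer'  => true,                      // refuse certs not chaining to cafile
        'verify_depth' => 3,                         // longest chain accepted
        'cafile'       => '/etc/openssl/certs/ca.crt', // sample path
        // verify_peer alone does not check the hostname on PHP < 5.6;
        // CN_match adds that (5.6+ uses peer_name / verify_peer_name).
        'CN_match'     => 'smtp.example.net',
    ],
];

function smtp_tls_connect($host, $port, array $options, $timeout = 15)
{
    // Without a context, older PHP negotiated TLS without validating the
    // server certificate, which is the MiM exposure the thread discusses.
    $context = stream_context_create($options);
    $errno = 0;
    $errstr = '';
    $stream = @stream_socket_client(
        "ssl://$host:$port",
        $errno,
        $errstr,
        $timeout,
        STREAM_CLIENT_CONNECT,
        $context
    );
    if ($stream === false) {
        // A wrong CA in cafile lands here: the handshake fails and no
        // SMTP banner is ever read.
        return ['ok' => false, 'error' => "$errno: $errstr"];
    }
    $banner = fgets($stream, 512);   // e.g. "220 smtp.example.net ESMTP ..."
    fclose($stream);
    return ['ok' => true, 'banner' => trim((string) $banner)];
}

$result = smtp_tls_connect($smtpServerAddress, $smtpPort, $smtpOptions);
if (!$result['ok']) {
    fwrite(STDERR, "TLS connection refused: {$result['error']}\n");
    exit(1);
}
echo "Verified TLS session; banner: {$result['banner']}\n";
```

Swapping cafile for a CA that did not issue the server's certificate should turn the banner line into the "TLS connection refused" branch; if it still connects, peer verification is not actually in effect.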