On 11.12.2015 09:37, Jan Schneider wrote:

Quote from John Kramer <john.kra...@neys.org>:

On 09.12.15 18:19, Jan Schneider wrote:

Quote from John Kramer <john.kra...@neys.org>:

Hello list,

I use Horde Webmail 5.2.10. At the moment I can connect to IMAP via
port 143 with tls and SMTP via port 587 with tls. This is part of the
backends.local.php:
[snip]
   'protocol' => 'imap',
   'port' => 143,
   'secure' => 'tls',
   'smtp' => array(
       'auth' => true,
       'port' => 587,
   ),
[/snip]

How can I upgrade the transport security from TLSv1.0 to TLSv1.2?
Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
connections. PHP 5.6 and OpenSSL 1.0.1 should be capable of TLSv1.1+.
Are there any ideas?

I use the following software:
PHP 5.6.14
OpenSSL 1.0.1p
Horde Webmail 5.2.10
Imp 6.2.10
Horde_Imap_Client 2.29.3
Horde_Mail 2.6.2_1
Horde_Smtp 1.9.1

Thanks in advance!

John
--
imp mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: imp-unsubscr...@lists.horde.org

You need to enable 1.2 on the IMAP and SMTP server. PHP will use it
automatically.


Hello Jan,

thanks for your reply. I am sorry. I guess my statement was a bit
cloudy:

TLSv1.2 is working fine with other servers (smtp) and every client
(submission and imap) I have seen so far in the logs, e.g. Thunderbird,
but:

Disabling TLSv1.0 on IMAP or SMTP leads to TLS errors on Horde
connections.

Horde is always trying TLSv1.0, nothing else, and I do not have a clue
where the problem could be. PHP or OpenSSL or the horde/imp libraries
do not want to play with it. I am almost sure it has nothing to do
with openssl, because I think PHP, cyrus-imap and postfix are linked
to the same openssl libraries.

Any ideas?

All Horde libraries that work on sockets use \Horde\Socket\Client behind
the scenes. And this in turn uses PHP's stream_socket_enable_crypto()
with the STREAM_CRYPTO_METHOD_TLS_CLIENT flag. That should allow any TLS
version, and automatically pick the highest available version.
You may be hitting https://bugs.php.net/bug.php?id=65329


Hello Jan,

thanks for the link to the bug report. I didn't find it in my research.

STREAM_CRYPTO_METHOD_TLS_CLIENT is the source of the problem with PHP 5.6. As https://wiki.php.net/rfc/improved-tls-defaults states under "Stream Wrapper Creep":
Beyond the “creep” of new stream wrappers there also exists a consistency 
problem. Do all users understand that the ssl wrapper technically can negotiate 
any of the supported protocols? Do they know that in contrast the tls wrapper 
will only negotiate TLSv1 and not the newer TLS iterations?
[SNIP]
[SNIP]
Existing Constant Re-Valuing

The existing constants are internally re-valued as shown below to allow their 
use as bitwise flags. Because the existing code delineates between clients and 
servers the least significant bit is used to differentiate between the two 
stream types.
[SNIP]
> STREAM_CRYPTO_METHOD_TLS_CLIENT = ((1 << 3) | (1 << 4) | (1 << 5) | 1), /* Any TLS protocol */
[SNIP]

It seems there is a bug/feature? http://grokbase.com/t/php/php-bugs/1541c7f5jy/php-bug-bug-69345-new-tls-wrapper-disables-tls-1-1

Hard coding STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT or STREAM_CRYPTO_METHOD_SSLv23_CLIENT in Horde/Socket/Client.php upgrades the imap/smtp connections to TLSv1.2. That proved that my installation is capable of using TLSv1.2.

Since this exists as of PHP 5.5 I guess it will not change soon. Is there a chance to make Horde/Socket/Client.php capable of recognizing the PHP version or just trying newer protocols first?

Kind regards,
John

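The behaviour John describes, STREAM_CRYPTO_METHOD_TLS_CLIENT negotiating only TLSv1.0 on PHP 5.6 while passing the TLSv1.2 constant explicitly fixes it, can be reproduced and checked outside Horde with a small PHP script. The following is an added example, not Horde's \Horde\Socket\Client code: it performs a plain IMAP STARTTLS on port 143, builds the crypto-method bitmask from the newest constants this PHP build defines (TLSv1.2, then TLSv1.1, only falling back to the generic TLS_CLIENT flag when neither exists, which is one way of "trying newer protocols first"), and then reports which protocol was actually negotiated. The host name is a placeholder, the IMAP exchange is the minimum needed for STARTTLS, and the 'crypto' key in the stream meta data is assumed to be present on PHP 5.6 and later builds.

```php
<?php
// Added example (not Horde's code): IMAP STARTTLS with an explicit
// TLSv1.2/TLSv1.1 preference instead of STREAM_CRYPTO_METHOD_TLS_CLIENT,
// which on PHP 5.6 negotiates TLSv1.0 only. Host name is a placeholder.

// Build the method bitmask from the newest protocol constants this PHP
// build defines; fall back to the generic flag only if none are available.
function preferred_tls_client_method()
{
    $method = 0;
    foreach (array('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT',
                   'STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT') as $name) {
        if (defined($name)) {
            $method |= constant($name);
        }
    }
    return $method !== 0 ? $method : STREAM_CRYPTO_METHOD_TLS_CLIENT;
}

// Read IMAP response lines until the one carrying $tag arrives.
function imap_read_tagged($sock, $tag)
{
    while (($line = fgets($sock)) !== false) {
        if (strpos($line, $tag . ' ') === 0) {
            return rtrim($line, "\r\n");
        }
    }
    return false;
}

function imap_starttls($host, $port = 143, $timeout = 10)
{
    // Keep certificate and host-name verification on (PHP 5.6 default);
    // disabling it is not a fix for protocol-version errors.
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    )));
    $sock = stream_socket_client("tcp://$host:$port", $errno, $errstr,
                                 $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    stream_set_timeout($sock, $timeout);

    // Clear-text greeting, then STARTTLS; nothing sensitive is sent before
    // the handshake completes.
    $greeting = fgets($sock);
    if ($greeting === false || strpos($greeting, '* OK') !== 0) {
        throw new RuntimeException('unexpected IMAP greeting');
    }
    fwrite($sock, "a1 STARTTLS\r\n");
    $reply = imap_read_tagged($sock, 'a1');
    if ($reply === false || strpos($reply, 'a1 OK') !== 0) {
        throw new RuntimeException("STARTTLS refused: $reply");
    }

    // The explicit method mask is what lifts the session above TLSv1.0
    // on PHP 5.6; TLS_CLIENT alone would offer only TLSv1.0 here.
    if (stream_socket_enable_crypto($sock, true, preferred_tls_client_method()) !== true) {
        throw new RuntimeException('TLS handshake failed');
    }
    return $sock;
}

// Report the negotiated protocol so a server with TLSv1.0 disabled can be
// confirmed from the client side. Returns null on builds without the
// 'crypto' meta-data key.
function negotiated_protocol($sock)
{
    $meta = stream_get_meta_data($sock);
    return isset($meta['crypto']['protocol']) ? $meta['crypto']['protocol'] : null;
}

$sock = imap_starttls('imap.example.org'); // placeholder host name
echo 'negotiated: ', negotiated_protocol($sock), "\n";
fwrite($sock, "a2 LOGOUT\r\n");
fclose($sock);
```

Run against an IMAP server that has TLSv1.0 disabled: with the mask from preferred_tls_client_method() the handshake succeeds and prints TLSv1.2 (or TLSv1.1), whereas replacing the mask with STREAM_CRYPTO_METHOD_TLS_CLIENT on PHP 5.6 reproduces the handshake error seen in Horde. The same bitmask can be passed for SMTP on port 587 after the EHLO/STARTTLS exchange; only the clear-text command lines differ.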
