View Issue Details

ID: 0011952
Project: Tine 2.0
Category: Felamimail
View Status: public
Last Update: 2017-04-27 09:17
Reporter: andyjh1222
Assigned To: pschuele
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Tine 03.3
OS: ubuntu 16.04
OS Version:
Product Version: Egon Community Edition (2016.03.3)
Target Version: 2016.11.7 Egon Business Edition
Fixed in Version: 2016.11.7 Egon Business Edition
Summary: 0011952: TLS doesn't work with Self-signed
Description: Imap and SMTP TLS doesn't work with Self-signed servers.

I added the following to Imap.php and Smtp.php and got it to work.

Can you merge into next release with a config option to allow self-signed?

(Felalmimail/Protocol/Imap.php)
(vendor/zendframework/zendframeworks1/library/Zend/Mail/Protocol/Smtp.php)

    stream_context_set_option($this->_socket, 'ssl', 'verify_peer', false);
    stream_context_set_option($this->_socket, 'ssl', 'verify_peer_name', false);
    stream_context_set_option($this->_socket, 'ssl', 'allow_self_signed', true);
Tags: No tags attached.
mwticket

Relationships

duplicate of 0011586 (resolved, pschuele): PHP 5.6 breaks self-signed certificates (in that instance imap)
related to 0012984 (assigned, pschuele): fix config option IMAP_ALLOW_SELF_SIGNED_TLS_CERT

Activities

lab-at-nohl

2016-06-17 18:27

developer   ~0018190

Thanks for reporting. This is known behavior for php in version >= 5.6 (see its changelog on php.net [1]). I had this issue in the beginning, too.

Could you please describe a use case where you need a self-signed certificate (cert) without trusting its certificate authority (ca)?

Explanation:

1) Trusted certs can be obtained by startssl or the "let's encrypt" project for free. Including 5 to unlimited subdomains.

2) Even if you stick with your cert you could make your server system trust the ca (which is probably self-signed as well). For details see [2].

3) There MAY BE rare cases where you need to accept one specific cert. But usually not, see [3].

I would propose to close this issue?

Regards
Johannes

[1]: http://php.net/manual/en/migration56.openssl.php

[2]: Beginning with php 5.6 SSL-Certificates are taken and checked from system cert store; this affects self-signed certificates and requests to localhost or directly to the Server-IP. Do NOT use 'localhost'. Make sure your services are still reachable over SSL/TLS and use curl to request the URL in question (curl can connect to IMAP, too) within the same environment as your Tine 2.0 installation is (curl and Tine 2.0 will check certificates against system storage).

[3]: Only if you are not root on your server and you can't change the system cert store may you need to patch the sources manually. Otherwise you can always (even if a remote server is using self-signed certs) make your system accept them.
andyjh1222

2016-06-17 19:02

reporter   ~0018192

I use Virtualmin for a lot of webservers/email servers. I just use the generic virtualmin virtual server certificate generation, which is self-signed.

But yes, I could do 0000002...

You can close. I'll just keep adding those lines to my instances.

thank you!
pschuele

2017-04-20 13:34

administrator   ~0019906

We'll add this config option soon because we need it for CI testing.
pschuele

2017-04-20 13:35

administrator   ~0019908

We also add infrastructure for adding additional socket context options there.
pschuele

2017-04-26 14:12

administrator   ~0019930

To disable the certificate validation, you have to set the imap config like this (config.inc.php):

'imap' => array(
     // [...]
     'verifyPeer' => false
)
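
Added example (not part of the original ticket or of Tine 2.0's code): the behaviour discussed in note ~0018190, reproduced offline with the openssl CLI on a throwaway certificate. It shows that a self-signed certificate is rejected by default, accepted once it is supplied as a trust anchor, and still rejected when the client connects under a name the certificate does not cover. The host name mail.example.test, the temporary paths and the helper function names are assumptions.

```shell
#!/bin/sh
# Constructed sample data: a throwaway key and certificate in a temp directory.
HOST="mail.example.test"   # hypothetical mail server name (assumption)
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/mail.pem"

# Create a self-signed server certificate for the given host name.
make_self_signed() {  # $1 = host name, $2 = output certificate path
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/key.pem" -out "$2" 2>/dev/null
}

# Succeeds only if the certificate chains to a trusted anchor AND is valid
# for the name the client uses (the two checks PHP exposes as verify_peer
# and verify_peer_name).
cert_verifies() {  # $1 = certificate, $2 = connect name, $3 = optional trust anchor
    openssl verify ${3:+-CAfile "$3"} -verify_hostname "$2" "$1" 2>/dev/null \
        | grep -q ': OK$'
}

report() {  # $1 = label, remaining arguments are passed to cert_verifies
    label=$1; shift
    if cert_verifies "$@"; then
        echo "$label: accepted"
    else
        echo "$label: rejected"
    fi
}

make_self_signed "$HOST" "$CERT"
report "default trust store, name $HOST"     "$CERT" "$HOST"
report "certificate trusted, name $HOST"     "$CERT" "$HOST" "$CERT"
report "certificate trusted, name localhost" "$CERT" localhost "$CERT"
```

For system-wide trust on Debian or Ubuntu, the counterpart of the `-CAfile` step is copying the certificate (with a `.crt` extension) into /usr/local/share/ca-certificates/ and running `update-ca-certificates`. PHP stream contexts also accept a per-connection `cafile` option in the `ssl` context.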

Issue History

Date Modified Username Field Change
2016-06-17 16:08 andyjh1222 New Issue
2016-06-17 18:27 lab-at-nohl Note Added: 0018190
2016-06-17 19:02 andyjh1222 Note Added: 0018192
2016-06-17 19:56 lab-at-nohl Relationship added duplicate of 0011586
2017-04-20 13:32 pschuele Assigned To => pschuele
2017-04-20 13:32 pschuele Status new => assigned
2017-04-20 13:34 pschuele Note Added: 0019906
2017-04-20 13:34 pschuele Target Version => 2016.11.7 Egon Business Edition
2017-04-20 13:35 pschuele Note Added: 0019908
2017-04-26 13:34 pschuele Status assigned => resolved
2017-04-26 13:34 pschuele Fixed in Version => 2016.11.7 Egon Business Edition
2017-04-26 13:34 pschuele Resolution open => fixed
2017-04-26 13:37 pschuele Status resolved => gerrit
2017-04-26 14:12 pschuele Note Added: 0019930
2017-04-26 14:12 pschuele Status gerrit => resolved
2017-04-27 09:17 pschuele Issue cloned: 0012984
2017-04-27 09:17 pschuele Relationship added related to 0012984