Ticket #1484667 (closed Bugs: fixed)
RoundCube thinks TLS is equivalent of SSL
| Reported by: | alankila | Owned by: | thomasb |
|---|---|---|---|
| Priority: | 5 | Milestone: | 0.1-stable |
| Component: | IMAP connection | Version: | 0.1-rc2 |
| Severity: | normal | Keywords: | TLS1 IMAPS 993 |
| Cc: |
Description (last modified by thomasb)
My mail server, courier-imap-ssl, is only able to talk TLS1 protocol on the imaps port 993. I have confirmed this with "openssl s_client" using the -tls1, -ssl2, -ssl3 options. This is generally acceptable, because Mozilla's Thunderbird also talks TLS1 with the "SSL" option that defaults to using port 993, and seems in fact unable to talk SSL3.
Now you have a configuration example for default_host that dangles the answer in front of my nose, yet when I reach for it I get a "naa naa, won't work" result. The example recommends a string like "ssl://foo.bar:993" to use SSL. However, I can't just specify the connect string like this:
```php
$rcmail_config['default_host'] = 'tls://127.0.0.1:993';
```
because RoundCube reclassifies the prefix with code like this:
include/main.inc:
```php
$imap_ssl = (isset($a_host['scheme']) && in_array($a_host['scheme'], array('ssl','imaps','tls'))) ? TRUE : FALSE;
```
which is incorrect. SSL (which stands for SSL2 or SSL3 according to the code in php's openssl socket factory) is not TLS1, and my exact knowledge of the desired protocol should not be converted to a simple "use ssl" boolean.
After tracing through some layers of abstraction, I finally find lib/imap.inc that makes use of it, and I have to make a change here to get RoundCube to work in my setup:
```php
//check for SSL
if ($ICL_SSL){
    $host = "tls://".$host;
}
```
The original says $host = "ssl://".$host.
Would it be a bad idea to just pass the configured host-string directly and drop this $ICL_SSL stuff? I would also drop "imaps" prefix, requiring users to type "ssl" instead. There are still opportunities to avoid that kind of legacy stuff, as the first public working version (aka "1.0") is not even released yet.
In truth, I think the SSL3/TLS/whatever settings should be made explicit on the login form, rather than requiring users to type relatively arcane php connect strings. I take it that imap on port 143 with cleartext at beginning and crypto after STARTTLS won't work, so the port 993 pretty much has to be chosen whenever encryption of any kind is used.
This could be argued to be a defect in php5, but whether that's fixable without changes to php code I don't know. I'm not very familiar with imap and php's unusual socket routines, but perhaps it'd be possible to reopen a socket using the OpenSSL crypto layer, after issuing STARTTLS command in cleartext first.
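
The scheme handling discussed in this ticket, as an added PHP example that is not RoundCube's code: `legacy_target()` approximates the boolean collapse quoted above, and `explicit_target()` keeps the configured transport and refuses to fall back if PHP cannot provide it. The function names, the default ports, the treatment of `imaps` as an alias of `ssl`, and the sample host strings are assumptions made for illustration.

```php
<?php
// Added example: helper names are hypothetical, not RoundCube functions.

/** Split "scheme://host:port" (scheme and port optional; no IPv6 literals). */
function split_host(string $spec): array
{
    if (!preg_match('~^(?:([a-z0-9]+)://)?([^:/]+)(?::(\d+))?$~i', $spec, $m)) {
        throw new InvalidArgumentException("unparsable host spec: $spec");
    }
    return [strtolower($m[1]), $m[2], $m[3] ?? ''];
}

/** Approximates the ticket's code path: scheme -> boolean -> always "ssl://". */
function legacy_target(string $spec): string
{
    [$scheme, $host, $port] = split_host($spec);
    $imap_ssl = in_array($scheme, ['ssl', 'imaps', 'tls'], true);
    $port = $port !== '' ? (int)$port : ($imap_ssl ? 993 : 143); // assumed defaults
    return ($imap_ssl ? 'ssl://' : 'tcp://') . "$host:$port";
}

/** Keeps the configured transport; "imaps" is treated as an alias of "ssl". */
function explicit_target(string $spec): string
{
    [$scheme, $host, $port] = split_host($spec);
    $transports = ['' => 'tcp', 'ssl' => 'ssl', 'imaps' => 'ssl', 'tls' => 'tls'];
    if (!isset($transports[$scheme])) {
        throw new InvalidArgumentException("unsupported scheme: $scheme");
    }
    $transport = $transports[$scheme];
    // Fail closed if this PHP build cannot provide the requested transport.
    if (!in_array($transport, stream_get_transports(), true)) {
        throw new RuntimeException("transport $transport:// not available");
    }
    $port = $port !== '' ? (int)$port : ($transport === 'tcp' ? 143 : 993);
    return "$transport://$host:$port";
}

// Constructed sample values for default_host.
foreach (['tls://127.0.0.1:993', 'ssl://foo.bar:993', 'imaps://foo.bar', 'foo.bar'] as $spec) {
    printf("%-22s legacy=%-22s explicit=%s\n", $spec, legacy_target($spec), explicit_target($spec));
}
```

The first sample is the case from the ticket: the legacy path rewrites `tls://` to `ssl://`, while the explicit path hands the configured transport to PHP's socket layer unchanged.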
