
[#14206] TLS no longer works with self-signed certificates
Summary TLS no longer works with self-signed certificates
Queue Ingo
Queue Version Git master
Type Enhancement
State Resolved
Priority 1. Low
Owners
Requester aaronp (at) critd (dot) com
Created 12/18/2015 (3464 days ago)
Due
Updated 01/06/2016 (3445 days ago)
Assigned
Resolved 12/29/2015 (3453 days ago)
Milestone
Patch No

History
01/06/2016 07:16:24 AM Jan Schneider Comment #9
I assume the git version is working towards a new major release of 
Ingo, say 3.3 or 4.0.
Correct.
Maybe this change can be added to a future Ingo 3.2.6 minor release?
No, because that would require major changes within the 3rd-party 
Net_Socket and Net_Sieve libraries which are both unmaintained.
01/04/2016 04:47:55 PM aaronp (at) critd (dot) com Comment #8
Ah yes, it seems I did. I'm using the latest release versions of Horde 
and Ingo, which at this time seem to be Horde 5.2.8 and Ingo 3.2.5. 
This ticket may need to be changed to reflect that.

I assume the git version is working towards a new major release of 
Ingo, say 3.3 or 4.0. Maybe this change can be added to a future Ingo 
3.2.6 minor release? Should I submit a separate bug report or 
enhancement request?

Thanks so much for the great software and your help troubleshooting!
01/04/2016 03:45:18 PM Jan Schneider Comment #7
You have reported this against the Git master version of Ingo that 
indeed does use \Socket\Client instead of Net_Sieve.
01/04/2016 03:32:36 PM aaronp (at) critd (dot) com Comment #6
Sorry, but I need to open this ticket again. I was not testing 
correctly, and it turns out the problem was still happening.

After more research and adding a little debug in 
Horde/Socket/Client.php, I discovered that my problem is that 
startTls() never gets called when making a sieve connection in Ingo. I 
then discovered that, of course, Ingo is actually using Net_Sieve to 
connect and not Horde_Socket_Client. I then started passing the same 
verify_peer and verify_peer_name TLS options, and now TLS works with 
Ingo. Here is a clip from my lib/Transport/Timsieved.php starting at 
line 60:

<SNIP>
     protected function _connect()
     {
         if (!empty($this->_sieve)) {
             return;
         }

         $options = array(
             'ssl' => array(
                 'verify_peer' => false,
                 'verify_peer_name' => false
             )
         );

         $auth = empty($this->_params['admin'])
             ? $this->_params['username']
             : $this->_params['admin'];

         $this->_sieve = new Net_Sieve(
             $auth,
             $this->_params['password'],
             $this->_params['hostspec'],
             $this->_params['port'],
             $this->_params['logintype'],
             $this->_params['euser'],
             $this->_params['debug'],
             false,
             $this->_params['usetls'],
             $options,
             array($this, 'debug')
         );
</SNIP>

This was quick and dirty. Maybe you would prefer to pass this kind of 
thing through the constructor? Either way, I think this or something 
similar should be added for the next release. Thanks!
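As an added example (not Ingo's or Net_Sieve's own code), the same `$options` array shape passed to the Net_Sieve constructor above, but with verification kept on: the self-signed server certificate is exported to a file and trusted explicitly through `cafile`, instead of setting `verify_peer` to false. The function names `sieveTlsOptions` and `sieveStartTls`, the CA file path and the host/port are assumptions.

```php
<?php
// Added example, not Ingo's code. Builds the stream-context options that
// Net_Sieve's $options argument accepts, keeping certificate verification on.
// Assumes the server's self-signed certificate has been exported to $caFile.

/**
 * Return the 'ssl' context options for a Sieve TLS connection.
 * The self-signed certificate is trusted explicitly via 'cafile', so
 * verify_peer / verify_peer_name can stay enabled.
 */
function sieveTlsOptions(string $caFile, string $peerName): array
{
    if (!is_readable($caFile)) {
        throw new InvalidArgumentException("CA file not readable: $caFile");
    }
    return array(
        'ssl' => array(
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'cafile'            => $caFile,    // the exported self-signed cert
            'peer_name'         => $peerName,  // must match the cert's CN/SAN
            'allow_self_signed' => false,
        ),
    );
}

// Minimal STARTTLS round-trip against a ManageSieve server (the sequence
// Net_Sieve performs) to check the options before wiring them into Ingo.
function sieveStartTls(string $host, int $port, array $options): bool
{
    $ctx = stream_context_create($options);
    $fp  = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    // Consume the capability greeting, which ends with an "OK" line.
    while (($line = fgets($fp)) !== false && strncmp($line, 'OK', 2) !== 0) {
    }
    fwrite($fp, "STARTTLS\r\n");
    $reply = fgets($fp);
    if ($reply === false || strncmp($reply, 'OK', 2) !== 0) {
        throw new RuntimeException("STARTTLS refused: " . trim((string) $reply));
    }
    // TLS only (no SSLv2/v3); verification uses the 'ssl' options above.
    $ok = stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    fclose($fp);
    return $ok === true;
}

// Usage (assumed host, port and file path):
// var_dump(sieveStartTls('sieve.example.test', 4190,
//     sieveTlsOptions('/etc/ssl/certs/sieve-selfsigned.pem', 'sieve.example.test')));
```

`ssl3_get_server_certificate` in the logged OpenSSL error is the name of the routine that validates the server certificate; it appears for TLS 1.x handshakes as well and does not by itself mean SSLv3 was negotiated.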
12/29/2015 07:07:02 PM Jan Schneider State ⇒ Resolved
 
12/29/2015 04:49:16 PM aaronp (at) critd (dot) com Comment #5
The patch worked for me! I'll assume it will be a part of the next 
major release, whenever that will be. This ticket can be closed now. 
Thanks!
12/29/2015 04:23:02 PM aaronp (at) critd (dot) com Comment #3
Interesting. I see that verification is indeed being turned off in my 
Socket/Client.php. Regardless, my Ingo/Sieve works with 'usetls' => 
false, but not with either 'usetls' => 'tls', or  'usetls' => true. 
Here's what I get in the horde.log file:

Dec 29 10:14:55 hostname HORDE: [ingo] PHP ERROR: 
stream_socket_enable_crypto(): SSL operation failed with code 1. 
OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate 
verify failed [pid 11811 on line 1215 of 
"/usr/local/lib/php/Net/Sieve.php"]

Is it trying to use SSL3? I do not support SSL3 on my Cyrus server. Only TLS.

12/28/2015 03:29:42 PM Jan Schneider Comment #2
State ⇒ Feedback
We already disable peer verification to keep backward compatibility 
across PHP versions. See 
https://github.com/horde/horde/blob/master/framework/Socket_Client/lib/Horde/Socket/Client.php#L97
12/18/2015 03:28:41 PM aaronp (at) critd (dot) com Comment #1
Priority ⇒ 1. Low
Type ⇒ Enhancement
Summary ⇒ TLS no longer works with self-signed certificates
Queue ⇒ Ingo
Milestone ⇒
Patch ⇒ No
State ⇒ New
Possibly related to changes made in 5.6:
http://php.net/manual/en/migration56.openssl.php

I need a way to tell Ingo and the other apps that I prefer that they 
not validate TLS certificates. The old Horde 3.3 apps used to allow a 
/novalidate-cert syntax. Something similar would be ideal.