From e9ecfc9f87401aa104998ce3b66a798835ff49cb Mon Sep 17 00:00:00 2001
From: m_horde <m_horde@secure.mailbox.org>
Date: Mon, 1 Dec 2014 00:36:23 +0100
Subject: [PATCH] Implementation of peer verification in TLS connections
---
.../Socket_Client/lib/Horde/Socket/Client.php | 32 +++++++++++++++-------
horde/config/conf.xml | 10 +++++++
2 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/framework/Socket_Client/lib/Horde/Socket/Client.php b/framework/Socket_Client/lib/Horde/Socket/Client.php
index 91a666a..e232f41 100644
--- a/framework/Socket_Client/lib/Horde/Socket/Client.php
+++ b/framework/Socket_Client/lib/Horde/Socket/Client.php
@@ -174,22 +174,34 @@ class Client
break;
}
+ $stream_context_array = array(
+ 'ssl' => array(
+ 'verify_peer' => false,
+ 'verify_peer_name' => false,
+ 'ciphers' => 'ALL',
+ 'verify_depth' => 10,
+ )
+ );
+ if (!empty($GLOBALS['conf']['openssl']['cafile']) and $GLOBALS['conf']['openssl']['verify']) {
+ $stream_context_array['ssl']['verify_peer'] = true;
+ $stream_context_array['ssl']['verify_peer_name'] = true;
+ $stream_context_array['ssl']['cafile'] = $GLOBALS['conf']['openssl']['cafile'];
+ }
+ if (!empty($GLOBALS['conf']['openssl']['ciphers'])) {
+ $stream_context_array['ssl']['ciphers'] = $GLOBALS['conf']['openssl']['ciphers'];
+ }
+ if (!empty($GLOBALS['conf']['openssl']['depth'])) {
+ $stream_context_array['ssl']['verify_depth'] = $GLOBALS['conf']['openssl']['depth'];
+ }
+
$this->_stream = @stream_socket_client(
$conn . $host . ':' . $port,
$error_number,
$error_string,
$timeout,
STREAM_CLIENT_CONNECT,
- /* @todo: As of PHP 5.6, TLS connections require valid certs.
- * However, this is BC-breaking to this library. For now, keep
- * pre-5.6 behavior. */
- stream_context_create(array(
- 'ssl' => array(
- 'verify_peer' => false,
- 'verify_peer_name' => false
- )
- ))
- );
+ stream_context_create($stream_context_array)
+ );
if ($this->_stream === false) {
/* From stream_socket_client() page: a function return of false,
diff --git a/horde/config/conf.xml b/horde/config/conf.xml
index 41a4cec..d9d1bfe 100644
--- a/horde/config/conf.xml
+++ b/horde/config/conf.xml
@@ -1555,6 +1555,16 @@
certificates bundle, e.g. /etc/ssl/certs. See
http://www.php.net/manual/en/openssl.cert.verification.php for
details."/>
+ <configboolean name="verify" required="false" desc="Should we set the ssl
+ context to verify the peer certificate with the given certificate bundle.
+ This option has no effect when cafile is not set.
+ See https://php.net/manual/en/context.ssl.php for details."/>
+ <configstring name="depth" required="false" desc="The depth for
+ certificate verification. The default is 10."/>
+ <configstring name="ciphers" required="false" desc="Limit the used cipers
+ for secure connections. The default is to enable all ciphers except those
+ without encryption. See
+ https://www.openssl.org/docs/apps/ciphers.html for details."/>
<configstring name="path" required="false" desc="The location of the OpenSSL
binary on your system, e.g. /usr/bin/openssl. This program is REQUIRED to
import personal S/MIME certificate information, as there is no native PHP
--
1.9.1