From e9ecfc9f87401aa104998ce3b66a798835ff49cb Mon Sep 17 00:00:00 2001
From: m_horde <m_horde@secure.mailbox.org>
Date: Mon, 1 Dec 2014 00:36:23 +0100
Subject: [PATCH] Implementation of peer verification in TLS connections

---
 .../Socket_Client/lib/Horde/Socket/Client.php      | 32 +++++++++++++++-------
 horde/config/conf.xml                              | 10 +++++++
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/framework/Socket_Client/lib/Horde/Socket/Client.php b/framework/Socket_Client/lib/Horde/Socket/Client.php
index 91a666a..e232f41 100644
--- a/framework/Socket_Client/lib/Horde/Socket/Client.php
+++ b/framework/Socket_Client/lib/Horde/Socket/Client.php
@@ -174,22 +174,34 @@ class Client
             break;
         }
 
+        $stream_context_array = array(
+            'ssl' => array(
+                'verify_peer' => false,
+                'verify_peer_name' => false,
+                'ciphers' => 'ALL',
+                'verify_depth' => 10,
+                )
+            );
+        if (!empty($GLOBALS['conf']['openssl']['cafile']) and $GLOBALS['conf']['openssl']['verify']) {
+            $stream_context_array['ssl']['verify_peer'] = true;
+            $stream_context_array['ssl']['verify_peer_name'] = true;
+            $stream_context_array['ssl']['cafile'] = $GLOBALS['conf']['openssl']['cafile'];
+        }
+        if (!empty($GLOBALS['conf']['openssl']['ciphers'])) {
+            $stream_context_array['ssl']['ciphers'] = $GLOBALS['conf']['openssl']['ciphers'];
+        }
+        if (!empty($GLOBALS['conf']['openssl']['depth'])) {
+            $stream_context_array['ssl']['verify_depth'] = $GLOBALS['conf']['openssl']['depth'];
+        }
+
         $this->_stream = @stream_socket_client(
             $conn . $host . ':' . $port,
             $error_number,
             $error_string,
             $timeout,
             STREAM_CLIENT_CONNECT,
-            /* @todo: As of PHP 5.6, TLS connections require valid certs.
-             * However, this is BC-breaking to this library. For now, keep
-             * pre-5.6 behavior. */
-            stream_context_create(array(
-                'ssl' => array(
-                    'verify_peer' => false,
-                    'verify_peer_name' => false
-                )
-            ))
-        );
+            stream_context_create($stream_context_array)
+            );
 
         if ($this->_stream === false) {
             /* From stream_socket_client() page: a function return of false,
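Review bot: The defaults built at the top of this hunk still fail open: `verify_peer` and `verify_peer_name` stay `false` unless both `cafile` and `verify` are configured, so an install that sets neither keeps connecting without certificate validation and gets no indication of it. The new `'ciphers' => 'ALL'` default also replaces the PHP/OpenSSL default cipher list with OpenSSL's `ALL` set, which is broader and, depending on the OpenSSL version, can include anonymous and other weak suites. I would drop that key from the defaults and set `ciphers` only when the administrator configures a list. `$GLOBALS['conf']['openssl']['verify']` is read without a guard, which presumably raises a notice when the library runs without a full Horde config; `if (!empty($GLOBALS['conf']['openssl']['verify']) && !empty($GLOBALS['conf']['openssl']['cafile']))` avoids that, and the depth should be cast with `(int)`. The enclosing method starts and ends outside the hunk.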
diff --git a/horde/config/conf.xml b/horde/config/conf.xml
index 41a4cec..d9d1bfe 100644
--- a/horde/config/conf.xml
+++ b/horde/config/conf.xml
@@ -1555,6 +1555,16 @@
    certificates bundle, e.g. /etc/ssl/certs. See
    http://www.php.net/manual/en/openssl.cert.verification.php for
    details."/>
+   <configboolean name="verify" required="false" desc="Should we set the ssl
+   context to verify the peer certificate with the given certificate bundle.
+   This option has no effect when cafile is not set.
+   See https://php.net/manual/en/context.ssl.php for details."/>
+   <configstring name="depth" required="false" desc="The depth for
+   certificate verification. The default is 10."/>
+   <configstring name="ciphers" required="false" desc="Limit the used cipers
+   for secure connections. The default is to enable all ciphers except those
+   without encryption. See
+   https://www.openssl.org/docs/apps/ciphers.html for details."/>
    <configstring name="path" required="false" desc="The location of the OpenSSL
    binary on your system, e.g. /usr/bin/openssl. This program is REQUIRED to
    import personal S/MIME certificate information, as there is no native PHP
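Review bot: `depth` is declared as a `configstring`, so the value reaches the `verify_depth` context option as a string; an integer field fits better, e.g. `<configinteger name="depth" required="false" desc="..."/>`. The `ciphers` description has a typo (`cipers`) and should recommend a restrictive list, because the documented default enables every cipher that has encryption. The `verify` description should state plainly that leaving it unset, or leaving cafile empty, means TLS peers are not authenticated. The enclosing configuration section begins and ends outside the hunk.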
-- 
1.9.1