From e9ecfc9f87401aa104998ce3b66a798835ff49cb Mon Sep 17 00:00:00 2001
From: m_horde <m_horde@secure.mailbox.org>
Date: Mon, 1 Dec 2014 00:36:23 +0100
Subject: [PATCH] Implementation of peer verification in TLS connections

---
 .../Socket_Client/lib/Horde/Socket/Client.php | 32 +++++++++++++++-------
 horde/config/conf.xml | 10 +++++++
 2 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/framework/Socket_Client/lib/Horde/Socket/Client.php b/framework/Socket_Client/lib/Horde/Socket/Client.php
index 91a666a..e232f41 100644
--- a/framework/Socket_Client/lib/Horde/Socket/Client.php
+++ b/framework/Socket_Client/lib/Horde/Socket/Client.php
@@ -174,22 +174,34 @@ class Client
             break;
         }
 
+        $stream_context_array = array(
+            'ssl' => array(
+                'verify_peer' => false,
+                'verify_peer_name' => false,
+                'ciphers' => 'ALL',
+                'verify_depth' => 10,
+            )
+        );
+        if (!empty($GLOBALS['conf']['openssl']['cafile']) and $GLOBALS['conf']['openssl']['verify']) {
+            $stream_context_array['ssl']['verify_peer'] = true;
+            $stream_context_array['ssl']['verify_peer_name'] = true;
+            $stream_context_array['ssl']['cafile'] = $GLOBALS['conf']['openssl']['cafile'];
+        }
+        if (!empty($GLOBALS['conf']['openssl']['ciphers'])) {
+            $stream_context_array['ssl']['ciphers'] = $GLOBALS['conf']['openssl']['ciphers'];
+        }
+        if (!empty($GLOBALS['conf']['openssl']['depth'])) {
+            $stream_context_array['ssl']['verify_depth'] = $GLOBALS['conf']['openssl']['depth'];
+        }
+
         $this->_stream = @stream_socket_client(
             $conn . $host . ':' . $port,
             $error_number,
             $error_string,
             $timeout,
             STREAM_CLIENT_CONNECT,
-            /* @todo: As of PHP 5.6, TLS connections require valid certs.
-             * However, this is BC-breaking to this library. For now, keep
-             * pre-5.6 behavior. */
-            stream_context_create(array(
-                'ssl' => array(
-                    'verify_peer' => false,
-                    'verify_peer_name' => false
-                )
-            ))
-        );
+            stream_context_create($stream_context_array)
+        );
 
         if ($this->_stream === false) {
             /* From stream_socket_client() page: a function return of false,
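Review bot: The new default `'ciphers' => 'ALL'` in the `$stream_context_array` initialiser is weaker than the OpenSSL `DEFAULT` list PHP applies when the key is omitted: `ALL` re-enables the anonymous (aNULL), EXPORT and LOW suites that `DEFAULT` excludes, and because no server certificate is sent under an anonymous suite, OpenSSL ignores the `verify_peer`/`verify_peer_name` that the `cafile` branch switches on, so the verification this patch adds can be negotiated away. I would drop the `'ciphers' => 'ALL',` line (or use `'ciphers' => 'DEFAULT',`) and only set the key from `$GLOBALS['conf']['openssl']['ciphers']` when the administrator supplies one. Separately, verification stays silently off when `verify` is true but `cafile` is empty; as PHP 5.6 falls back to the `openssl.cafile`/`openssl.capath` ini settings or the system store when no `cafile` is given, the `!empty($GLOBALS['conf']['openssl']['cafile'])` half of the condition could be dropped, or the misconfiguration logged instead of ignored. `depth` arrives as a string from a `configstring` option, so cast it when assigning: `$stream_context_array['ssl']['verify_depth'] = (int)$GLOBALS['conf']['openssl']['depth'];`. The enclosing method starts and ends outside this hunk.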
diff --git a/horde/config/conf.xml b/horde/config/conf.xml index 41a4cec..d9d1bfe 100644 --- a/horde/config/conf.xml +++ b/horde/config/conf.xml @@ -1555,6 +1555,16 @@ certificates bundle, e.g. /etc/ssl/certs. See http://www.php.net/manual/en/openssl.cert.verification.php for details."/> + <configboolean name="verify" required="false" desc="Should we set the ssl + context to verify the peer certificate with the given certificate bundle. + This option has no effect when cafile is not set. + See https://php.net/manual/en/context.ssl.php for details."/> + <configstring name="depth" required="false" desc="The depth for + certificate verification. The default is 10."/> + <configstring name="ciphers" required="false" desc="Limit the used cipers + for secure connections. The default is to enable all ciphers except those + without encryption. See + https://www.openssl.org/docs/apps/ciphers.html for details."/> <configstring name="path" required="false" desc="The location of the OpenSSL binary on your system, e.g. /usr/bin/openssl. This program is REQUIRED to import personal S/MIME certificate information, as there is no native PHP -- 1.9.1
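Review bot: `depth` is declared with `<configstring name="depth"` although its value feeds the integer `verify_depth` stream-context option; Horde's configuration schema has, as far as I recall, a `configinteger` element that would reject non-numeric input at configuration time, so I would declare it as `<configinteger name="depth" required="false" desc="The depth for certificate verification. The default is 10."/>`. The `ciphers` description misspells `cipers`; it should read `Limit the used ciphers`. The `verify` description is phrased as a question (`Should we set the ssl context ...`); a declarative sentence such as `Verify the peer certificate against the bundle given in cafile.` matches the other option descriptions in this section.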