View Issue Details

ID: 0001430
Project: Infrastructure
Category: tools
View Status: public
Last Update: 2018-06-20 14:58
Reporter: HansMaulwurf
Assigned To: wytze
Priority: normal
Severity: block
Reproducibility: always
Status: needs review & testing
Resolution: open
Summary: 0001430: e-mail verification fails on TLS1.2-only MX servers.
Description: When you add a new email address to your profile, the verification will fail on a secure mail server, because the outgoing CAcert mail server can't handle TLS1.2-only servers.
Steps To Reproduce:
1. Add a new email address to your profile.
2. The verification process fails.
Additional Information: Here is the log of an example MX server:
Dec 7 11:56:41 system postfix/smtpd[14310]: connect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:43 system postfix/smtpd[14310]: SSL_accept error from tverify.cacert.org[2001:7b8:3:9c::247]: -1
Dec 7 11:56:43 system postfix/smtpd[14310]: warning: TLS library problem: 14310:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 7 11:56:44 system postfix/smtpd[14310]: lost connection after STARTTLS from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:44 system postfix/smtpd[14310]: disconnect from tverify.cacert.org[2001:7b8:3:9c::247]
Tags: No tags attached.

Activities

jandd

2017-12-07 12:13

administrator   ~0005564

tverify is an alias of http://wiki.cacert.org/SystemAdministration/Systems/Webdb

dastrath

2017-12-07 12:31

administrator   ~0005565

The support of TLSv1.1 is mandatory according to HIPAA guidance.

(Nevertheless we should be able to send mails to TLS 1.2 mail servers ... I'll run some tests against my own mail server).

Many thanks for giving this information ... I'll pass this to support for cases where the ping-mail wasn't received ...

wytze

2017-12-09 08:56

developer   ~0005566

There are two steps in verifying a new e-mail address supplied by a user.
The first step is carried out by the CAcert application itself, by setting up a connection to the required mail server (see the checkEmail function in includes/general.php).
The second step is done by actually sending an e-mail through the Postfix mail server running on the webdb server.
In this particular case, the second step is never reached because the first step fails.
I am suspecting that the failure of the first step may be due to running a fairly old version of PHP (5.4.45) on the webdb server. When we upgrade the webdb server to the current Debian oldstable release, PHP will be upgraded to 5.6.X, which *might* resolve this issue.
This Debian release upgrade needs to be done some time soon, but it will also be the last possible Debian release upgrade without a serious rewrite of the CAcert application -- that application is barely suitable for running on PHP 5.6, but nothing more recent.
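The first verification step just described, as an added example that is not CAcert's includes/general.php code: a minimal STARTTLS probe of the kind checkEmail performs, offering each TLS version explicitly and checking whether the negotiation actually succeeded before continuing. Host, port, EHLO identity and timeout are constructed values.

```php
<?php
// Added example, not the CAcert application's code. Probes an MX server the way
// the first verification step does: connect, EHLO, STARTTLS, then EHLO again.

function read_reply($fp) {
    // Read a (possibly multi-line) SMTP reply and return its 3-digit code.
    $code = null;
    while (($line = fgets($fp, 4096)) !== false) {
        $code = substr($line, 0, 3);
        if (strlen($line) < 4 || $line[3] !== '-') break;
    }
    return $code;
}

function starttls_probe($host, $port = 25, $timeout = 10) {
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, $timeout);
    if ($fp === false) return array(false, "connect failed: $errstr ($errno)");
    stream_set_timeout($fp, $timeout);

    if (read_reply($fp) !== '220') return array(false, 'no 220 greeting');
    fputs($fp, "EHLO www.example.org\r\n");          // constructed identity
    if (read_reply($fp) !== '250') return array(false, 'EHLO rejected');
    fputs($fp, "STARTTLS\r\n");
    if (read_reply($fp) !== '220') return array(false, 'STARTTLS rejected');

    // Offer every TLS version this PHP build knows instead of relying on the
    // STREAM_CRYPTO_METHOD_TLS_CLIENT alias; newer constants are optional.
    $methods = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $methods |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    // The call returns true, false, or 0 (non-blocking: not finished yet);
    // anything but true means the socket is still plaintext, so stop here.
    // Note: the default stream context also verifies the peer certificate
    // against $host, so a failure may be a certificate mismatch rather than
    // a protocol-version mismatch; error_get_last() tells them apart.
    if (stream_socket_enable_crypto($fp, true, $methods) !== true) {
        fclose($fp);
        return array(false, 'TLS negotiation failed');
    }

    // RFC 3207: the client must start over with EHLO once TLS is up.
    fputs($fp, "EHLO www.example.org\r\n");
    $ehlo = read_reply($fp);
    fputs($fp, "QUIT\r\n");
    fclose($fp);
    return array($ehlo === '250', "TLS established; EHLO after STARTTLS: $ehlo");
}
```

Run it as `list($ok, $why) = starttls_probe('mx.example.net');` against a server configured for TLSv1.2 only; the second element tells you at which step the check stopped, which is the information the original transcript lacks when the handshake fails.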

wytze

2017-12-09 09:00

developer   ~0005567

By the way, the connect from tverify.cacert.org is due to the lack of configurability of the CAcert application code -- the PHP code does not support specifying the IPv4 or IPv6 address from which this outgoing connection is made, it simply picks one of the available ones :-(
The Postfix server is better behaved: it can be and is configured to use the www.cacert.org IPv4/IPv6 addresses.

wytze

2018-06-20 14:51

developer   ~0005603

With PHP 5.6.33 present on the current CAcert servers, this issue can be fixed with the following patch:

diff --git a/includes/general.php b/includes/general.php
index 902623a..d1431bc 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -768,7 +768,7 @@
                                }

                                $transcript .= "- Establishing encrypted connection\n";
- stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+ stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);

                                $transcript .= "! C->S: EHLO www.cacert.org\n";
                                fputs($fp, "EHLO www.cacert.org\r\n");
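Review bot: the return value of stream_socket_enable_crypto() on the replaced line is still discarded, so when the negotiation fails (the call returns false) execution falls through to `fputs($fp, "EHLO www.cacert.org\r\n");` on a socket that never became encrypted, and $transcript records only "- Establishing encrypted connection" with no outcome. Suggest capturing the result, e.g. `if (stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT) !== true) { $transcript .= "! TLS negotiation failed\n"; ... }` and aborting the check there, so a failed handshake is reported explicitly instead of surfacing later as a confusing EHLO error.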

This has been verified with a test on test.cacert.org, adding a new mail address for a mail server which was configured to only support TLSv1.2. Without the code change shown above, the connection would fail; after adding the code change, the connection succeeded and the e-mail address could be added.

wytze

2018-06-20 14:52

developer   ~0005604

diff --git a/includes/general.php b/includes/general.php
index 902623a..d1431bc 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -768,7 +768,7 @@
                                }

                                $transcript .= "- Establishing encrypted connection\n";
- stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+ stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);

                                $transcript .= "! C->S: EHLO www.cacert.org\n";
                                fputs($fp, "EHLO www.cacert.org\r\n");
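Review bot: the replacement line hard-codes exactly TLSv1.0, TLSv1.1 and TLSv1.2, so a mail server that accepts only a version newer than those will fail in the same way this issue describes and need another patch. Consider assembling the flag set from whichever STREAM_CRYPTO_METHOD_TLSv1_*_CLIENT constants the running PHP defines (guarded with defined()), and add a one-line comment above the call saying why STREAM_CRYPTO_METHOD_TLS_CLIENT was replaced, since the reason is not obvious to a later reader of general.php.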

wytze

2018-06-20 14:58

developer   ~0005605

Please test the fix installed on test.cacert.org against another mail server which is configured for TLSv1.2 only
and report the result here.
Please review the code change, which is based on information in https://secure.php.net/manual/en/function.stream-socket-enable-crypto.php.

Issue History

Date Modified Username Field Change
2017-12-07 11:06 HansMaulwurf New Issue
2017-12-07 11:06 HansMaulwurf Assigned To => jandd
2017-12-07 12:13 jandd Note Added: 0005564
2017-12-07 12:14 jandd Assigned To jandd => wytze
2017-12-07 12:31 dastrath Note Added: 0005565
2017-12-09 08:56 wytze Note Added: 0005566
2017-12-09 09:00 wytze Note Added: 0005567
2018-06-20 14:51 wytze Note Added: 0005603
2018-06-20 14:52 wytze Status new => fix available
2018-06-20 14:52 wytze Note Added: 0005604
2018-06-20 14:58 wytze Status fix available => needs review & testing
2018-06-20 14:58 wytze Note Added: 0005605