View Issue Details

ID: 0001430
Project: Infrastructure
Category: tools
View Status: public
Last Update: 2017-12-09 09:00
Reporter: HansMaulwurf
Assigned To: wytze
Priority: normal
Severity: block
Reproducibility: always
Status: new
Resolution: open
Summary: 0001430: e-mail verification fails on TLS 1.2-only MX servers.
Description: When you add a new email address to your profile, the verification will fail on a secure mail server, because the outgoing CAcert mail server can't handle TLS 1.2-only servers.
Steps To Reproduce:
1. add a new email address to your profile
2. the verification process fails.
Additional Information: Here is the log of an example MX server:
Dec 7 11:56:41 system postfix/smtpd[14310]: connect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:43 system postfix/smtpd[14310]: SSL_accept error from tverify.cacert.org[2001:7b8:3:9c::247]: -1
Dec 7 11:56:43 system postfix/smtpd[14310]: warning: TLS library problem: 14310:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 7 11:56:44 system postfix/smtpd[14310]: lost connection after STARTTLS from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:44 system postfix/smtpd[14310]: disconnect from tverify.cacert.org[2001:7b8:3:9c::247]
Tags: No tags attached.
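A check a mail administrator could run over their own Postfix smtpd log to find peers whose session broke right after STARTTLS, as in the log above; this is an added example written for this page, not CAcert's or Postfix's code, and the second, successful session in the sample is constructed.

```python
import re

# Constructed sample: the smtpd lines from the report, then one normal session
# (mail.example.net and 203.0.113.5 are made-up values).
SAMPLE_LOG = """\
Dec 7 11:56:41 system postfix/smtpd[14310]: connect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:43 system postfix/smtpd[14310]: SSL_accept error from tverify.cacert.org[2001:7b8:3:9c::247]: -1
Dec 7 11:56:43 system postfix/smtpd[14310]: warning: TLS library problem: 14310:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 7 11:56:44 system postfix/smtpd[14310]: lost connection after STARTTLS from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:44 system postfix/smtpd[14310]: disconnect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 12:03:10 system postfix/smtpd[14322]: connect from mail.example.net[203.0.113.5]
Dec 7 12:03:11 system postfix/smtpd[14322]: Anonymous TLS connection established from mail.example.net[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 7 12:03:12 system postfix/smtpd[14322]: disconnect from mail.example.net[203.0.113.5]
"""

# One smtpd process serves one session at a time, so the pid ties a session's lines together.
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$", re.M)
# OpenSSL reason, e.g. "SSL23_GET_CLIENT_HELLO:unknown protocol": the bytes the client sent
# after STARTTLS were not a TLS hello the server could parse.
REASON_RE = re.compile(r"SSL routines:([^:]+:[^:]+):")

def find_starttls_failures(log_text):
    """Return one record per smtpd session whose TLS handshake broke after STARTTLS."""
    open_sessions, failures = {}, []  # open_sessions: pid -> session in progress
    for m in LINE_RE.finditer(log_text):
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):  # a new session replaces any stale one for this pid
            open_sessions[pid] = {"peer": msg[len("connect from "):], "ssl_accept_error": False,
                                  "lost_after_starttls": False, "tls_ok": False, "reason": None}
        elif (s := open_sessions.get(pid)) is None:
            continue  # line belongs to a session whose start we did not see
        elif msg.startswith("SSL_accept error from "):
            s["ssl_accept_error"] = True
        elif "TLS connection established" in msg:
            s["tls_ok"] = True
        elif msg.startswith("lost connection after STARTTLS"):
            s["lost_after_starttls"] = True
        elif msg.startswith("disconnect from "):
            if s["ssl_accept_error"] or s["lost_after_starttls"]:
                failures.append(s)
            del open_sessions[pid]
        elif (r := REASON_RE.search(msg)) is not None:
            s["reason"] = r.group(1)
    return failures

def summarize(failures):
    """One grep-friendly line per failed peer, e.g. for a support ticket."""
    return [f"{s['peer']}: {s['reason'] or 'no OpenSSL reason logged'}"
            + (" (lost connection after STARTTLS)" if s["lost_after_starttls"] else "")
            for s in failures]
```

Feeding `/var/log/mail.log` to `find_starttls_failures` lists the sending hosts whose verification mail can never have arrived because the handshake died, which is the evidence support needs for the "ping-mail wasn't received" cases.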

Activities

jandd

2017-12-07 12:13

administrator   ~0005564

tverify is an alias of http://wiki.cacert.org/SystemAdministration/Systems/Webdb

dastrath

2017-12-07 12:31

administrator   ~0005565

The support of TLSv1.1 is mandatory according to HIPAA guidance.

(Nevertheless we should be able to send mails to TLS 1.2-Mailservers ... I'll run some tests to my own mailserver).

Many thanks for giving this information ... I'll pass this to support for cases, where the ping-mail wasn't received ...

wytze

2017-12-09 08:56

developer   ~0005566

There are two steps in verifying a new e-mail address supplied by a user.
The first step is carried out by the CAcert application itself, by setting up a connection to the required mail server (see the checkEmail function in includes/general.php).
The second step is done by actually sending an e-mail through the Postfix mail server running on the webdb server.
In this particular case, the second step is never reached because the first step fails.
I am suspecting that the failure of the first step may be due to running a fairly old version of PHP (5.4.45) on the webdb server. When we upgrade the webdb server to the current Debian oldstable release, PHP will be upgraded to 5.6.X, which *might* resolve this issue.
This Debian release upgrade needs to be done some time soon, but it will also be the last possible Debian release upgrade without a serious rewrite of the CAcert application -- that application is barely suitable for running on PHP 5.6, but nothing more recent.

wytze

2017-12-09 09:00

developer   ~0005567

By the way, the connect from tverify.cacert.org is due to the lack of configurability of the CAcert application code -- the PHP code does not support specifying the IPv4 or IPv6 address from which this outgoing connection is made, it simply picks one of the available ones :-(
The Postfix server is more well-behaved, it can be and is configured to use the www.cacert.org IPv4/IPv6 addresses.

Issue History

Date Modified Username Field Change
2017-12-07 11:06 HansMaulwurf New Issue
2017-12-07 11:06 HansMaulwurf Assigned To => jandd
2017-12-07 12:13 jandd Note Added: 0005564
2017-12-07 12:14 jandd Assigned To jandd => wytze
2017-12-07 12:31 dastrath Note Added: 0005565
2017-12-09 08:56 wytze Note Added: 0005566
2017-12-09 09:00 wytze Note Added: 0005567