View Issue Details

| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001430 | Infrastructure | tools | public | 2017-12-07 11:06 | 2017-12-09 09:00 |

Summary: 0001430: e-mail verification fails on TLS 1.2-only MX servers.

Description: When you add a new email address to your profile, the verification will fail on a secure mail server, because the outgoing CAcert mail server can't handle TLS 1.2-only servers.

Steps To Reproduce:
1. Add a new email address to your profile.
2. The verification process fails.

Additional Information: Here is the log of an example MX server:

```
Dec 7 11:56:41 system postfix/smtpd: connect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:43 system postfix/smtpd: SSL_accept error from tverify.cacert.org[2001:7b8:3:9c::247]: -1
Dec 7 11:56:43 system postfix/smtpd: warning: TLS library problem: 14310:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 7 11:56:44 system postfix/smtpd: lost connection after STARTTLS from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:44 system postfix/smtpd: disconnect from tverify.cacert.org[2001:7b8:3:9c::247]
```

Tags: No tags attached.
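The log excerpt above shows the whole failure pattern on the receiving side: connect, SSL_accept error, an OpenSSL "unknown protocol" warning, and a lost connection right after STARTTLS. The following Python script is an added example (not part of the report and not CAcert code) that groups postfix/smtpd lines into per-connection sessions and flags the ones where the STARTTLS upgrade never completed. The sample log is constructed from the five lines in the report plus one clean session from a made-up host; the function and class names are this example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the five postfix/smtpd lines quoted in the report, followed by a
# second, clean session from a made-up host (mail.example.net) as a contrast case.
SAMPLE_LOG = """\
Dec 7 11:56:41 system postfix/smtpd: connect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:43 system postfix/smtpd: SSL_accept error from tverify.cacert.org[2001:7b8:3:9c::247]: -1
Dec 7 11:56:43 system postfix/smtpd: warning: TLS library problem: 14310:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 7 11:56:44 system postfix/smtpd: lost connection after STARTTLS from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:44 system postfix/smtpd: disconnect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 12:01:02 system postfix/smtpd: connect from mail.example.net[192.0.2.10]
Dec 7 12:01:03 system postfix/smtpd: disconnect from mail.example.net[192.0.2.10]
"""

# syslog prefix as it appears in the report (no smtpd pid), then the smtpd message
SMTPD_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd: (?P<msg>.*)$")
# peer as postfix logs it: hostname[address]
PEER_RE = re.compile(r"from (?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]")


@dataclass
class Session:
    host: str
    addr: str
    started: str
    ended: Optional[str] = None
    ssl_accept_error: bool = False
    lost_after_starttls: bool = False
    tls_library_errors: list[str] = field(default_factory=list)

    @property
    def starttls_failed(self) -> bool:
        return self.ssl_accept_error or self.lost_after_starttls

    def diagnosis(self) -> str:
        if not self.starttls_failed:
            return "ok"
        if any("unknown protocol" in e for e in self.tls_library_errors):
            return ("handshake failed: the peer's first record after STARTTLS was not a "
                    "ClientHello this OpenSSL recognised (SSL23_GET_CLIENT_HELLO)")
        return "handshake failed after STARTTLS"


def parse_smtpd_log(text: str) -> list[Session]:
    """Group postfix/smtpd lines into per-connection sessions. The report's lines carry
    no smtpd pid, so sessions are keyed on the peer host[addr] instead."""
    sessions: list[Session] = []
    open_sessions: dict[tuple[str, str], Session] = {}
    last_active: Optional[Session] = None
    for line in text.splitlines():
        m = SMTPD_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        peer = PEER_RE.search(msg)
        key = (peer.group("host"), peer.group("addr")) if peer else None
        if key is not None and msg.startswith("connect from"):
            last_active = Session(host=key[0], addr=key[1], started=ts)
            sessions.append(last_active)
            open_sessions[key] = last_active
        elif key in open_sessions and msg.startswith("SSL_accept error"):
            last_active = open_sessions[key]
            last_active.ssl_accept_error = True
        elif msg.startswith("warning: TLS library problem:"):
            # this line names no peer; attach it to the most recently active session
            if last_active is not None:
                last_active.tls_library_errors.append(msg.split("TLS library problem: ", 1)[1])
        elif key in open_sessions and msg.startswith("lost connection after STARTTLS"):
            last_active = open_sessions[key]
            last_active.lost_after_starttls = True
        elif key in open_sessions and msg.startswith("disconnect from"):
            open_sessions.pop(key).ended = ts
    return sessions


def failed_starttls_peers(text: str) -> dict[str, int]:
    """Count sessions per peer host in which the STARTTLS upgrade did not complete."""
    counts: dict[str, int] = {}
    for s in parse_smtpd_log(text):
        if s.starttls_failed:
            counts[s.host] = counts.get(s.host, 0) + 1
    return counts


if __name__ == "__main__":
    for s in parse_smtpd_log(SAMPLE_LOG):
        print(f"{s.host} [{s.addr}] {s.started} -> {s.ended}: {s.diagnosis()}")
```

Run against a real mail log, the per-peer counts separate a sender whose TLS stack cannot complete the handshake (every session fails the same way) from ordinary transient errors; on the sample it reports exactly one failed session, for tverify.cacert.org.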
Note 0005564 (jandd, 2017-12-07 12:13):
tverify is an alias of http://wiki.cacert.org/SystemAdministration/Systems/Webdb
Note 0005565 (dastrath, 2017-12-07 12:31):
The support of TLSv1.1 is mandatory according to HIPAA guidance.
(Nevertheless we should be able to send mails to TLS 1.2 mail servers ... I'll run some tests against my own mail server.)
Many thanks for giving this information ... I'll pass this on to support for cases where the ping mail wasn't received ...
Notes 0005566 and 0005567 (wytze, 2017-12-09 08:56 and 09:00):
There are two steps in verifying a new e-mail address supplied by a user.
The first step is carried out by the CAcert application itself, by setting up a connection to the required mail server (see the checkEmail function in includes/general.php).
The second step is done by actually sending an e-mail through the Postfix mail server running on the webdb server.
In this particular case, the second step is never reached because the first step fails.
I suspect that the failure of the first step may be due to running a fairly old version of PHP (5.4.45) on the webdb server. When we upgrade the webdb server to the current Debian oldstable release, PHP will be upgraded to 5.6.X, which *might* resolve this issue.
This Debian release upgrade needs to be done some time soon, but it will also be the last possible Debian release upgrade without a serious rewrite of the CAcert application -- that application is barely suitable for running on PHP 5.6, but nothing more recent.
By the way, the connect from tverify.cacert.org is due to the lack of configurability of the CAcert application code -- the PHP code does not support specifying the IPv4 or IPv6 address from which this outgoing connection is made, it simply picks one of the available ones :-(
The Postfix server is better behaved: it can be and is configured to use the www.cacert.org IPv4/IPv6 addresses.
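The first verification step wytze describes is a plain client connection to the recipient's MX. As an added illustration (not CAcert's PHP checkEmail from includes/general.php, and not code from this thread), the Python probe below performs that step with a TLS 1.2-or-newer client context, so a server that has switched off TLS 1.0/1.1 can still be reached, and classifies what went wrong when the STARTTLS upgrade fails. The names build_probe_context, probe_mx_starttls, classify_failure and ProbeResult are this example's own.

```python
from __future__ import annotations

import smtplib
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Assumed names: ProbeResult, build_probe_context, classify_failure and probe_mx_starttls
# belong to this example, not to the CAcert application.


@dataclass
class ProbeResult:
    host: str
    port: int
    reachable: bool
    starttls_offered: bool = False
    tls_version: Optional[str] = None   # e.g. "TLSv1.2", set only after a successful handshake
    failure: Optional[str] = None       # classification from classify_failure()
    detail: Optional[str] = None        # str() of the exception, for the log


def build_probe_context(verify_peer: bool = True) -> ssl.SSLContext:
    """Client-side TLS settings for the probe: TLS 1.2 or newer only, so an MX that has
    disabled TLS 1.0/1.1 (the situation in the report) is still reachable."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not verify_peer:
        # A reachability probe against arbitrary MX hosts may not want to fail on
        # self-signed certificates: deliverability, not identity, is being checked.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify_failure(exc: BaseException) -> str:
    """Map an exception raised during the probe to a short, log-friendly cause."""
    text = str(exc)
    if isinstance(exc, ssl.SSLError):
        # OpenSSL error names seen when client and server share no protocol version
        if any(k in text for k in ("WRONG_VERSION_NUMBER", "UNSUPPORTED_PROTOCOL",
                                   "unknown protocol", "protocol version")):
            return "tls-version-mismatch"
        if "CERTIFICATE_VERIFY_FAILED" in text:
            return "certificate-verify-failed"
        return "tls-handshake-error"
    if isinstance(exc, smtplib.SMTPNotSupportedError):
        return "starttls-not-offered"
    if isinstance(exc, smtplib.SMTPException):
        return "smtp-error"
    if isinstance(exc, OSError):  # covers socket.timeout and ConnectionError
        return "connection-error"
    return "unknown"


def probe_mx_starttls(host: str, port: int = 25, timeout: float = 10.0,
                      verify_peer: bool = True) -> ProbeResult:
    """Connect to an MX, upgrade the session with STARTTLS and report what was
    negotiated. Nothing is sent after EHLO/STARTTLS except QUIT."""
    result = ProbeResult(host=host, port=port, reachable=False)
    smtp = smtplib.SMTP(timeout=timeout)
    try:
        smtp.connect(host, port)
        result.reachable = True
        smtp.ehlo()
        result.starttls_offered = smtp.has_extn("starttls")
        if not result.starttls_offered:
            raise smtplib.SMTPNotSupportedError("STARTTLS extension not supported by server.")
        smtp.starttls(context=build_probe_context(verify_peer))
        result.tls_version = smtp.sock.version()
        smtp.ehlo()  # a fresh EHLO is required after STARTTLS (RFC 3207)
        smtp.quit()
    except Exception as exc:  # the probe reports failures, it does not raise them
        result.failure = classify_failure(exc)
        result.detail = str(exc)
    finally:
        smtp.close()
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.invalid"  # placeholder host
    print(probe_mx_starttls(target))
```

A "tls-version-mismatch" result from a probe like this is the client-side counterpart of the "SSL_accept error" / "unknown protocol" lines in the report: the two TLS stacks share no usable protocol version, and the verification mail is never sent because the check itself fails.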
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2017-12-07 11:06 | HansMaulwurf | New Issue | |
| 2017-12-07 11:06 | HansMaulwurf | Assigned To | => jandd |
| 2017-12-07 12:13 | jandd | Note Added: 0005564 | |
| 2017-12-07 12:14 | jandd | Assigned To | jandd => wytze |
| 2017-12-07 12:31 | dastrath | Note Added: 0005565 | |
| 2017-12-09 08:56 | wytze | Note Added: 0005566 | |
| 2017-12-09 09:00 | wytze | Note Added: 0005567 | |