View Issue Details

IDProjectCategoryView StatusLast Update
0001430Main CAcert Websitepublic2019-02-22 11:41
ReporterHansMaulwurfAssigned ToTed 
PrioritynormalSeverityblockReproducibilityalways
Status solved?Resolutionfixed 
Product Version 
Target VersionFixed in Version 
Summary0001430: e-mail verification fails on TLS1.2 only mx severs.
DescriptionWhen you add an new email address to your profile, the verification will fail on secure mail server.
Because the outgoing cacert mail server can't handle TLS1.2 only servers.
Steps To Reproduce1. add an new email address to your profile
2. the verification process fails.
Additional InformationHere the log of an example mx server:
Dec 7 11:56:41 system postfix/smtpd[14310]: connect from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:43 system postfix/smtpd[14310]: SSL_accept error from tverify.cacert.org[2001:7b8:3:9c::247]: -1
Dec 7 11:56:43 system postfix/smtpd[14310]: warning: TLS library problem: 14310:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 7 11:56:44 system postfix/smtpd[14310]: lost connection after STARTTLS from tverify.cacert.org[2001:7b8:3:9c::247]
Dec 7 11:56:44 system postfix/smtpd[14310]: disconnect from tverify.cacert.org[2001:7b8:3:9c::247]
TagsNo tags attached.
Reviewed byTed
Test Instructions

Relationships

related to 0001459 fix availableGuKKDevel e-mail verification fails for many addresses since upgrade from PHP 5.5 to PHP 5.6 

Activities

jandd

2017-12-07 12:13

administrator   ~0005564

tverify is an alias of http://wiki.cacert.org/SystemAdministration/Systems/Webdb

dastrath

2017-12-07 12:31

administrator   ~0005565

The support of TLSv1.1 is mandatory according to HIPAA guidance.

(Nevertheless we should be able to send mails to TLS 1.2-Mailservers ... I'll run some tests to my own mailserver).

Many thanks for giving this information ... I'll pass this to support for cases, where the ping-mail wasn't received ...

wytze

2017-12-09 08:56

developer   ~0005566

There are two steps in verifying a new e-mail address supplied by a user.
The first step is carried out by the CAcert application itself, by setting up a connection to the required mail server (see the checkEmail function in includes/general.php).
The second step is done by actually sending an e-mail through the Postfix mail server running on the webdb server.
In this particular case, the second step is never reached because the first step fails.
I am suspecting that the failure of the first step may be due to running a fairly old version of PHP (5.4.45) on the webdb server. When we upgrade the webdb server to the current Debian oldstable release, PHP will be upgraded to 5.6.X, which *might* resolve this issue.
This Debian release upgrade needs to be done some time soon, but it will also be the last possible Debian release upgrade without a serious rewrite of the CAcert application -- that application is barely suitable for running on PHP 5.6, but nothing more recent.

wytze

2017-12-09 09:00

developer   ~0005567

By the way, the connect from tverify.cacert.org is due to the lack of configurability of the CAcert application code -- the PHP code does not support specifying the IPv4 or IPv6 address from which this outgoing connection is made, it simply picks one of the available ones :-(
The Postfix server is more well-behaved, it can be and is configured to use the www.cacert.org IPv4/IPv6 addresses.

wytze

2018-06-20 14:51

developer   ~0005603

With PHP 5.6.33 present on the current CAcert servers, this issue can be fixed with the following patch:

diff --git a/includes/general.php b/includes/general.php
index 902623a..d1431bc 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -768,7 +768,7 @@
                                }

                                $transcript .= "- Establishing encrypted connection\n";
- stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+ stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);

                                $transcript .= "! C->S: EHLO www.cacert.org\n";
                                fputs($fp, "EHLO www.cacert.org\r\n");

This has been verified with a test on test.cacert.org, adding a new mail address for a mail server which was configured to only support TLSv1.2, Without the code change shown above, the connection would fail; after adding the code change, the connection succeeded and the e-mail address could be added.

wytze

2018-06-20 14:52

developer   ~0005604

diff --git a/includes/general.php b/includes/general.php
index 902623a..d1431bc 100644
--- a/includes/general.php
+++ b/includes/general.php
@@ -768,7 +768,7 @@
                                }

                                $transcript .= "- Establishing encrypted connection\n";
- stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
+ stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);

                                $transcript .= "! C->S: EHLO www.cacert.org\n";
                                fputs($fp, "EHLO www.cacert.org\r\n");

wytze

2018-06-20 14:58

developer   ~0005605

Please test the fix installed on test.cacert.org against another mail server which is configured for TLSv1.2 only
and report the result here.
Please review the code change, which is based on information in https://secure.php.net/manual/en/function.stream-socket-enable-crypto.php .

Ted

2018-10-22 20:25

administrator   ~0005614

Last edited: 2018-10-22 20:27

View 2 revisions

Since we currently cannot push commits from the testserver I created the "usual" branch bug-1430 with Wytze's proposed changes on git.cacert.org and Github.

This branch has been merged into the testserver branch, which in turn was pulled to the testserver. So now the testserver looks like before (including Wytze's changes), but Git is clean. Or at least I hope so. :-)

So once testing and review is finished bug-1430 can easily be merged into the release branch.

Ted

2018-10-29 19:50

administrator   ~0005619

The change is so small I cannot find anything to comment...

The review is PASSED

dastrath

2018-11-16 18:37

administrator   ~0005681

I tested it in my own environment to my mailserver, and it worked.

There are no real codechanges, only a parameter-change for one command mails can be sent to mailservers using TLS 1.2 or TLS 1.1 only.

Therefore: Review is passed from my site, too.

dastrath

2018-11-16 18:39

administrator   ~0005682

This change can be implemented on the production server.

Ted

2019-02-13 19:38

administrator   ~0005767

Patch sent with change request to critical admins.

Waiting for confirmation before merging the bug-branch into release...

wytze

2019-02-14 10:43

developer   ~0005768

The fix has been installed on the production server on February 14, 2019. See also https://lists.cacert.org/wws/arc/cacert-systemlog/2019-02/msg00002.html

Ted

2019-02-14 20:38

administrator   ~0005769

Branch merged into release branch.

Issue History

Date Modified Username Field Change
2017-12-07 11:06 HansMaulwurf New Issue
2017-12-07 11:06 HansMaulwurf Assigned To => jandd
2017-12-07 12:13 jandd Note Added: 0005564
2017-12-07 12:14 jandd Assigned To jandd => wytze
2017-12-07 12:31 dastrath Note Added: 0005565
2017-12-09 08:56 wytze Note Added: 0005566
2017-12-09 09:00 wytze Note Added: 0005567
2018-06-20 14:51 wytze Note Added: 0005603
2018-06-20 14:52 wytze Status new => fix available
2018-06-20 14:52 wytze Note Added: 0005604
2018-06-20 14:58 wytze Status fix available => needs review & testing
2018-06-20 14:58 wytze Note Added: 0005605
2018-10-22 20:25 Ted Note Added: 0005614
2018-10-22 20:27 Ted Note Edited: 0005614 View Revisions
2018-10-29 19:50 Ted Note Added: 0005619
2018-10-29 19:52 Ted Project Infrastructure => Main CAcert Website
2018-10-29 19:52 Ted Category tools => General
2018-10-29 19:52 Ted Category General =>
2018-10-29 19:52 Ted Reviewed by => Ted
2018-10-29 19:55 Ted Assigned To wytze => dastrath
2018-10-29 19:55 Ted Status needs review & testing => needs review
2018-11-16 18:37 dastrath Note Added: 0005681
2018-11-16 18:39 dastrath Status needs review => ready to deploy
2018-11-16 18:39 dastrath Note Added: 0005682
2018-11-22 21:26 dastrath Assigned To dastrath => wytze
2019-02-13 19:38 Ted Note Added: 0005767
2019-02-13 19:38 Ted Status ready to deploy => solved?
2019-02-13 19:38 Ted Resolution open => fixed
2019-02-14 10:43 wytze Note Added: 0005768
2019-02-14 20:38 Ted Note Added: 0005769
2019-02-14 20:39 Ted Assigned To wytze => Ted
2019-02-22 11:41 wytze Relationship added related to 0001459