View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0001459Main CAcert Websitemy accountpublic2019-02-22 11:372019-02-25 21:33
Reporterwytze Assigned ToGuKKDevel  
PriorityimmediateSeveritymajorReproducibilityalways
Status fix availableResolutionopen 
PlatformDefaultOSanyOS Versionany
Summary0001459: e-mail verification fails for many addresses since upgrade from PHP 5.5 to PHP 5.6
Descriptione-mail verification fails for many e-mail addresses since the upgrade of PHP 5.5 to PHP 5.6 on the CAcert main webserver.
This is due to the fact that PHP 5.6 has introduced a new parameter for setting up TLS/SSL connections, verify_peer_name, which is set to TRUE by default:

http://php.net/manual/en/context.ssl.php#refsect1-context.ssl-changelog says

5.6.0 Added peer_fingerprint and verify_peer_name. verify_peer default changed to TRUE.

As a result, any mail address which is served by a mail server which has been setup with a certificate whose CN does not match the MX name, will fail the checkEmail() validation in www/includes/general.php. The error message logged on the server (but not shown to the user :-() is (mailserver.domain.name and mx.domain.name are hypothetical names here):

PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=`mailserver.domain.name' did not match expected CN=`mx.domain.name'

While such a mail server setup is not 100% clean, it is very common, especially with hosters hosting many different domains, and CAcert users should be able to get their e-mails verified for such domains (like they were in the past, when PHP 5.5 was still deployed).
Additional InformationThe following code fix solves this problem:

--- general.php.org 2019-02-14 09:17:44.753793847 +0100
+++ general.php 2019-02-22 12:35:20.403100537 +0100
@@ -593,6 +593,7 @@
                                $fp_opt = array(
                                        'ssl' => array(
                                                'verify_peer' => false, // Opportunistic Encryption
+ 'verify_peer_name' => false, // Opportunistic Encryption
                                                )
                                        );
                                $fp_ctx = stream_context_create($fp_opt);
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0001430 closedTed e-mail verification fails on TLS1.2 only mx severs. 

Activities

wytze

2019-02-22 11:39

developer   ~0005774

Last edited: 2019-02-22 11:42

 Due to the severity of this problem, which affects many domains as proven by a quick scan of the error logs for this specific message, the code fix listed in the Additional Information section has been deployed immediately on the production server as an emergency patch. Testing is therefore only possible on the test1.cacert.org server.

wytze

2019-02-22 16:21

developer   ~0005775

Retrospective log analysis of the production server reveals that this failure has occurred 9580 times, between Apr 16 16:08:39 2018 and Feb 22 11:46:52 2019. Hence an emergency patch seems justified here.

wytze

2019-02-22 16:23

developer   ~0005776

For proper testing on test.cacert.org, the checkEmailDummy function needs to be eradicated!

Ted

2019-02-25 21:31

administrator   ~0005777

Created new branch bug-1459 with Wytze's changes and pushed it to github and git.cacert.org.

Created new test branch test-1459 with enabled mail checking and checked it out on test.cacert.org. Note that Wytze's changes are not yet merged in, so it is now possible to to tests with the old version of mail checking.

Ted

2019-02-25 21:33

administrator   ~0005778

Reviewed the change. It is PASSED because there is no policy stating that SSL certificates of mail servers are checked strictly. Usually we even accept unencrypted mailserver connections...

Issue History

Date Modified Username Field Change
2019-02-22 11:37 wytze New Issue
2019-02-22 11:37 wytze Assigned To => GuKKDevel
2019-02-22 11:39 wytze Test Instructions Due to the severity of this problem, which affects many domains as proven by a quick scan of the error logs for this specific message, the code fix shown below has been deployed immediately on the production server as an emergency patch. Testing is theref =>
2019-02-22 11:39 wytze Note Added: 0005774
2019-02-22 11:40 wytze Description Updated
2019-02-22 11:41 wytze Relationship added related to 0001430
2019-02-22 11:42 wytze Note Edited: 0005774
2019-02-22 16:21 wytze Note Added: 0005775
2019-02-22 16:23 wytze Status new => fix available
2019-02-22 16:23 wytze Note Added: 0005776
2019-02-25 21:31 Ted Note Added: 0005777
2019-02-25 21:33 Ted Note Added: 0005778