View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
---|---|---|---|---|---
0001430 | Main CAcert Website | | public | 2017-12-07 11:06 | 2021-04-05 15:18

Field | Value | Field | Value | Field | Value
---|---|---|---|---|---
Reporter | HansMaulwurf | Assigned To | Ted | |
Priority | normal | Severity | block | Reproducibility | always
Status | closed | Resolution | fixed | |
Reviewed by | Ted | Tags | No tags attached. | |

Summary: 0001430: e-mail verification fails on TLS 1.2-only MX servers.

Description: When you add a new e-mail address to your profile, the verification will fail on a secure mail server, because the outgoing CAcert mail server can't handle TLS 1.2-only servers.

Steps To Reproduce:
1. Add a new e-mail address to your profile.
2. The verification process fails.

Additional Information: Here is the log of an example MX server:

    Dec 7 11:56:41 system postfix/smtpd[14310]: connect from tverify.cacert.org[2001:7b8:3:9c::247]
    Dec 7 11:56:43 system postfix/smtpd[14310]: SSL_accept error from tverify.cacert.org[2001:7b8:3:9c::247]: -1
    Dec 7 11:56:43 system postfix/smtpd[14310]: warning: TLS library problem: 14310:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
    Dec 7 11:56:44 system postfix/smtpd[14310]: lost connection after STARTTLS from tverify.cacert.org[2001:7b8:3:9c::247]
    Dec 7 11:56:44 system postfix/smtpd[14310]: disconnect from tverify.cacert.org[2001:7b8:3:9c::247]
tverify is an alias of http://wiki.cacert.org/SystemAdministration/Systems/Webdb
The support of TLSv1.1 is mandatory according to HIPAA guidance. (Nevertheless we should be able to send mails to TLS 1.2 mail servers ... I'll run some tests against my own mail server.) Many thanks for giving this information ... I'll pass this on to support for cases where the ping mail wasn't received ...
There are two steps in verifying a new e-mail address supplied by a user. The first step is carried out by the CAcert application itself, by setting up a connection to the required mail server (see the checkEmail function in includes/general.php). The second step is done by actually sending an e-mail through the Postfix mail server running on the webdb server. In this particular case, the second step is never reached because the first step fails. I am suspecting that the failure of the first step may be due to running a fairly old version of PHP (5.4.45) on the webdb server. When we upgrade the webdb server to the current Debian oldstable release, PHP will be upgraded to 5.6.X, which *might* resolve this issue. This Debian release upgrade needs to be done some time soon, but it will also be the last possible Debian release upgrade without a serious rewrite of the CAcert application -- that application is barely suitable for running on PHP 5.6, but nothing more recent.
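As an added example (not CAcert's own checkEmail code from includes/general.php), the following PHP sketch shows what the first verification step described above amounts to: a STARTTLS reachability probe against the recipient's mail server. It offers TLS 1.0 through 1.2 explicitly rather than relying on the generic STREAM_CRYPTO_METHOD_TLS_CLIENT constant, and it checks the result of the handshake instead of continuing with EHLO blindly. The MX host name, the EHLO name, the helper function names and the `$transcript` format are assumptions for illustration; the code assumes PHP 5.6 or later, where the per-version STREAM_CRYPTO_METHOD_TLSv1_*_CLIENT constants exist.

```php
<?php
// Added example, not CAcert's includes/general.php: a minimal STARTTLS
// reachability probe of the kind the first verification step performs.
// Assumed: $host is an MX host name listening on port 25, and PHP is 5.6 or
// later so that the STREAM_CRYPTO_METHOD_TLSv1_*_CLIENT constants exist.

// Read one (possibly multi-line) SMTP reply and return its 3-digit code.
function smtpReadReply($fp, &$transcript)
{
    $code = '';
    while (($line = fgets($fp, 4096)) !== false) {
        $transcript .= "! S->C: " . rtrim($line) . "\n";
        $code = substr($line, 0, 3);
        // "250-..." continues a reply; anything else in column 4 ends it.
        if (strlen($line) < 4 || $line[3] !== '-') {
            break;
        }
    }
    return $code;
}

// Send one command, log it, and return the reply code.
function smtpCommand($fp, $command, &$transcript)
{
    $transcript .= "! C->S: $command\n";
    fputs($fp, $command . "\r\n");
    return smtpReadReply($fp, $transcript);
}

// Returns the negotiated protocol name (or true when this PHP build does not
// expose it), false on any failure. $transcript collects the exchange so that
// support staff can see where a verification stalled.
function probeStartTls($host, $ehloName, &$transcript, $timeout = 10, $verifyPeer = false)
{
    $transcript = '';
    // Opportunistic TLS on MX hosts often comes with a certificate that does
    // not match the MX name, so verification is off by default: this probe
    // checks reachability and TLS negotiation, it is not an authentication step.
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => $verifyPeer,
        'verify_peer_name' => $verifyPeer,
        'peer_name'        => $host,
    )));
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("tcp://$host:25", $errno, $errstr, $timeout,
                                STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        $transcript .= "- connect failed: $errstr ($errno)\n";
        return false;
    }
    stream_set_timeout($fp, $timeout);

    if (smtpReadReply($fp, $transcript) !== '220'
        || smtpCommand($fp, "EHLO $ehloName", $transcript) !== '250'
        || smtpCommand($fp, "STARTTLS", $transcript) !== '220') {
        $transcript .= "- server did not accept EHLO/STARTTLS\n";
        fclose($fp);
        return false;
    }

    // Offer TLS 1.0 through 1.2 explicitly (the change made for this bug)
    // instead of the generic STREAM_CRYPTO_METHOD_TLS_CLIENT, whose meaning
    // differs between PHP versions; add 1.3 where the build knows it.
    $methods = STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $methods |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    $transcript .= "- Establishing encrypted connection\n";
    // true on success, false on failure (0 only for non-blocking streams).
    if (stream_socket_enable_crypto($fp, true, $methods) !== true) {
        $transcript .= "- TLS handshake failed\n";
        fclose($fp);
        return false;
    }
    $meta = stream_get_meta_data($fp);
    $protocol = isset($meta['crypto']['protocol']) ? $meta['crypto']['protocol'] : true;
    $transcript .= "- TLS established" . ($protocol === true ? "" : " ($protocol)") . "\n";

    // RFC 3207: after STARTTLS the client starts over with a fresh EHLO.
    $ok = smtpCommand($fp, "EHLO $ehloName", $transcript) === '250';
    smtpCommand($fp, "QUIT", $transcript);
    fclose($fp);
    return $ok ? $protocol : false;
}

// Usage (replace the host with a real MX of your own):
// $transcript = '';
// var_dump(probeStartTls('mx.example.net', 'www.cacert.org', $transcript));
// echo $transcript;
```

Run against a mail server that only accepts TLS 1.2, the handshake branch is the one that distinguishes the two behaviours in this bug: a client offering only TLS 1.0 gets `false` and a "TLS handshake failed" transcript line (the server side logs something like the "unknown protocol" warning quoted in the report), while the explicit version mask lets the negotiation complete and the probe reaches the second EHLO.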
By the way, the connect from tverify.cacert.org is due to the lack of configurability of the CAcert application code -- the PHP code does not support specifying the IPv4 or IPv6 address from which this outgoing connection is made, it simply picks one of the available ones :-( The Postfix server is better behaved, it can be and is configured to use the www.cacert.org IPv4/IPv6 addresses.
With PHP 5.6.33 present on the current CAcert servers, this issue can be fixed with the following patch:

diff --git a/includes/general.php b/includes/general.php index 902623a..d1431bc 100644 --- a/includes/general.php +++ b/includes/general.php @@ -768,7 +768,7 @@ } $transcript .= "- Establishing encrypted connection\n"; - stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT); + stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT); $transcript .= "! C->S: EHLO www.cacert.org\n"; fputs($fp, "EHLO www.cacert.org\r\n");

This has been verified with a test on test.cacert.org, adding a new mail address for a mail server which was configured to only support TLSv1.2. Without the code change shown above, the connection would fail; after adding the code change, the connection succeeded and the e-mail address could be added.
diff --git a/includes/general.php b/includes/general.php index 902623a..d1431bc 100644 --- a/includes/general.php +++ b/includes/general.php @@ -768,7 +768,7 @@ } $transcript .= "- Establishing encrypted connection\n"; - stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT); + stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT|STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT); $transcript .= "! C->S: EHLO www.cacert.org\n"; fputs($fp, "EHLO www.cacert.org\r\n"); |
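Review bot: the `+` line in this hunk calls stream_socket_enable_crypto() and the next unchanged lines go straight on to EHLO without testing the return value, so a handshake that still fails (a server accepting none of the three offered versions, or a certificate problem) is followed by EHLO on a socket that was never encrypted, and the transcript records only "- Establishing encrypted connection" with no hint of the failure. Suggest capturing the result and bailing out, e.g. `if (stream_socket_enable_crypto($fp, true, $methods) !== true) { $transcript .= "- TLS handshake failed\n"; return ...; }`. Secondly, the explicit TLSv1_0|TLSv1_1|TLSv1_2 mask pins the offered versions, so it will need extending when newer protocol versions matter; a one-line comment at the call site saying why the generic STREAM_CRYPTO_METHOD_TLS_CLIENT was replaced would help the next maintainer.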
Please test the fix installed on test.cacert.org against another mail server which is configured for TLSv1.2 only and report the result here. Please review the code change, which is based on information in https://secure.php.net/manual/en/function.stream-socket-enable-crypto.php.
Since we currently cannot push commits from the testserver I created the "usual" branch bug-1430 with Wytze's proposed changes on git.cacert.org and Github. This branch has been merged into the testserver branch, which in turn was pulled to the testserver. So now the testserver looks like before (including Wytze's changes), but Git is clean. Or at least I hope so. :-) So once testing and review is finished bug-1430 can easily be merged into the release branch.
The change is so small I cannot find anything to comment... The review is PASSED
I tested it in my own environment against my mail server, and it worked. There are no real code changes, only a parameter change for one command; mails can be sent to mail servers using TLS 1.2 or TLS 1.1 only. Therefore: Review is passed from my side, too.
This change can be implemented on the production server.
Patch sent with change request to critical admins. Waiting for confirmation before merging the bug-branch into release...
The fix has been installed on the production server on February 14, 2019. See also https://lists.cacert.org/wws/arc/cacert-systemlog/2019-02/msg00002.html
Branch merged into release branch. |
Date Modified | Username | Field | Change |
---|---|---|---|
2017-12-07 11:06 | HansMaulwurf | New Issue | |
2017-12-07 11:06 | HansMaulwurf | Assigned To | => jandd |
2017-12-07 12:13 | jandd | Note Added: 0005564 | |
2017-12-07 12:14 | jandd | Assigned To | jandd => wytze |
2017-12-07 12:31 | egal | Note Added: 0005565 | |
2017-12-09 08:56 | wytze | Note Added: 0005566 | |
2017-12-09 09:00 | wytze | Note Added: 0005567 | |
2018-06-20 14:51 | wytze | Note Added: 0005603 | |
2018-06-20 14:52 | wytze | Status | new => fix available |
2018-06-20 14:52 | wytze | Note Added: 0005604 | |
2018-06-20 14:58 | wytze | Status | fix available => needs review & testing |
2018-06-20 14:58 | wytze | Note Added: 0005605 | |
2018-10-22 20:25 | Ted | Note Added: 0005614 | |
2018-10-22 20:27 | Ted | Note Edited: 0005614 | |
2018-10-29 19:50 | Ted | Note Added: 0005619 | |
2018-10-29 19:52 | Ted | Project | Infrastructure => Main CAcert Website |
2018-10-29 19:52 | Ted | Category | tools => General |
2018-10-29 19:52 | Ted | Category | General => |
2018-10-29 19:52 | Ted | Reviewed by | => Ted |
2018-10-29 19:55 | Ted | Assigned To | wytze => egal |
2018-10-29 19:55 | Ted | Status | needs review & testing => needs review |
2018-11-16 18:37 | egal | Note Added: 0005681 | |
2018-11-16 18:39 | egal | Status | needs review => ready to deploy |
2018-11-16 18:39 | egal | Note Added: 0005682 | |
2018-11-22 21:26 | egal | Assigned To | egal => wytze |
2019-02-13 19:38 | Ted | Note Added: 0005767 | |
2019-02-13 19:38 | Ted | Status | ready to deploy => solved? |
2019-02-13 19:38 | Ted | Resolution | open => fixed |
2019-02-14 10:43 | wytze | Note Added: 0005768 | |
2019-02-14 20:38 | Ted | Note Added: 0005769 | |
2019-02-14 20:39 | Ted | Assigned To | wytze => Ted |
2019-02-22 11:41 | wytze | Relationship added | related to 0001459 |
2021-04-05 15:18 | egal | Status | solved? => closed |