View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001459||Main CAcert Website||my account||public||2019-02-22 11:37||2019-02-25 21:33|
|Summary||0001459: e-mail verification fails for many addresses since upgrade from PHP 5.5 to PHP 5.6|
|Description||e-mail verification fails for many e-mail addresses since the upgrade of PHP 5.5 to PHP 5.6 on the CAcert main webserver.|
This is due to the fact that PHP 5.6 has introduced a new parameter for setting up TLS/SSL connections, verify_peer_name, which is set to TRUE by default:
5.6.0 Added peer_fingerprint and verify_peer_name. verify_peer default changed to TRUE.
As a result, any mail address which is served by a mail server which has been setup with a certificate whose CN does not match the MX name, will fail the checkEmail() validation in www/includes/general.php. The error message logged on the server (but not shown to the user :-() is (mailserver.domain.name and mx.domain.name are hypothetical names here):
PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=`mailserver.domain.name' did not match expected CN=`mx.domain.name'
While such a mail server setup is not 100% clean, it is very common, especially with hosters hosting many different domains, and CAcert users should be able to get their e-mails verified for such domains (like they were in the past, when PHP 5.5 was still deployed).
|Additional Information||The following code fix solves this problem:|
--- general.php.org 2019-02-14 09:17:44.753793847 +0100
+++ general.php 2019-02-22 12:35:20.403100537 +0100
@@ -593,6 +593,7 @@
$fp_opt = array(
'ssl' => array(
'verify_peer' => false, // Opportunistic Encryption
+ 'verify_peer_name' => false, // Opportunistic Encryption
$fp_ctx = stream_context_create($fp_opt);
|Tags||No tags attached.|
Due to the severity of this problem, which affects many domains as proven by a quick scan of the error logs for this specific message, the code fix listed in the Additional Information section has been deployed immediately on the production server as an emergency patch. Testing is therefore only possible on the test1.cacert.org server.
||Retrospective log analysis of the production server reveals that this failure has occurred 9580 times, between Apr 16 16:08:39 2018 and Feb 22 11:46:52 2019. Hence an emergency patch seems justified here.|
||For proper testing on test.cacert.org, the checkEmailDummy function needs to be eradicated!|
Created new branch bug-1459 with Wytze's changes and pushed it to github and git.cacert.org.
Created new test branch test-1459 with enabled mail checking and checked it out on test.cacert.org. Note that Wytze's changes are not yet merged in, so it is now possible to to tests with the old version of mail checking.
||Reviewed the change. It is PASSED because there is no policy stating that SSL certificates of mail servers are checked strictly. Usually we even accept unencrypted mailserver connections...|
|2019-02-22 11:37||wytze||New Issue|
|2019-02-22 11:37||wytze||Assigned To||=> GuKKDevel|
|2019-02-22 11:39||wytze||Test Instructions||Due to the severity of this problem, which affects many domains as proven by a quick scan of the error logs for this specific message, the code fix shown below has been deployed immediately on the production server as an emergency patch. Testing is theref =>|
|2019-02-22 11:39||wytze||Note Added: 0005774|
|2019-02-22 11:40||wytze||Description Updated|
|2019-02-22 11:41||wytze||Relationship added||related to 0001430|
|2019-02-22 11:42||wytze||Note Edited: 0005774|
|2019-02-22 16:21||wytze||Note Added: 0005775|
|2019-02-22 16:23||wytze||Status||new => fix available|
|2019-02-22 16:23||wytze||Note Added: 0005776|
|2019-02-25 21:31||Ted||Note Added: 0005777|
|2019-02-25 21:33||Ted||Note Added: 0005778|