New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
attempt to verify SSL/TLS connections by default #339
Conversation
For the record: it'd be nice to catch cases where the connection fails because of validation errors and return a good error, but it doesn't look entirely straightforward. I believe we'd have to add an error handling function which basically did string matching on the error messages to class.smtp.php with |
f9aa51f
to
cf0199b
Compare
Couple of other notes: though it may not be entirely obvious from the code (I did try to mention it in comments), on PHP 5.6, if neither of the variables is set, you're basically getting PHP's default behaviour.
where we do...nothing. This means that for >= 5.6 (unless I was also in a few minds about where to implement this, but in the end I think One more thing - note that this still doesn't do any revocation checks. PHP doesn't do any by default (AFAICS) and neither does OpenSSL. I'm not too beat up about that, because revocation checking is a) really hard and b) of questionable benefit (there are other perspectives, and some later back and forth, but that one's pretty well argued). |
Thanks for all the effort you've put in here. This all sounds very sane. I'm still in xmas mode, so I'll get back on this soon! Have a great new year! |
cf0199b
to
ad073a0
Compare
Would this be optional? Only thought being that if the app already used a custom error handler that suitably logged suppressed errors. (?) At least be sure to |
@w3d I honestly just browsed the doc page for like five minutes before figuring 'eh, this looks like a lot of work' and skipping it. but note custom error handlers don't have to do everything; at any point they can return 'false' and the error falls through to the previous error handler. so my thought was one which simply looks out for SSL/TLS-y errors and does something appropriate, and falls through to the stock handling for everything else. it's one of those things where I'd have to start building it to see how much trouble it is and whether there's any hidden bits I didn't understand. (I think you can also check if there's already a custom error handler, so maybe only do this if there isn't?) the alternative is just to half-ass it and rewrite the generic error to say something like "this may be caused by an SSL/TLS validation error", of course. edit: on the other hand, http://php.net/manual/en/function.openssl-error-string.php is apparently a thing, which...yeah, why is that a thing? but it might be useful here? I don't know if @ suppresses those errors or not. I'll check it out. |
So I poked about at better error handling for a bit but didn't really get anywhere :/ For SSL connections, For TLS connections, we wind up on the expected failure path - STARTTLS fails - so I think that's being handled the way you want it to be handled. I've no idea if you find the SSL failure behaviour acceptable; if not, let me know what you'd like done about it. Note |
Ping? |
Hi - I'm guessing you saw I closed the other TLS-related ticket as that's now handled with the All you've said sounds very sane, and I don't have a problem causing SSL errors where it's appropriate. There have been quite a few changes recently and your patch won't apply cleanly - can you have a look at it and see how all this can fit together? I was planning on releasing 5.2.10 as-is tomorrow, but if you have some time to spend on this, I can postpone that. ...and apologies for not getting back to you before. |
Thanks! I'll see if I can find some time this week - if you don't hear from me by Friday, though, assume I failed :) |
b9c1da3
to
de0987b
Compare
This is an alternative approach to issue PHPMailer#196 (compared to tosiara's PR PHPMailer#197). It attempts a compromise between security and backward compatibility. It introduces two new variables, SMTPTLSRequireValidation and SMTPTLSTrustStore. The former indicates whether certificate validation is required, and has three settings - null, true, and false - with null indicating 'not explicitly chosen'. If set to false, all validation checks are explicitly turned off. If null or true, we try to find a certificate store, either from the setting of SMTPTLSTrustStore (if set), from a couple of well-known locations for the two major distribution groups (PHP < 5.6), or by simply accepting PHP's default behaviour which will use OpenSSL's default trust store if possible (PHP >= 5.6). If we cannot find one, secure connections will fail if RequireValidation is true, or certificate validation will be disabled and a debug message sent if RequireValidation is null. Whenever RequireValidation is true or null, secure connections will fail if the server host name does not match CN in the certificate. The new default behaviour is somewhat tighter than before the change for PHP versions earlier than 5.6 even if a trust store cannot be found, as previously the only check was for self-signed certificates (PHP rejects these by default, at least PHP 5.5 does); the hostname vs. CN check is new in this case. However, it's a much less major change than tosiara's approach.
I've re-diffed the patch. It didn't really need much changing. The |
This is all a bit academic now. PHP 5.6 is the only 5.x version stil current, and it solves the verification problem - it's easier to upgrade PHP than to try to resolve this for older versions. |
And of course, the world has an unblemished track record of only using 'current' versions of PHP ;) but, I don't really care any more; I decided a couple of years back to just stop dealing with anything at all to do with PHP as much as possible. |
Perl, Python and Ruby all did exactly the same as PHP; All started out not verifying certs, and all had exactly the same set of problems when they changed, so this isn't a PHP-specific thing at all. Those that are not upgrading PHP are unlikely to be updating PHPMailer either, so fixing things for legacy issues doesn't really help. |
It wasn't particularly to do with this specific issue. |
This is an alternative approach to issue #196 (compared to
tosiara's PR #197). It attempts a compromise between security
and backward compatibility.
It introduces two new variables, SMTPTLSRequireValidation and
SMTPTLSTrustStore. The former indicates whether certificate
validation is required, and has three settings - null, true,
and false - with null indicating 'not explicitly chosen'. If
set to false, all validation checks are explicitly turned off.
If null or true, we try to find a certificate store, either
from the setting of SMTPTLSTrustStore (if set), from a couple
of well-known locations for the two major distribution groups
(PHP < 5.6), or by simply accepting PHP's default behaviour
which will use OpenSSL's default trust store if possible (PHP >=
5.6). If we cannot find one, secure connections will fail
if RequireValidation is true, or certificate validation will
be disabled and a debug message sent if RequireValidation is
null.
Whenever RequireValidation is true or null, secure connections
will fail if the server host name does not match CN in the
certificate.
The new default behaviour is somewhat tighter than before the
change for PHP versions earlier than 5.6, as previously the
only check was for self-signed certificates (PHP rejects these
by default, at least PHP 5.5 does); the hostname vs. CN check
is new in this case. However, it's a much less major change
than tosiara's approach.