SSL Certificates not verified #2105

Closed
rcubetrac opened this issue Mar 10, 2009 · 6 comments

@rcubetrac

Reported by maniacmartin on 10 Mar 2009 21:33 UTC as Trac ticket #1485771

When connecting to an IMAP server over SSL, Roundcube will silently continue if the certificate is self-signed or a chain of trust cannot be established with the system-wide certificates in /etc/ssl.

Surely this should display a warning to the user in the browser, unless overridden in the settings to explicitly allow self-signed certificates, to prevent MITM attacks.

Migrated-From: http://trac.roundcube.net/ticket/1485771

@rcubetrac

Comment by thomasgraham on 8 Apr 2011 16:22 UTC

So I've been having a think about this and there are a couple of considerations. Firstly, lots of people running RoundCube like me don't want an annoying warning popping up all the time when they use it because they are too mean to pay for an SSL certificate so have a self-signed one, but at the very least when the person configuring RoundCube sets up the server it should tell them that the certificate cannot be trusted.

At the setup point, perhaps the user should get three options if the certificate can't be trusted:

  • ignore forever (maybe this should only be allowed in the case where the same server that hosts RoundCube is being used for the IMAP server?)
  • accept for all users, until the certificate changes or expires (question is, what happens then? I suppose probably a warning for all users until the admin updates settings?)
  • give each user a warning when the certificate isn't trusted and allow them to trust the certificate until it changes when they'd be presented with the same warning (this is what happens in email clients such as Mail.app and Thunderbird, and would obviously be required for installations which allow multiple IMAP servers to be used)

I'd guess that the third option would be the most sensible really, but would require quite some extra effort. I've added some incomplete code that does some of the tests for expiry etc. but I can't work out from PHP's documentation on openssl functions how you can actually verify a certificate as you might using openssl:

my.domain:~# openssl verify -CApath /etc/ssl/certs/ /etc/courier/imapd.pem
/etc/courier/imapd.pem: /C=GB/ST=SomeCity/L=MyTown/O=SomeOrg/OU=IMAP/CN=my.domain.name/emailAddress=email@my.domain.name
error 18 at 0 depth lookup:self signed certificate

@rcubetrac

Comment by SimpleCat on 8 Apr 2014 00:46 UTC

+1, I'd like to see this as an option in config.inc.php. An option that would work for self-signed certificates as well would be to allow the operator to specify the certificate(s) roundcube should trust.

Verification is very important - it allows us to know that the connection between roundcube and the mail server isn't being tampered with by 3rd parties. As it stands now roundcube will happily accept all certificates, making interception trivial.

(This would apply towards both the SMTP and IMAP parts of roundcube, not just IMAP.)
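
The `openssl verify -CApath` check asked about in the 2011 comment, and the operator-specified trusted certificate suggested in the 2014 comment, can both be done with PHP's OpenSSL extension. This is an added example, not part of the original thread or Roundcube's own code; the function name `verify_server_cert`, the host name `imap.example.test` and the generated certificate are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Verify a PEM certificate as a TLS server certificate against the given
// trust anchors (CA files and/or hashed CA directories, comparable to
// openssl verify -CAfile / -CApath). Hypothetical helper for this example.
function verify_server_cert(string $pem, array $trustAnchors): array
{
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        return ['trusted' => false, 'reason' => 'unparseable certificate'];
    }
    // Report expiry separately so an admin sees why the check failed.
    $now = time();
    if ($now < $info['validFrom_time_t'] || $now > $info['validTo_time_t']) {
        return ['trusted' => false, 'reason' => 'outside validity period'];
    }
    // Returns true (verified), false (not verified) or -1 (error).
    $result = openssl_x509_checkpurpose($pem, X509_PURPOSE_SSL_SERVER, $trustAnchors);
    if ($result === true) {
        return ['trusted' => true, 'reason' => 'chain verified'];
    }
    return [
        'trusted' => false,
        'reason'  => $result === false ? 'chain or purpose check failed' : 'verification error',
    ];
}

// Constructed sample input: a throwaway self-signed certificate.
$key  = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$csr  = openssl_csr_new(['commonName' => 'imap.example.test'], $key, ['digest_alg' => 'sha256']);
$cert = openssl_csr_sign($csr, null, $key, 30, ['digest_alg' => 'sha256']);
openssl_x509_export($cert, $pem);

// 1) Check against the system CA directory named in the thread.
print_r(verify_server_cert($pem, ['/etc/ssl/certs']));

// 2) Operator-specified trust: a CA file holding exactly this certificate.
$pinned = tempnam(sys_get_temp_dir(), 'pin');
file_put_contents($pinned, $pem);
print_r(verify_server_cert($pem, [$pinned]));
unlink($pinned);
```

On a live connection, PHP applies the same kind of check during the handshake through the `ssl` stream context options `verify_peer`, `verify_peer_name` and `cafile`.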

@rcubetrac

Comment by @alecpl on 6 Jul 2014 08:44 UTC

Since commit 109bcce you can at least configure Roundcube/PHP to fail if cert is not trusted. The same can be done for SMTP. As cert checking is an administrative feature I don't think there's much sense in displaying warnings to the user.

@rcubetrac

Comment by @thomascube on 14 Mar 2015 09:52 UTC

I agree that certs checking is more a sysadmin job in the context of a webmail application like Roundcube. Most users won't understand messages about certs validity for connections to IMAP or SMTP servers. With the recent changes Roundcube can be configured to not use connections with invalid certs and that's good enough to avoid security breaches and information leaks.

@rcubetrac

Status changed by @thomascube on 14 Mar 2015 09:52 UTC

new => closed

@rcubetrac

Milestone changed by @thomascube on 14 Mar 2015 09:52 UTC

later => 1.0.0
