SSL Certificates not verified #2105
Comments
Comment by thomasgraham on 8 Apr 2011 16:22 UTC So I've been having a think about this and there are a couple of considerations. Firstly, lots of people running RoundCube like me don't want an annoying warning popping up all the time when they use it because they are too mean to pay for an SSL certificate so have a self-signed one, but at the very least when the person configuring RoundCube sets up the server it should tell them that the certificate cannot be trusted. At the setup point, perhaps the user should get three options if the certificate can't be trusted:
I'd guess that the third option would be the most sensible really, but would require quite some extra effort. I've added some incomplete code that does some of the tests for expiry etc. but I can't work out from PHP's documentation on openssl functions how you can actually verify a certificate as you might using openssl:
Comment by SimpleCat on 8 Apr 2014 00:46 UTC +1, I'd like to see this as an option in config.inc.php. An option that would work for self-signed certificates as well would be to allow the operator to specify the certificate(s) roundcube should trust. Verification is very important - it allows us to know that the connection between roundcube and the mail server isn't being tampered with by 3rd parties. As it stands now roundcube will happily accept all certificates, making interception trivial. (This would apply towards both the SMTP and IMAP parts of roundcube, not just IMAP.)
Comment by @thomascube on 14 Mar 2015 09:52 UTC I agree that cert checking is more a sysadmin job in the context of a webmail application like Roundcube. Most users won't understand messages about cert validity for connections to IMAP or SMTP servers. With the recent changes Roundcube can be configured to not use connections with invalid certs and that's good enough to avoid security breaches and information leaks.
Status changed by @thomascube on 14 Mar 2015 09:52 UTC new => closed
Milestone changed by @thomascube on 14 Mar 2015 09:52 UTC later => 1.0.0
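Both the question in the first comment (how to make PHP actually verify a server certificate) and the later comments (an operator-specified trust store, refusing connections with invalid certs) come down to the options PHP's SSL stream context accepts. The following is an added example, not Roundcube's own code: it opens an IMAP-over-TLS connection that fails closed unless the certificate chains to the given CA file and matches the host name, then reports the leaf certificate's expiry. It assumes PHP 5.6 or later (for `verify_peer_name` and `peer_name`); the host `imap.example.org` and the CA file path are placeholders. The trailing config fragment reflects my understanding of Roundcube's `imap_conn_options` / `smtp_conn_options` settings, which are passed through to the same stream context; check the `config/defaults.inc.php` of your version for the exact keys.

```php
<?php
// Added example (not Roundcube project code). Requires PHP 5.6+.

/**
 * Connect to $host:$port over TLS with full certificate verification.
 * Returns array('greeting' => string, 'cert' => array) on success and
 * throws RuntimeException on any TLS failure: untrusted issuer, expired
 * certificate, host-name mismatch. Nothing is silently accepted.
 *
 * For a self-signed server, point $cafile at that certificate's PEM file:
 * a self-signed cert is its own trust anchor, which is the "operator
 * specifies the certificate(s) to trust" approach from the thread.
 */
function imap_connect_verified($host, $port = 993, $cafile = '/etc/ssl/certs/ca-certificates.crt')
{
    $ctx = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,    // validate the chain against $cafile
            'verify_peer_name'  => true,    // validate the name in the certificate
            'peer_name'         => $host,   // ... against this expected host name
            'allow_self_signed' => false,   // no bypass; self-signed is handled via $cafile
            'cafile'            => $cafile, // placeholder path, adjust for your system
            'verify_depth'      => 5,
            'capture_peer_cert' => true,    // keep the leaf cert so we can report on it
        ),
    ));

    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // With verify_peer on, the handshake itself fails here on a bad certificate,
        // which is exactly the "refuse rather than continue silently" behaviour requested.
        throw new RuntimeException("TLS connection to $host:$port refused: $errstr ($errno)");
    }

    $greeting = fgets($fp, 1024);
    $opts = stream_context_get_options($fp);
    fclose($fp);

    if ($greeting === false || (strpos($greeting, '* OK') !== 0 && strpos($greeting, '* PREAUTH') !== 0)) {
        throw new RuntimeException("Unexpected IMAP greeting from $host: " . var_export($greeting, true));
    }

    // capture_peer_cert stores the peer certificate resource in the context options.
    $parsed = openssl_x509_parse($opts['ssl']['peer_certificate']);
    $summary = array(
        'subject'    => isset($parsed['name']) ? $parsed['name'] : '?',
        'issuer'     => isset($parsed['issuer']['CN']) ? $parsed['issuer']['CN'] : '?',
        'expires'    => isset($parsed['validTo_time_t']) ? date('Y-m-d', $parsed['validTo_time_t']) : '?',
        'days_left'  => isset($parsed['validTo_time_t']) ? (int) floor(($parsed['validTo_time_t'] - time()) / 86400) : null,
    );

    return array('greeting' => rtrim($greeting), 'cert' => $summary);
}

// Usage at setup time, before the IMAP host is accepted into the configuration:
try {
    $r = imap_connect_verified('imap.example.org'); // placeholder host
    printf("Server greeting: %s\n", $r['greeting']);
    printf("Certificate: %s, issued by %s, expires %s (%d days left)\n",
        $r['cert']['subject'], $r['cert']['issuer'], $r['cert']['expires'], $r['cert']['days_left']);
} catch (RuntimeException $e) {
    // Surface this to the person configuring the server instead of to end users.
    printf("Refusing to use this IMAP server: %s\n", $e->getMessage());
}

// Equivalent settings in Roundcube's config.inc.php (my understanding of the
// imap_conn_options / smtp_conn_options keys; the same array shape goes to
// PHP's stream context). The weak form is what the issue complains about.
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => '/etc/ssl/certs/ca-certificates.crt', // or the server's own PEM
    ),
);
$config['smtp_conn_options'] = $config['imap_conn_options']; // SMTP needs the same treatment
// Weak form, for contrast only: accepts any certificate, which makes interception trivial.
// $config['imap_conn_options'] = array('ssl' => array('verify_peer' => false, 'allow_self_signed' => true));
```

The check belongs where the thread's later comments put it: at installation or in a sysadmin-facing diagnostic, run once against the configured host, rather than as a browser warning that webmail users cannot act on. Pointing `cafile` at a private CA or at the server's own self-signed certificate keeps verification strict without paying for a public certificate.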
Reported by maniacmartin on 10 Mar 2009 21:33 UTC as Trac ticket #1485771
When connecting to an IMAP server over SSL, Roundcube will silently continue if the certificate is self-signed or a chain of trust cannot be established with the system-wide certificates in /etc/ssl.
Surely this should display a warning to the user in the browser, unless overridden in the settings to explicitly allow self-signed certificates, to prevent MITM attacks.
Migrated-From: http://trac.roundcube.net/ticket/1485771