IMAP STARTTLS failing with TLSv1.2 only server #4955

Closed
rcubetrac opened this Issue Jan 14, 2016 · 5 comments

@rcubetrac

Reported by mbeichorn on 14 Jan 2016 05:24 UTC as Trac ticket #1490640

IMAP server is Dovecot 2.2.21
Roundcube is 1.1.3
PHP is 5.6.17

While performing the IMAP test using the installer (step 3), the installer test reports:

IMAP connect:  NOT OK(Login failed for ike from 10.0.1.0(X-Real-IP: 192.168.2.2,X-Forwarded-For: 192.168.2.2). Unable to negotiate TLS)

roundcube imap log:

[22:56:38 -0500](13-Jan-2016): <lsdh5ojl> [S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED](0A9A]) Dovecot ready.
[22:56:38 -0500](13-Jan-2016): <lsdh5ojl> [C: A0001 STARTTLS
[13-Jan-2016 22:56:38 -0500](0A9A]): <lsdh5ojl> [0A9A] S: A0001 OK Begin TLS negotiation now.

imap server log:

Jan 13 22:56:38 imap dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Jan 13 22:56:38 imap dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=10.0.1.11, lip=10.0.1.9, TLS handshaking: SSL_accept() failed: Unknown error, session=<KiERRkMp6PYKAAEL>

IMAP server (Dovecot) is configured for TLSv1.2 only.

I was able to force TLSv1.2 with the following diff:

--- program/lib/Roundcube/rcube_imap_generic.php.bak    2016-01-13 23:04:48.258176423 -0500
+++ program/lib/Roundcube/rcube_imap_generic.php        2016-01-13 23:05:21.498171055 -0500
@@ -910,7 +910,7 @@
                 return false;
             }

-            if (!stream_socket_enable_crypto($this->fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+            if (!stream_socket_enable_crypto($this->fp, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT)) {
                 $this->setError(self::ERROR_BAD, "Unable to negotiate TLS");
                 $this->closeConnection();
                 return false;
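Review bot: the changed line swaps STREAM_CRYPTO_METHOD_TLS_CLIENT for STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, which pins the client to TLS 1.2 only, so a server that offers only TLS 1.0 or 1.1 would now fail in exactly the way this TLS 1.2-only Dovecot does today. Rather than trading one fixed version for another, OR the per-version client flags together so the client offers every version it supports and the server picks the highest, and guard each with defined() since STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT and STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT only exist on PHP >= 5.6 (the reporter is on 5.6.17, but release branches target older PHP too).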

However http://php.net/manual/en/migration56.openssl.php indicates that STREAM_CRYPTO_METHOD_TLS_CLIENT should work for any version of TLS. Unfortunately it is not working in this case.

Migrated-From: http://trac.roundcube.net/ticket/1490640
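The following is an added example written for this page, not Roundcube's code and not what commit 191a6a6 does: a small PHP STARTTLS probe that builds the crypto-method bitmask from every TLS client constant the running PHP build defines (guarded by `defined()`, since the per-version constants only exist on PHP 5.6 and later), refuses to continue if the server does not advertise STARTTLS, and keeps peer verification on for the upgraded socket. Host and port are placeholders; the function names are ours.

```php
<?php
// Added example (not Roundcube's own code): open a plaintext IMAP connection,
// issue STARTTLS and upgrade the socket while offering every TLS version the
// running PHP build supports instead of pinning a single version.

/** Build the crypto-method bitmask for stream_socket_enable_crypto(). */
function imap_tls_client_method()
{
    // The catch-all STREAM_CRYPTO_METHOD_TLS_CLIENT has not meant "any TLS
    // version" on every PHP 5.6.x build, so OR in the per-version client
    // flags this build defines (they exist only on PHP >= 5.6).
    $method = STREAM_CRYPTO_METHOD_TLS_CLIENT;
    foreach (array('STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT',
                   'STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT',
                   'STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT') as $name) {
        if (defined($name)) {
            $method |= constant($name);
        }
    }
    return $method;
}

/** Send one tagged command; return all response lines up to the tagged one. */
function imap_command($fp, $tag, $cmd)
{
    fwrite($fp, "$tag $cmd\r\n");
    $lines = array();
    while (($line = fgets($fp)) !== false) {
        $lines[] = $line;
        if (strncmp($line, "$tag ", strlen($tag) + 1) === 0) {
            return $lines;
        }
    }
    return false; // connection dropped before the tagged response
}

/** Connect, STARTTLS, verify the peer, re-read CAPABILITY, LOGOUT. */
function imap_starttls_probe($host, $port = 143)
{
    // Peer-verification options are taken from the stream's context when
    // crypto is enabled later, so they must be set on the plaintext socket.
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host,
    )));
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if (!$fp) {
        fwrite(STDERR, "connect failed: $errstr ($errno)\n");
        return false;
    }
    stream_set_timeout($fp, 10);

    $greeting = fgets($fp);
    if ($greeting === false || strncmp($greeting, '* OK', 4) !== 0) {
        fwrite(STDERR, "unexpected greeting: " . trim((string) $greeting) . "\n");
        fclose($fp);
        return false;
    }

    // Dovecot puts CAPABILITY in the greeting; other servers need a request.
    $caps = $greeting;
    if (stripos($caps, 'STARTTLS') === false) {
        $resp = imap_command($fp, 'A0000', 'CAPABILITY');
        $caps = $resp ? implode('', $resp) : '';
    }
    // Never fall back to sending credentials in the clear.
    if (stripos($caps, 'STARTTLS') === false) {
        fwrite(STDERR, "server does not advertise STARTTLS; aborting\n");
        fclose($fp);
        return false;
    }

    $resp = imap_command($fp, 'A0001', 'STARTTLS');
    if (!$resp || strncmp(end($resp), 'A0001 OK', 8) !== 0) {
        fwrite(STDERR, "STARTTLS refused\n");
        fclose($fp);
        return false;
    }

    // On a blocking socket this returns true or false; 0 only occurs on
    // non-blocking streams, so compare strictly against true.
    if (stream_socket_enable_crypto($fp, true, imap_tls_client_method()) !== true) {
        fwrite(STDERR, "TLS negotiation failed\n");
        fclose($fp);
        return false;
    }

    // RFC 2595: capabilities must be re-read after the upgrade; the pre-TLS
    // LOGINDISABLED seen in the ticket's log is expected to disappear here.
    $resp = imap_command($fp, 'A0002', 'CAPABILITY');
    fwrite(STDOUT, $resp ? implode('', $resp) : "no CAPABILITY response\n");
    imap_command($fp, 'A0003', 'LOGOUT');
    fclose($fp);
    return true;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $port = isset($argv[2]) ? (int) $argv[2] : 143;
    exit(imap_starttls_probe($argv[1], $port) ? 0 : 1);
}
```

Run it as `php probe.php imap.example.invalid 143` against a host you administer; a TLS 1.2-only server like the Dovecot in this ticket negotiates because the bitmask includes the 1.2 flag, while a server still limited to 1.0 or 1.1 is not locked out the way the hard-coded `STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT` patch would lock it out. Because `verify_peer` and `verify_peer_name` stay on, a handshake against the wrong certificate fails at the upgrade step rather than silently continuing.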

rcubetrac Jan 14, 2016

Comment by @alecpl on 14 Jan 2016 07:20 UTC

This was fixed in 191a6a6. Needs backporting to 1.1.

rcubetrac Jan 14, 2016

Owner changed by @alecpl on 14 Jan 2016 07:20 UTC

=> alec

rcubetrac Jan 14, 2016

Milestone changed by @alecpl on 14 Jan 2016 07:20 UTC

later => 1.1.5

rcubetrac Jan 14, 2016

Comment by @alecpl on 14 Jan 2016 11:52 UTC

Backported to release-1.0 and release-1.1 branch.

rcubetrac Jan 14, 2016

Status changed by @alecpl on 14 Jan 2016 11:52 UTC

new => closed