[RCD] CA validation

Emmanuel Dreyfus manu at netbsd.org
Sun Nov 24 06:20:56 CET 2013


Hi

Right now, Roundcube supports TLS, but there is no way to enforce IMAP
and SMTP server certificate validation. This is very infortunate, since
it means RoundCube has no way to detect trivial MiM attacks using a
self-signed certificate.

Let us look at the SMTP side. Connexion handle is obtained in
program/lib/Roundcube/rcube_smtp.php:
$this->conn = new Net_SMTP($smtp_host, $smtp_port, $helo_host);

Net_SMTP allows a stream context options to be provided, and this stream
context options can be used to enforce CA valdation. It would work like
this:

$opts = array(
       'ssl' => array(
                  'verify_peer' => TRUE,
                  'verify_depth' => 5,
                  'cafile' => '/path/to_ca_file', 
        ),
);
$this->conn = 
    new Net_SMTP($smtp_host, $smtp_port, $helo_host, false, 0, $opts);
   
I would like to contribute such a change. Obviously, ca_file must be
available as a config option (what name?). Is there any comment on the
approach?   

I have not looked at the IMAP side: I use imapproxy for connexion
caching, and therefore Roundcube is not in charge of TLS.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu at netbsd.org


More information about the dev mailing list