[RCD] CA validation

Emmanuel Dreyfus manu at netbsd.org
Sun Nov 24 06:20:56 CET 2013


Right now, Roundcube supports TLS, but there is no way to enforce IMAP
and SMTP server certificate validation. This is very infortunate, since
it means RoundCube has no way to detect trivial MiM attacks using a
self-signed certificate.

Let us look at the SMTP side. Connexion handle is obtained in
$this->conn = new Net_SMTP($smtp_host, $smtp_port, $helo_host);

Net_SMTP allows a stream context options to be provided, and this stream
context options can be used to enforce CA valdation. It would work like

$opts = array(
       'ssl' => array(
                  'verify_peer' => TRUE,
                  'verify_depth' => 5,
                  'cafile' => '/path/to_ca_file', 
$this->conn = 
    new Net_SMTP($smtp_host, $smtp_port, $helo_host, false, 0, $opts);
I would like to contribute such a change. Obviously, ca_file must be
available as a config option (what name?). Is there any comment on the

I have not looked at the IMAP side: I use imapproxy for connexion
caching, and therefore Roundcube is not in charge of TLS.

Emmanuel Dreyfus
manu at netbsd.org

More information about the dev mailing list