[GH-ISSUE #137] TLS 1.0 usage hardcoded (crypto_type option in stream_socket_enable_crypto calls) #113

Closed
opened 2026-02-25 21:34:11 +03:00 by kerem · 5 comments

Originally created by @jmce on GitHub (Oct 15, 2016).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/137

Originally assigned to: @Danelif on GitHub.

In

  • modules/imap/hm-imap.php
  • modules/pop3/hm-pop3.php
  • modules/smtp/hm-smtp.php

stream_socket_enable_crypto() is called with STREAM_CRYPTO_METHOD_TLS_CLIENT as crypto_type. According to a note in http://php.net/manual/en/function.stream-socket-enable-crypto.php this restricts communication to TLS 1.0 (since PHP version 5.6.7) — thus failing to connect to servers already not supporting TLS 1.0.

I noticed this by configuring cypht to connect to dovecot (IMAP, port 143) and postfix (SMTP 'submission', port 587) using STARTTLS. No problem on IMAP (by then dovecot was set up to refuse SSLv2 & SSLv3 only), but postfix was already configured to only accept TLS 1.2 on submission. As a result, cypht was unable to send email, with postfix log entries like

… postfix/submission/smtpd[20038]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

My quick fix (just having to support local connections) was to replace STREAM_CRYPTO_METHOD_TLS_CLIENT with STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT.
For general use I suppose the ORing suggested in http://php.net/manual/en/function.stream-socket-enable-crypto.php would be the way to go, but it would be even nicer for cypht to allow configuring this separately for each connection (.ini file for main connections, user web interface for additional ones).

Version info:

cypht master.zip files from 2016-10-12 14:48:18 +0000 on Debian Jessie [8.6] with

  • nginx-… 1.9.10-1~bpo8+3
  • php5-… 5.6.26+dfsg-0+deb8u1 (using php5-fpm)
  • postfix-… 2.11.3-1
  • dovecot-… 1:2.2.24-1~bpo8+1
  • openssl-… 1.0.2j-1~bpo8+1
  • libssl1.0.0 1.0.2j-1~bpo8+1
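As an added illustration (not cypht's code) of the fix the issue and the php.net note describe: a helper that builds the `crypto_type` bitmask from the per-version constants instead of the bare `STREAM_CRYPTO_METHOD_TLS_CLIENT`, and a STARTTLS upgrade step that checks which protocol was actually negotiated. It goes one step further than the ORing suggested above by leaving TLS 1.0/1.1 out unless explicitly requested; the `tls_client_crypto_method` and `starttls_upgrade` names, the `mail.example.test` host and the PHP 7 type hints are assumptions of this example.

```php
<?php
// Weak call described in the issue: crypto_type = STREAM_CRYPTO_METHOD_TLS_CLIENT,
// which on PHP 5.6.7+ pins the client to TLS 1.0, so a TLS 1.2-only submission
// server rejects the ClientHello. Hardened alternative below.

function tls_client_crypto_method(bool $allow_legacy = false): int
{
    // Prefer the newest versions this PHP/OpenSSL build knows about.
    $method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) {
        $method |= STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;   // constant exists on PHP >= 7.4
    }
    if ($allow_legacy) {
        // Only for servers that cannot do TLS 1.2; both versions are deprecated.
        $method |= STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
    }
    return $method;
}

/**
 * Upgrade an already-open plaintext socket (after the server accepted the
 * STARTTLS command) and return the negotiated protocol, e.g. "TLSv1.2".
 */
function starttls_upgrade($socket, bool $allow_legacy = false): string
{
    $ok = stream_socket_enable_crypto($socket, true, tls_client_crypto_method($allow_legacy));
    // Blocking sockets return true/false; 0 means "not finished" on non-blocking ones.
    if ($ok !== true) {
        $err = error_get_last();
        throw new RuntimeException('TLS negotiation failed: ' . ($err['message'] ?? 'unknown'));
    }
    // The crypto entry of the stream metadata reports what OpenSSL actually negotiated.
    $meta  = stream_get_meta_data($socket);
    $proto = $meta['crypto']['protocol'] ?? 'unknown';
    if (!$allow_legacy && !in_array($proto, ['TLSv1.2', 'TLSv1.3'], true)) {
        throw new RuntimeException("Unexpected protocol negotiated: $proto");
    }
    return $proto;
}

// Usage sketch for the submission port from the issue (host is a placeholder):
// $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'peer_name' => 'mail.example.test']]);
// $s   = stream_socket_client('tcp://mail.example.test:587', $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
// ... read the 220 greeting, send EHLO, send STARTTLS, read the 220 reply ...
// echo starttls_upgrade($s), "\n";
```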
kerem 2026-02-25 21:34:11 +03:00

@jasonmunro commented on GitHub (Oct 17, 2016):

For now I implemented the suggested work around from the php.net comment. Seems like a reasonable work around until I can come up with some custom options. Putting some optional stuff in the ini file for this that falls back to the default makes sense. I'm not super keen on adding it to the UI, but we already have some confusion about TLS vs STARTTLS so maybe I need to revisit that anyway.

Thanks for the great feedback!


@marclaporte commented on GitHub (May 7, 2024):

@Danelif please advise


@IrAlfred commented on GitHub (Sep 26, 2025):

@Danelif What's the next step here?


@Danelif commented on GitHub (Sep 26, 2025):

@IrAlfred need to understand deeply and get back
Let me create a Task to be tracked


@Danelif commented on GitHub (Oct 8, 2025):

@IrAlfred @jmce @marclaporte https://github.com/cypht-org/cypht/pull/1732
