Mail: STARTTLS Certificate Check

Created on 15 Feb 2017 · 10 Comments · Source: nextcloud/mail

Hi Guys,
I'm just curious, but does the App validate the Remote Certificate when connecting via IMAPS or SMTPS?
I've manually configured it to connect to my Mailserver.
But I've used a different Hostname which is not included in the Certificate's Common Name.

Unfortunately it connects and just works, without any Warnings to the User.

Does it validate the Remote Certificate? And if yes, which Fields?

Steps to reproduce

  1. Connect via "Manual Config" to an own Mailserver with STARTTLS
  2. Hostname of Mailserver doesn't match the Entries in "Common Name" of the Mailserver's Certificate
  3. Mail App connects successfully

Expected behaviour

Print Warning "TLS Cert Hostname Mismatch" + Option to Accept this Issue

Actual behaviour

Mail App connects successfully

Mail app

Mail app version: (see apps admin page)
0.6.2

Mailserver or service: (e.g. Outlook, Yahoo, Gmail, Exchange,...)
Dovecot

Transport security - IMAP: (None, SSL, TLS, STARTTLS)
STARTTLS
Transport security - SMTP: (None, SSL, TLS, STARTTLS)
STARTTLS

Labels: 1. to develop, help wanted, high, security

All 10 comments

Hey @fti7,

unfortunately, I don't know whether the Horde libs validate the certificate or not. As you've observed, it might actually not do so. Check out https://github.com/horde/horde/blob/d5b93c63782157370a47f9ce93ce27f21d3d6b87/framework/Imap_Client/lib/Horde/Imap/Client/Base.php#L168-L236. This is the constructor of the IMAP client implementation.

Check https://bugs.horde.org/ticket/13730
It looks like verify_peer/verify_peer_name can be enabled by using the "context" parameter.
Also, the last Post in the Bug report sounds like this should be implemented directly in the Clients.

Horde does not verify the peer certificate during TLS handshake and
accepts all ciphers when acting as client. This is probably to enable
self-signed certificates. However, in an environment where a secure
connection matters this behavior is not acceptable. Therefore I added
the possibility to enable peer verification and cipher selection. These
options can be found in the openssl tab in horde's configuration. If
enabled, these options will be used by client.php to verify the peer
certificate during the TLS handshake.
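
The `verify_peer` and `verify_peer_name` settings mentioned in the comment above are PHP's own SSL stream context options. As an added example (not code from Horde, the Mail app or anyone in this thread), the script below opens an IMAP connection, issues STARTTLS and runs the handshake with both checks enabled; the function name `checkImapStarttls` and the command-line usage are assumptions of the example.

```php
<?php
// Added example (not Horde or Mail app code). Pass the host name exactly as you
// would type it into the account settings.
function checkImapStarttls(string $host, int $port = 143): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,   // chain must end at a trusted CA
        'verify_peer_name'  => true,   // certificate must be issued for $host
        'peer_name'         => $host,  // set explicitly; the socket starts as plain tcp://
        'allow_self_signed' => false,
        'capture_peer_cert' => true,   // keep the certificate for reporting
    ]]);
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return ['ok' => false, 'error' => "connect failed: $errstr"];
    }
    stream_set_timeout($fp, 10);
    if (fgets($fp) === false) {                    // "* OK ..." greeting
        fclose($fp);
        return ['ok' => false, 'error' => 'no IMAP greeting'];
    }
    fwrite($fp, "a1 STARTTLS\r\n");
    do {                                           // skip untagged lines
        $line = fgets($fp);
    } while ($line !== false && strncmp($line, 'a1 ', 3) !== 0);
    if ($line === false || stripos($line, 'a1 OK') !== 0) {
        fclose($fp);
        return ['ok' => false, 'error' => 'server did not accept STARTTLS'];
    }
    // The handshake fails here when the chain or the host name does not verify.
    if (@stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        $err = error_get_last()['message'] ?? 'TLS handshake failed';
        fclose($fp);
        return ['ok' => false, 'error' => $err];
    }
    $opts = stream_context_get_options($fp);
    $cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
    fclose($fp);
    return [
        'ok'      => true,
        'subject' => $cert['subject']['CN'] ?? null,
        'san'     => $cert['extensions']['subjectAltName'] ?? null,
    ];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(checkImapStarttls($argv[1]));
}
```

Saved under a file name of your choice and run as `php <file> <hostname>`, it returns `ok => false` with PHP's handshake error when the host name is not covered by the certificate, which is the condition from the steps to reproduce.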

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Is this fixed in the meanwhile?

Nope.

@ChristophWurst
How bad is this?
As a lawyer I manage sensitive information via email. Should I use it any more? (not to mention I trusted all your public materials on security)

We have to evaluate internally. So far I've not been able to reproduce with an account that has tls set as security option, because Horde switches to secure TLS options by default. I'll keep you posted.

@laurentiu2 the connection between your nextcloud server and your email provider can be intercepted without you realizing it. So if they're both on the same machine you're probably fine. If there's the internet between your nextcloud and your email provider, you should stop using it for now.

Thanks a lot @fti7 for your report again. This has been resolved in our latest maintenance releases and we're working on the advisories at the moment.

Please let us know how you'd like to be credited in our official advisory. We require the following information:

  • Name / Pseudonym
  • Email address (optional)
  • Website (optional)
  • Company (optional)

@nickvergessen @ChristophWurst thx for fixing it :-)
Sure, use this please: Frank Isemann frank@isemann.name
