Bug #76928 Unable to connect via TLS 1.2
Submitted: 2018-09-24 18:04 UTC Modified: -
Votes:5
Avg. Score:4.6 ± 0.8
Reproduced:5 of 5 (100.0%)
Same Version:4 (80.0%)
Same OS:5 (100.0%)
From: post at rolandgruber dot de Assigned:
Status: Open Package: IMAP related
PHP Version: 7.2.10 OS: Linux
Private report: No CVE-ID: None
 [2018-09-24 18:04 UTC] post at rolandgruber dot de
Description:
------------
It seems that the PHP IMAP module depends on some old library (libc-client2007e) that does not support TLS v1.2. On imap_open() an error "TLS/SSL failure for <my_imap_server>: SSL negotiation failed" is reported.

Please support recent TLS versions. This is also a security issue.

User report:

The IMAP server is running cyrus 2.5.
I had to modify the parameter tls_versions in /etc/imapd.conf from
tls_versions: tls1_2
to
tls_versions: tls1_0 tls1_1 tls1_2
to make the imapAccess work, which is less secure now.

Expected result:
----------------
IMAP connections with TLS v1.2 are working.

Actual result:
--------------
TLS/SSL failure for <my_imap_server>: SSL negotiation failed

 [2018-09-25 21:09 UTC] aurelien dot grimal at tech-tips dot fr
The problem is only concerning IMAP with StartTLS (port 143) and not direct SSL on IMAPS (port 993).
So IMAP with StartTLS can't use further than TLS1.0, and IMAP on SSL can use TLS1.2.
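
To tell a server-side limit apart from the c-client limit discussed in this thread, both paths (STARTTLS on 143, IMAPS on 993) can be probed with PHP's own stream layer, which uses OpenSSL rather than c-client. This is an added example, not part of the original thread; the host name is a placeholder and `probe_imap_tls` is a hypothetical helper.

```php
<?php
// Added diagnostic example; not code from the bug report or from PHP itself.
// It uses PHP streams (OpenSSL) rather than ext-imap/c-client.

function probe_imap_tls(string $host, int $port, bool $starttls): string
{
    $ctx = stream_context_create(['ssl' => [
        'peer_name'        => $host,
        'verify_peer'      => true,
        'verify_peer_name' => true,
    ]]);
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return "connect failed: $errstr";
    }
    stream_set_timeout($fp, 10);

    if ($starttls) {
        // Plaintext phase: consume the server greeting, then request the upgrade.
        if (fgets($fp) === false) {
            fclose($fp);
            return 'no IMAP greeting received';
        }
        fwrite($fp, "a1 STARTTLS\r\n");
        do {
            $line = fgets($fp);
        } while ($line !== false && strncmp($line, 'a1 ', 3) !== 0);
        if ($line === false || stripos($line, 'a1 OK') !== 0) {
            fclose($fp);
            return 'STARTTLS refused: ' . trim((string) $line);
        }
    }

    // Offer TLS 1.2 only, matching a server set to "tls_versions: tls1_2".
    $ok = @stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);
    if ($ok !== true) {
        fclose($fp);
        return 'TLS 1.2 handshake failed';
    }
    $crypto = stream_get_meta_data($fp)['crypto'] ?? [];
    fclose($fp);
    return sprintf('negotiated %s with %s', $crypto['protocol'] ?? '?', $crypto['cipher_name'] ?? '?');
}

$host = 'imap.example.org'; // placeholder host, replace with the server under test
printf("143/STARTTLS: %s\n", probe_imap_tls($host, 143, true));
printf("993/IMAPS:    %s\n", probe_imap_tls($host, 993, false));
```

If both probes report TLSv1.2 while imap_open() still fails on port 143, the server is fine and the limit is in the c-client build that ext-imap links against.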
 [2018-09-25 22:02 UTC] spam2 at rhsoft dot net
be happy when it works at all and use some proxy in localhost which handles the encryption over wire

https://bugzilla.redhat.com/show_bug.cgi?id=1609777

here after upgrade to Fedora 28 the extension without even touched it is enough that a graceful reload leads to an endless loop of httpd crashes

sadly there is no usable replacement for my use case testing mail servers for example if imap/pop3 deliver the same content since we had troubles of that sort in production and so tests exists with php-imap
 [2018-11-06 00:37 UTC] tbk at jjtc dot eu
I ran into the same issue when trying to set up NextCloud v14 with “External user support” (user_external) IMAP authentication and trying to chase it down led me down the rabbit hole.

Two PHP alternatives to php-imap/uw-imap:
Rough "user space" implementation of uw-imap - https://www.drupal.org/files/issues/mailhandler.user_imap.patch
Horde IMAP Client library - https://wiki.horde.org/Project/HordeImapLib


History time... Here we go!


Mark Crispin, the inventor of the IMAP protocol and creator of imap (imap-uw/uw-imap/libc-client/c-client), left UW (University of Washington) in 2008.
https://en.wikipedia.org/wiki/Mark_Crispin
https://www.washington.edu/imap/
https://en.wikipedia.org/wiki/UW_IMAP

After he left UW he created a fork called Panda IMAP. Development stopped in 2012 when Mark Crispin passed away.
https://web.archive.org/web/20120716204450/http://panda.com/imap/changes.html

The latest version of the source (from 2012) was made available by Jonathan Abbey at https://github.com/jonabbey/panda-imap

According to this PR comment in a Panda IMAP fork by nkhorman https://github.com/nkhorman/panda-imap/issues/1#issuecomment-294192075 jonabbey also passed away so Panda IMAP is also left without a maintainer.

There are a ton of different patches and forks by different distros/people/projects. To put it bluntly it is a complete mess and I believe it would benefit all if the efforts were consolidated.

Forks & patches:
https://repo.or.cz/alpine.git/history/HEAD:/imap
https://svnweb.freebsd.org/ports/head/mail/panda-imap/
https://svnweb.freebsd.org/ports/head/mail/panda-cclient/
https://svnweb.freebsd.org/ports/head/mail/imap-uw/files/
https://reviews.freebsd.org/D4108
https://github.com/openembedded/meta-openembedded/tree/master/meta-oe/recipes-devtools/uw-imap
https://github.com/slimlv/panda-imap/commits/master
https://github.com/nkhorman/panda-imap/commits/master
https://github.com/sequenced/panda-imap/commits/master
https://www.sequencedsystems.com/
https://sources.debian.org/patches/uw-imap/8:2007f~dfsg-5/
https://github.com/openwrt/packages/tree/master/libs/uw-imap/patches
https://gitweb.gentoo.org/repo/gentoo.git/tree/net-libs/c-client/files
https://src.fedoraproject.org/rpms/uw-imap/tree/master
http://mailman13.u.washington.edu/pipermail/imap-uw/


Some of the GitHub forks have TLSv1.2 and the Alpine fork (includes c-client) by Eduardo Chappa has TLSv1.3 support.


An alternative to "fixing" Panda IMAP would be to rewrite php-imap based upon another lib e.g. https://github.com/KDE/kimap2, https://github.com/MailCore/mailcore2 or https://github.com/dovecot/imaptest/tree/master/src
 [2018-11-06 02:26 UTC] spam2 at rhsoft dot net
well, on Fedora 28 a simple "apachectl graceful" with mod_php leads to an endless segfault loop of httpd-forkers if php-imap is just loaded - a terrible mess and no real replacement supporting IMAP *and* POP3 with the same API :-(
 [2019-05-08 22:05 UTC] kieran at miami-nice dot co dot uk
ext-imap is unmaintained: https://wiki.php.net/todo/extensions

c-client 2007f is the latest and as the link says it does seem some repositories are still maintaining it (EPEL) but whether they have TLS 1.2 support I don't know.

More tempted to just replace ext-imap with https://dev.horde.org/imap_client/
Last updated: Fri Nov 15 13:01:35 2019 UTC