|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #78156 /tls and /ssl clarity
Submitted: 2019-06-13 12:46 UTC Modified: -
From: kieran at miami-nice dot co dot uk Assigned:
Status: Open Package: IMAP related
PHP Version: 7.3.6 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
45 - 13 = ?
Subscribe to this entry?

 [2019-06-13 12:46 UTC] kieran at miami-nice dot co dot uk
This relates to

I'm repurposing that issue as a documentation issue for a couple of reasons:

1. ext-imap is listed as unmaintained ( and I assume that's why no one has officially replied

2. The documentation for both /tls and /ssl options does not mirror how libc-client actually works

3. I don't believe it's actually a bug (see below)

Skip to the end if you want to see what I propose as changes...


For background, the below references libc-client source code which is available at the mirror site:

So let’s look at how imap_open uses the /ssl and /tls options. There’s other code that sets some flags based on these options but ultimately we end up here:


if (!(stream->context = SSL_CTX_new (start_tls ?
                                       TLSv1_server_method () :
                                       SSLv23_server_method ())))

Associated function definitions:

The /tls option sets start_tls and hence uses TLSv1 (1.0). This is hardcoded and not possible to change.

The /ssl option uses SSLv23 which is flexible and supports the highest protocol version available. The following context options are set:

SSL_CTX_set_options (stream->context,SSL_OP_ALL);
/* set cipher list */
if (!SSL_CTX_set_cipher_list (stream->context,SSLCIPHERLIST))
      syslog (LOG_ALERT,"Unable to set cipher list %.80s, host=%.80s",
              SSLCIPHERLIST,tcp_clienthost ());

SSL_OP_ALL is a list of bug workarounds for maximum compatibility:

SSLCIPHERLIST is set to allow anything except eNULL and LOW:


In the previous issue issue aurelien dot grimal at tech-tips dot fr commented:

> The problem is only concerning IMAP with StartTLS (port 143) and
> not direct SSL on IMAPS (port 993). So IMAP with StartTLS can't
> use further than TLS1.0, and IMAP on SSL can use TLS1.2.

I've verified that the /tls option on a secure/non-secure port uses TLSv1 while /ssl on secure port uses TLS 1.2


With all this in mind, I propose the following changes:

/tls option:
 * should strictly only be used in combination with insecure ports (STARTTLS will upgrade the connection). If you’re using on a secure port then /ssl is the better option
 * Should advise against use as it will ALWAYS use TLSv1

/ssl option:
 * should be used on implicit secure ports (e.g. 993/995)
* should be clear that the highest available protocol version will be used (SSL or TLS). Note: this could mean an insecure protocol is used e.g. when using outdated openssl


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Feb 26 10:01:28 2021 UTC