Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 2.0.0

Bug #21117 Mitigate STRIPTLS Attack Vector
Submitted: 2016-09-15 00:42 UTC
From: noyb Assigned:
Status: Open Package: Mail (version 1.3.0)
PHP Version: 5.6.25 OS: FreeBSD 11.0-RC2
Roadmaps: (Not assigned)    
Subscription  


Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know! Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem : 40 - 9 = ?

 
 [2016-09-15 00:42 UTC] noyb (Noyb Noyb)
Description: ------------ Please add option to specify that TLS is required so that if the server does not support STARTTLS mail client will not continue with an unsecure connection. Opportunistic TLS aka STARTTLS Weaknesses and Mitigations https://en.wikipedia.org/wiki/Opportunistic_TLS#Weaknesses_and_mitigations "STRIPTLS attacks can be blocked by configuring SMTP clients to require TLS for outgoing connections (for example, the Exim Message transfer agent can require TLS via the directive "hosts_require_tls" [12])." I've done this crudely with a few modifications to the Mail_smtp and Net_smtp classes. But I'm sure someone who knows PEAR::Mail inside and out can do it much better. Basically what I did was to add a 'require_tls' var to the Mail_smtp and Net_smtp classes. And defaulted it to true. Then added a test for 'require_tls' in the auth function. /* Or if TLS is required and aren't already connected over a secure * (SSL) socket connection. */ if (($tls && version_compare(PHP_VERSION, '5.1.0', '>=') && extension_loaded('openssl') && isset($this->esmtp['STARTTLS']) && strncasecmp($this->host, 'ssl://', 6) !== 0 ) || $this->require_tls && strncasecmp($this->host, 'ssl://', 6) !== 0 ) { /* Start the TLS connection attempt. */ Thanks

Comments

 [2016-09-15 06:29 UTC] noyb (Noyb Noyb)
 [2017-02-09 04:06 UTC] noyb (Noyb Noyb)
-Type: Feature/Change Request +Type: Bug
 [2017-04-11 17:02 UTC] ashnazg (Chuck Burgess)
-Type: Bug +Type: Feature/Change Request
 [2017-05-09 18:59 UTC] noyb (Noyb Noyb)
-Type: Feature/Change Request +Type: Bug
Vulnerability to STRIP TLS Attack is a security bug. Not a feature/change request.