Merge pull request #2782 from nextcloud/fix/tls-peer-verification

Add TLS host verification

.travis.yml

@@ -82,6 +82,9 @@ before_script:
   - php -f core/occ app:enable mail
   # Enable app twice to check occ errors of registered commands
   - php -f core/occ app:enable mail
+  # Turn off TLS verification here as the test server is not trusted
+  - php -f core/occ config:system:set app.mail.verify-tls-peer --type bool --value false
+
   - cd core/apps/mail
   - sh -c "if [ '$TEST_SUITE' = 'TEST-JS' ]; then npm install -g npm@latest; fi"
   - sh -c "if [ '$TEST_SUITE' = 'TEST-JS' ]; then make dev-setup; fi"

lib/Account.php

@@ -136,6 +136,12 @@ public function getImapConnection() {
 				'port' => $port,
 				'secure' => $ssl_mode,
 				'timeout' => (int) $this->config->getSystemValue('app.mail.imap.timeout', 20),
+				'context' => [
+					'ssl' => [
+						'verify_peer' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+						'verify_peer_name' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+					],
+				],
 			];
 			if ($this->config->getSystemValue('debug', false)) {
 				$params['debug'] = $this->config->getSystemValue('datadirectory') . '/horde_imap.log';

lib/IMAP/IMAPClientFactory.php

@@ -77,6 +77,12 @@ public function getClient(Account $account): Horde_Imap_Client_Socket {
 				'port' => $port,
 				'secure' => $sslMode,
 				'timeout' => (int)$this->config->getSystemValue('app.mail.imap.timeout', 5),
+				'context' => [
+					'ssl' => [
+						'verify_peer' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+						'verify_peer_name' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+					],
+				],
 			];
 			if ($this->cacheFactory->isAvailable()) {
 				$params['cache'] = [

lib/SMTP/SmtpClientFactory.php

@@ -76,7 +76,13 @@ public function create(Account $account): Horde_Mail_Transport {
 			'port' => $mailAccount->getOutboundPort(),
 			'username' => $mailAccount->getOutboundUser(),
 			'secure' => $security === 'none' ? false : $security,
-			'timeout' => (int)$this->config->getSystemValue('app.mail.smtp.timeout', 5)
+			'timeout' => (int)$this->config->getSystemValue('app.mail.smtp.timeout', 5),
+			'context' => [
+				'ssl' => [
+					'verify_peer' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+					'verify_peer_name' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+				],
+			],
 		];
 		if ($this->config->getSystemValue('debug', false)) {
 			$params['debug'] = $this->config->getSystemValue('datadirectory') . '/horde_smtp.log';

tests/Unit/SMTP/SmtpClientFactoryTest.php

@@ -83,18 +83,17 @@ public function testSmtpTransport() {
 			'smtpPassword' => 'obenc',
 		]);
 		$account = new Account($mailAccount);
-		$this->config->expects($this->at(0))
+		$this->config->expects($this->any())
 			->method('getSystemValue')
-			->with('app.mail.transport', 'smtp')
-			->willReturn('smtp');
-		$this->config->expects($this->at(2))
-			->method('getSystemValue')
-			->with('debug', false)
-			->willReturn(false);
-		$this->config->expects($this->at(1))
-			->method('getSystemValue')
-			->with('app.mail.smtp.timeout', 5)
-			->willReturn(2);
+			->willReturnMap([
+				['app.mail.transport', 'smtp', 'smtp'],
+				['debug', false, false],
+				['app.mail.smtp.timeout', 5, 2],
+			]);
+		$this->config->expects($this->any())
+			->method('getSystemValueBool')
+			->with('app.mail.verify-tls-peer', true)
+			->willReturn(true);
 		$this->crypto->expects($this->once())
 			->method('decrypt')
 			->with('obenc')
@@ -110,6 +109,12 @@ public function testSmtpTransport() {
 			'secure' => false,
 			'timeout' => 2,
 			'localhost' => 'cloud.example.com',
+			'context' => [
+				'ssl' => [
+					'verify_peer' => true,
+					'verify_peer_name' => true,
+				],
+			],
 		]);
 
 		$transport = $this->factory->create($account);