From 0cc7f6f1fdbfbda5d0c6583f384d6b87c5b4af1c Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Fri, 21 Feb 2020 17:53:48 +0100
Subject: [PATCH] Turn on TLS peer verification
Signed-off-by: Christoph Wurst
---
 .travis.yml | 3 +++
 lib/Account.php | 6 +++++
 lib/IMAP/IMAPClientFactory.php | 6 +++++
 lib/SMTP/SmtpClientFactory.php | 8 ++++++-
 tests/Unit/SMTP/SmtpClientFactoryTest.php | 27 ++++++++++++++---------
 5 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index c97749388e..c197bdb241 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -82,6 +82,9 @@ before_script:
 - php -f core/occ app:enable mail
 # Enable app twice to check occ errors of registered commands
 - php -f core/occ app:enable mail
+ # Turn off TLS verification here as the test server is not trusted
+ - php -f core/occ config:system:set app.mail.verify-tls-peer --type bool --value false
+
 - cd core/apps/mail
 - sh -c "if [ '$TEST_SUITE' = 'TEST-JS' ]; then npm install -g npm@latest; fi"
 - sh -c "if [ '$TEST_SUITE' = 'TEST-JS' ]; then make dev-setup; fi"
diff --git a/lib/Account.php b/lib/Account.php
index 8ae37a4e72..1cd4d198b4 100644
--- a/lib/Account.php
+++ b/lib/Account.php
@@ -136,6 +136,12 @@ public function getImapConnection() {
 'port' => $port,
 'secure' => $ssl_mode,
 'timeout' => (int) $this->config->getSystemValue('app.mail.imap.timeout', 20),
+ 'context' => [
+ 'ssl' => [
+ 'verify_peer' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+ 'verify_peer_name' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+ ],
+ ],
 ];
 if ($this->config->getSystemValue('debug', false)) {
 $params['debug'] = $this->config->getSystemValue('datadirectory') . '/horde_imap.log';
diff --git a/lib/IMAP/IMAPClientFactory.php b/lib/IMAP/IMAPClientFactory.php
index c7c142290e..e89266acab 100644
--- a/lib/IMAP/IMAPClientFactory.php
+++ b/lib/IMAP/IMAPClientFactory.php
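Review bot: The added `'context'` block reads `app.mail.verify-tls-peer` twice, once for `verify_peer` and once for `verify_peer_name`, and the identical six lines are repeated in the IMAPClientFactory.php and SmtpClientFactory.php hunks. Reading the key once above the array, `$verifyTlsPeer = $this->config->getSystemValueBool('app.mail.verify-tls-peer', true);`, and using `'verify_peer' => $verifyTlsPeer,` / `'verify_peer_name' => $verifyTlsPeer,` keeps the two options from ever diverging, and a small shared helper returning the `ssl` context array would remove the triplication. Because the key is a system-wide setting and no `cafile`/`capath` is given, a one-line comment at the block, `// instance-wide switch: false disables certificate and hostname verification for every account; trust comes from PHP's default CA store`, would save the next reader a lookup. getImapConnection() starts before this hunk.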
@@ -77,6 +77,12 @@ public function getClient(Account $account): Horde_Imap_Client_Socket {
 'port' => $port,
 'secure' => $sslMode,
 'timeout' => (int)$this->config->getSystemValue('app.mail.imap.timeout', 5),
+ 'context' => [
+ 'ssl' => [
+ 'verify_peer' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+ 'verify_peer_name' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+ ],
+ ],
 ];
 if ($this->cacheFactory->isAvailable()) {
 $params['cache'] = [
diff --git a/lib/SMTP/SmtpClientFactory.php b/lib/SMTP/SmtpClientFactory.php
index f59fafbfd0..169f713c36 100644
--- a/lib/SMTP/SmtpClientFactory.php
+++ b/lib/SMTP/SmtpClientFactory.php
@@ -76,7 +76,13 @@ public function create(Account $account): Horde_Mail_Transport {
 'port' => $mailAccount->getOutboundPort(),
 'username' => $mailAccount->getOutboundUser(),
 'secure' => $security === 'none' ? false : $security,
- 'timeout' => (int)$this->config->getSystemValue('app.mail.smtp.timeout', 5)
+ 'timeout' => (int)$this->config->getSystemValue('app.mail.smtp.timeout', 5),
+ 'context' => [
+ 'ssl' => [
+ 'verify_peer' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+ 'verify_peer_name' => $this->config->getSystemValueBool('app.mail.verify-tls-peer', true),
+ ],
+ ],
 ];
 if ($this->config->getSystemValue('debug', false)) {
 $params['debug'] = $this->config->getSystemValue('datadirectory') . '/horde_smtp.log';
diff --git a/tests/Unit/SMTP/SmtpClientFactoryTest.php b/tests/Unit/SMTP/SmtpClientFactoryTest.php
index 51da05a012..d0c14bb1f7 100644
--- a/tests/Unit/SMTP/SmtpClientFactoryTest.php
+++ b/tests/Unit/SMTP/SmtpClientFactoryTest.php
@@ -83,18 +83,17 @@ public function testSmtpTransport() {
 'smtpPassword' => 'obenc',
 ]);
 $account = new Account($mailAccount);
- $this->config->expects($this->at(0))
+ $this->config->expects($this->any())
 ->method('getSystemValue')
- ->with('app.mail.transport', 'smtp')
- ->willReturn('smtp');
- $this->config->expects($this->at(2))
- ->method('getSystemValue')
- ->with('debug', false)
- ->willReturn(false);
- $this->config->expects($this->at(1))
- ->method('getSystemValue')
- ->with('app.mail.smtp.timeout', 5)
- ->willReturn(2);
+ ->willReturnMap([
+ ['app.mail.transport', 'smtp', 'smtp'],
+ ['debug', false, false],
+ ['app.mail.smtp.timeout', 5, 2],
+ ]);
+ $this->config->expects($this->any())
+ ->method('getSystemValueBool')
+ ->with('app.mail.verify-tls-peer', true)
+ ->willReturn(true);
 $this->crypto->expects($this->once())
 ->method('decrypt')
 ->with('obenc')
@@ -110,6 +109,12 @@ public function testSmtpTransport() {
 'secure' => false,
 'timeout' => 2,
 'localhost' => 'cloud.example.com',
+ 'context' => [
+ 'ssl' => [
+ 'verify_peer' => true,
+ 'verify_peer_name' => true,
+ ],
+ ],
 ]);
 $transport = $this->factory->create($account);
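Review bot: The new `getSystemValueBool` stub only exercises the default `true` path, so the opt-out that the .travis.yml hunk depends on (the key set to false) has no test; a second case where the stub returns `false` and the expected params carry `'verify_peer' => false, 'verify_peer_name' => false,` would pin both branches. Replacing the `at()` expectations with `$this->any()` also drops every call-count check, so a regression that stops consulting the key would still pass — `$this->atLeastOnce()` on the `getSystemValueBool` expectation keeps a cheap guard (the factory reads it twice). No test in this commit covers the matching blocks added to Account.php and IMAPClientFactory.php. testSmtpTransport() begins before this hunk.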