Closed basbebe closed 8 years ago
I would say it is a PHP behaviour.
Remember that when using 143 and STARTTLS you are connecting with a plain channel and upgrading after that.
Let's say that IMAP supports TLSv1, TLSv1.1 and TLSv1.2.
When using STARTTLS your client uses the first protocol matching those offered by your server (IMAP client: I'll use the first).
When using SSL your client negotiates the strongest protocol matching those offered by your server (IMAP client: I'll use your strongest; TLSv1.2).
So, I would recommend always to use SSL, and use STARTTLS if SSL is not possible. But both are ok, if your IMAP/SMTP server has disabled SSLv2 and SSLv3.
But this:
openssl s_client -starttls imap -connect 10.0.0.3:143
gives me this:
Protocol : TLSv1.2
Cipher : DHE-RSA-CAMELLIA256-SHA256
Which is what I would want. The same is shown when I connect to SMTP with STARTTLS.
But Z-Push / PHP chooses something else for whatever reason.
Maybe this could be set in Z-Push in the future?
STREAM_CRYPTO_METHOD_TLS_CLIENT
http://docs.php.net/manual/en/migration56.openssl.php#migration56.openssl.crypto-method
Try putting "tls://" before your hostname in IMAP_SERVER; that should force PHP lib to choose TLS.
I know that TLS is already in use – it's just weird that STARTTLS on port 143 and regular TLS on port 993 use different TLS versions. They shouldn't. This applies to SMTP as well. I don't know if this is a behavior of Z-Push or PHP, though.
If you, like me, stumble upon this issue during your search: the problem is related to the underlying lib (uw-imap/libc-client). Read more about it at https://bugs.php.net/bug.php?id=76928
When I use port 993 and SSL in my IMAP settings, TLSv1.2 is being used. When I use port 143 and STARTTLS, TLSv1 and a weaker cipher is being used. I don't know if this is a Z-Push or a PHP behavior.
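An added example, not part of the thread or of Z-Push: it parses the `Protocol` and `Cipher` lines that `openssl s_client` prints, as quoted above, and compares the STARTTLS path (143) with implicit TLS (993). The function names are hypothetical and the TLSv1 sample is constructed. If both paths match for `openssl` but the PHP client still ends up on TLSv1, the server is ruled out and the difference lies in the client library.

```shell
#!/bin/sh
# Added example (not from the thread): compare what `openssl s_client`
# negotiates over STARTTLS (143) and over implicit TLS (993).

# Read s_client output on stdin; print "<protocol> <cipher>" from the
# "Protocol :" and "Cipher :" session lines. Fails if either is missing.
tls_summary() {
  awk -F: '
    /^[ \t]*Protocol[ \t]*:/ { gsub(/[ \t\r]/, "", $2); p = $2 }
    /^[ \t]*Cipher[ \t]*:/   { gsub(/[ \t\r]/, "", $2); c = $2 }
    END { if (p == "" || c == "") exit 1; print p, c }'
}

# Map a protocol name to an ordinal so versions can be compared.
proto_rank() {
  case "$1" in
    SSLv2) echo 0 ;; SSLv3) echo 1 ;; TLSv1) echo 2 ;;
    TLSv1.1) echo 3 ;; TLSv1.2) echo 4 ;; TLSv1.3) echo 5 ;;
    *) echo -1 ;;
  esac
}

# $1 = STARTTLS summary, $2 = implicit-TLS summary.
# Returns 0 when both paths negotiated the same protocol version, 1 otherwise.
compare_paths() {
  cp_s=${1%% *}; cp_i=${2%% *}
  cp_sr=$(proto_rank "$cp_s"); cp_ir=$(proto_rank "$cp_i")
  if [ "$cp_sr" -eq "$cp_ir" ]; then echo "match: $cp_s"; return 0; fi
  if [ "$cp_sr" -lt "$cp_ir" ]; then
    echo "STARTTLS weaker: $cp_s vs $cp_i"
  else
    echo "implicit TLS weaker: $cp_i vs $cp_s"
  fi
  return 1
}

# Live check against a host you administer (needs network access).
probe() {
  pr_s=$(openssl s_client -starttls imap -connect "$1:143" </dev/null 2>/dev/null | tls_summary)
  pr_i=$(openssl s_client -connect "$1:993" </dev/null 2>/dev/null | tls_summary)
  compare_paths "$pr_s" "$pr_i"
}

# Constructed sample outputs (the TLSv1 cipher name is an assumed example).
SAMPLE_993='    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-CAMELLIA256-SHA256'
SAMPLE_143='    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA'
compare_paths "$(printf '%s\n' "$SAMPLE_143" | tls_summary)" \
              "$(printf '%s\n' "$SAMPLE_993" | tls_summary)" || true
```

Run `probe <host>` for the live comparison; it only measures what the `openssl` client negotiates, not what libc-client does.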