nextcloud / user_external

👥 External user authentication methods like IMAP, SMB and FTP
https://apps.nextcloud.com/apps/user_external

IMAP Authentication using TLS on port 993 is broken #163

Closed standardrat closed 3 years ago

standardrat commented 3 years ago

Steps to reproduce

  1. Set up an IMAP server using TLS on port 993
  2. Set up config.php with IMAP support with TLS:
     ```php
     'user_backends' => array(
         array(
             'class' => 'OC_User_IMAP',
             'arguments' => array(
                 'imap.server.co', 993, 'tls', 'server.co', true, false
             ),
         ),
     ),
     ```
  3. Attempt to log in to Nextcloud

Expected behaviour

Login should complete successfully.

Actual behaviour

Login is timing out.

Affected Authentication backend

IMAP using TLS

Server configuration

version 20.0.2 Fresh install

Logs

Nextcloud log (data/nextcloud.log)

Nextcloud log:

```
ERROR: Could not connect to imap server via curl: Operation timed out
```

Found the problem and fix: https://github.com/nextcloud/user_external/blob/8a4e57bfcddeee51448edb5233d6d58cda7ca68c/lib/imap.php#L88. It only sets the protocol to imaps for ssl, not tls. Changing the line to the following fixes the issue:

```php
$protocol = ($this->sslmode === "ssl" || $this->sslmode === "tls") ? "imaps" : "imap";
```

Seems loosely related to #140

mmccarn commented 3 years ago

I can also log in with 'tls' enabled by changing the port from 993 to 143 - although in view of my next comment that may simply mean I'm logging in with no encryption at all...

The current code sets two options for curl when sslmode is 'tls':

```php
if ($this->sslmode === 'tls') {
    curl_setopt($ch, CURLOPT_USE_SSL, CURLUSESSL_ALL);
}
```

I cannot find either of these options in the PHP documentation for `curl_setopt`.

This (non php.net) webpage says that CURLOPT_USE_SSL was added in php7 v7.11: https://curl.se/libcurl/c/CURLOPT_USE_SSL.html (this doesn't do much for me on Ubuntu LTS 18.04.5 LTS running php 7.4...)

The 'debug' logging for user_external should generate a log entry showing the actual connection encryption that was applied...

standardrat commented 3 years ago

Finally got back to look into this more.

I verified in the IMAP server logs that when setting the SSL mode to 'ssl', it still uses TLS 1.3 over SSL. The 'tls' setting seems to only be for STARTTLS connections, which start out unencrypted, over port 143.

It seems I had opened this issue due to a misunderstanding, and am therefore closing it.
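The thread's conclusion is that 'ssl' means implicit TLS (imaps://, conventionally port 993) while 'tls' means STARTTLS (imap://, conventionally port 143, upgraded via CURLOPT_USE_SSL). As an added example that is not user_external's code, the following standalone PHP (ext-curl) helper maps the three modes that way and flags the mode/port mismatch reported in this issue; the function names `imapCurlOptions` and `imapLogin` are hypothetical, the curl constants are real.

```php
<?php
// Added example (not the user_external project's code): translate the
// configured sslmode into curl transport settings for an IMAP login check.
//   'ssl'  -> implicit TLS, imaps:// (conventionally port 993)
//   'tls'  -> STARTTLS, imap:// (conventionally port 143) + CURLUSESSL_ALL
//   'none' -> plaintext imap:// (only defensible on a trusted network)
function imapCurlOptions(string $host, int $port, string $sslmode, string $user, string $password): array
{
    if (!in_array($sslmode, ['ssl', 'tls', 'none'], true)) {
        throw new InvalidArgumentException("unknown sslmode '$sslmode'");
    }
    $scheme  = ($sslmode === 'ssl') ? 'imaps' : 'imap';
    $options = [
        CURLOPT_URL            => sprintf('%s://%s:%d/', $scheme, $host, $port),
        CURLOPT_USERPWD        => $user . ':' . $password,
        CURLOPT_CUSTOMREQUEST  => 'NOOP',  // cheapest command; we only need LOGIN to succeed
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSL_VERIFYPEER => true,    // never send credentials over an unverified TLS session
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
    if ($sslmode === 'tls') {
        // STARTTLS starts in plaintext; CURLUSESSL_ALL makes curl fail the
        // connection instead of sending LOGIN if the server offers no upgrade.
        $options[CURLOPT_USE_SSL] = CURLUSESSL_ALL;
    }
    // The symptom in this issue: 'tls' on 993 speaks plaintext IMAP to a port
    // expecting a TLS handshake first, and the connection times out.
    if (($sslmode === 'tls' && $port === 993) || ($sslmode === 'ssl' && $port === 143)) {
        trigger_error("sslmode '$sslmode' on port $port is unusual; expected 993 for 'ssl' or 143 for 'tls'", E_USER_WARNING);
    }
    return $options;
}

// Attempt the login and surface curl's own error text rather than a bare timeout.
function imapLogin(string $host, int $port, string $sslmode, string $user, string $password): bool
{
    $ch = curl_init();
    curl_setopt_array($ch, imapCurlOptions($host, $port, $sslmode, $user, $password));
    $ok = curl_exec($ch) !== false;
    if (!$ok) {
        error_log('IMAP login failed: ' . curl_error($ch));
    }
    curl_close($ch);
    return $ok;
}
```

Running `imapLogin('imap.example.test', 993, 'ssl', $user, $pass)` and the same call with 143 and 'tls' against your own server shows whether each mode actually negotiates TLS; the warning fires on the 993/'tls' combination that this issue describes.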