From 32f3ddca7061c7584508dd09e4b1226b8aae1aca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rub=C3=A9n=20Calvo?= Date: Thu, 30 Mar 2017 08:33:04 +0200 Subject: [PATCH] [ticket/15150] Add Jabber SSL context configuration options PHPBB3-15150 --- phpBB/adm/style/acp_jabber.html | 15 ++++++++ phpBB/includes/acp/acp_jabber.php | 25 ++++++++---- phpBB/includes/functions_jabber.php | 33 +++++++++++++--- phpBB/includes/functions_messenger.php | 4 +- phpBB/language/en/acp/board.php | 38 +++++++++++-------- .../add_jabber_ssl_context_config_options.php | 32 ++++++++++++++++ 6 files changed, 116 insertions(+), 31 deletions(-) create mode 100644 phpBB/phpbb/db/migration/data/v31x/add_jabber_ssl_context_config_options.php diff --git a/phpBB/adm/style/acp_jabber.html b/phpBB/adm/style/acp_jabber.html index 3c3b895624..8e3412c94a 100644 --- a/phpBB/adm/style/acp_jabber.html +++ b/phpBB/adm/style/acp_jabber.html @@ -47,6 +47,21 @@
+
+

{L_JAB_VERIFY_PEER_EXPLAIN}
+
+
+
+
+

{L_JAB_VERIFY_PEER_NAME_EXPLAIN}
+
+
+
+
+

{L_JAB_ALLOW_SELF_SIGNED_EXPLAIN}
+
+
+

{L_JAB_PACKAGE_SIZE_EXPLAIN}
diff --git a/phpBB/includes/acp/acp_jabber.php b/phpBB/includes/acp/acp_jabber.php index a482b41e1d..3b958c0ea1 100644 --- a/phpBB/includes/acp/acp_jabber.php +++ b/phpBB/includes/acp/acp_jabber.php @@ -50,13 +50,16 @@ class acp_jabber $this->tpl_name = 'acp_jabber'; $this->page_title = 'ACP_JABBER_SETTINGS'; - $jab_enable = request_var('jab_enable', (bool) $config['jab_enable']); - $jab_host = request_var('jab_host', (string) $config['jab_host']); - $jab_port = request_var('jab_port', (int) $config['jab_port']); - $jab_username = request_var('jab_username', (string) $config['jab_username']); - $jab_password = request_var('jab_password', (string) $config['jab_password']); - $jab_package_size = request_var('jab_package_size', (int) $config['jab_package_size']); - $jab_use_ssl = request_var('jab_use_ssl', (bool) $config['jab_use_ssl']); + $jab_enable = request_var('jab_enable', (bool) $config['jab_enable']); + $jab_host = request_var('jab_host', (string) $config['jab_host']); + $jab_port = request_var('jab_port', (int) $config['jab_port']); + $jab_username = request_var('jab_username', (string) $config['jab_username']); + $jab_password = request_var('jab_password', (string) $config['jab_password']); + $jab_package_size = request_var('jab_package_size', (int) $config['jab_package_size']); + $jab_use_ssl = request_var('jab_use_ssl', (bool) $config['jab_use_ssl']); + $jab_verify_peer = request_var('jab_verify_peer', (bool) $config['jab_verify_peer']); + $jab_verify_peer_name = request_var('jab_verify_peer_name', (bool) $config['jab_verify_peer_name']); + $jab_allow_self_signed = request_var('jab_allow_self_signed', (bool) $config['jab_allow_self_signed']); $form_name = 'acp_jabber'; add_form_key($form_name); @@ -76,7 +79,7 @@ class acp_jabber // Is this feature enabled? Then try to establish a connection if ($jab_enable) { - $jabber = new jabber($jab_host, $jab_port, $jab_username, $jab_password, $jab_use_ssl); + $jabber = new jabber($jab_host, $jab_port, $jab_username, $jab_password, $jab_use_ssl, $jab_verify_peer, $jab_verify_peer_name, $jab_allow_self_signed); if (!$jabber->connect()) { @@ -116,6 +119,9 @@ class acp_jabber } set_config('jab_package_size', $jab_package_size); set_config('jab_use_ssl', $jab_use_ssl); + set_config('jab_verify_peer', $jab_verify_peer); + set_config('jab_verify_peer_name', $jab_verify_peer_name); + set_config('jab_allow_self_signed', $jab_allow_self_signed); add_log('admin', 'LOG_' . $log); trigger_error($message . adm_back_link($this->u_action)); @@ -131,6 +137,9 @@ class acp_jabber 'JAB_PASSWORD' => $jab_password !== '' ? '********' : '', 'JAB_PACKAGE_SIZE' => $jab_package_size, 'JAB_USE_SSL' => $jab_use_ssl, + 'JAB_VERIFY_PEER' => $jab_verify_peer, + 'JAB_VERIFY_PEER_NAME' => $jab_verify_peer_name, + 'JAB_ALLOW_SELF_SIGNED' => $jab_allow_self_signed, 'S_CAN_USE_SSL' => jabber::can_use_ssl(), 'S_GTALK_NOTE' => (!@function_exists('dns_get_record')) ? true : false, )); diff --git a/phpBB/includes/functions_jabber.php b/phpBB/includes/functions_jabber.php index bd2e9e93ac..a4fbc90d57 100644 --- a/phpBB/includes/functions_jabber.php +++ b/phpBB/includes/functions_jabber.php @@ -41,6 +41,9 @@ class jabber var $username; var $password; var $use_ssl; + var $verify_peer; + var $verify_peer_name; + var $allow_self_signed; var $resource = 'functions_jabber.phpbb.php'; var $enable_logging; @@ -50,7 +53,7 @@ class jabber /** */ - function jabber($server, $port, $username, $password, $use_ssl = false) + function jabber($server, $port, $username, $password, $use_ssl = false, $verify_peer = true, $verify_peer_name = true, $allow_self_signed = false) { $this->connect_server = ($server) ? $server : 'localhost'; $this->port = ($port) ? $port : 5222; @@ -71,6 +74,9 @@ class jabber $this->password = $password; $this->use_ssl = ($use_ssl && self::can_use_ssl()) ? true : false; + $this->verify_peer = $verify_peer; + $this->verify_peer_name = $verify_peer_name; + $this->allow_self_signed = $allow_self_signed; // Change port if we use SSL if ($this->port == 5222 && $this->use_ssl) @@ -139,7 +145,7 @@ class jabber $this->session['ssl'] = $this->use_ssl; - if ($this->open_socket($this->connect_server, $this->port, $this->use_ssl)) + if ($this->open_socket($this->connect_server, $this->port, $this->use_ssl, $this->verify_peer, $this->verify_peer_name, $this->allow_self_signed)) { $this->send("\n"); $this->send("\n"); @@ -227,10 +233,13 @@ class jabber * @param string $server host to connect to * @param int $port port number * @param bool $use_ssl use ssl or not + * @param bool $verify_peer verify ssl certificate + * @param bool $verify_peer_name verify peer name + * @param bool $allow_self_signed allow self-signed ssl certificates * @access public * @return bool */ - function open_socket($server, $port, $use_ssl = false) + function open_socket($server, $port, $use_ssl = false, $verify_peer = true, $verify_peer_name = true, $allow_self_signed = false) { if (@function_exists('dns_get_record')) { @@ -241,9 +250,23 @@ class jabber } } - $server = $use_ssl ? 'ssl://' . $server : $server; + $options = array(); - if ($this->connection = @fsockopen($server, $port, $errorno, $errorstr, $this->timeout)) + if ($use_ssl) + { + $remote_socket = 'ssl://' . $server . ':' . $port; + + // Set ssl context options, see http://php.net/manual/en/context.ssl.php + $options['ssl'] = array('verify_peer' => $verify_peer, 'verify_peer_name' => $verify_peer_name, 'allow_self_signed' => $allow_self_signed); + } + else + { + $remote_socket = $server . ':' . $port; + } + + $socket_context = stream_context_create($options); + + if ($this->connection = stream_socket_client($remote_socket, $errorno, $errorstr, $this->timeout, STREAM_CLIENT_CONNECT, $socket_context)) { socket_set_blocking($this->connection, 0); socket_set_timeout($this->connection, 60); diff --git a/phpBB/includes/functions_messenger.php b/phpBB/includes/functions_messenger.php index a6e4cb0679..799b687493 100644 --- a/phpBB/includes/functions_messenger.php +++ b/phpBB/includes/functions_messenger.php @@ -625,7 +625,7 @@ class messenger if (!$use_queue) { include_once($phpbb_root_path . 'includes/functions_jabber.' . $phpEx); - $this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password']), $config['jab_use_ssl']); + $this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password']), $config['jab_use_ssl'], $config['jab_verify_peer'], $config['jab_verify_peer_name'], $config['jab_allow_self_signed']); if (!$this->jabber->connect()) { @@ -800,7 +800,7 @@ class queue } include_once($phpbb_root_path . 'includes/functions_jabber.' . $phpEx); - $this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password']), $config['jab_use_ssl']); + $this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password']), $config['jab_use_ssl'], $config['jab_verify_peer'], $config['jab_verify_peer_name'], $config['jab_allow_self_signed']); if (!$this->jabber->connect()) { diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php index 8b5e113b16..0cf0371889 100644 --- a/phpBB/language/en/acp/board.php +++ b/phpBB/language/en/acp/board.php @@ -589,20 +589,26 @@ $lang = array_merge($lang, array( $lang = array_merge($lang, array( 'ACP_JABBER_SETTINGS_EXPLAIN' => 'Here you can enable and control the use of Jabber for instant messaging and board notifications. Jabber is an open source protocol and therefore available for use by anyone. Some Jabber servers include gateways or transports which allow you to contact users on other networks. Not all servers offer all transports and changes in protocols can prevent transports from operating. Please be sure to enter already registered account details - phpBB will use the details you enter here as is.', - 'JAB_ENABLE' => 'Enable Jabber', - 'JAB_ENABLE_EXPLAIN' => 'Enables use of Jabber messaging and notifications.', - 'JAB_GTALK_NOTE' => 'Please note that GTalk will not work because the dns_get_record function could not be found. This function is not available in PHP4, and is not implemented on Windows platforms. It currently does not work on BSD-based systems, including Mac OS.', - 'JAB_PACKAGE_SIZE' => 'Jabber package size', - 'JAB_PACKAGE_SIZE_EXPLAIN' => 'This is the number of messages sent in one package. If set to 0 the message is sent immediately and will not be queued for later sending.', - 'JAB_PASSWORD' => 'Jabber password', - 'JAB_PASSWORD_EXPLAIN' => 'Warning: This password will be stored as plain text in the database, visible to everybody who can access your database or who can view this configuration page.', - 'JAB_PORT' => 'Jabber port', - 'JAB_PORT_EXPLAIN' => 'Leave blank unless you know it is not port 5222.', - 'JAB_SERVER' => 'Jabber server', - 'JAB_SERVER_EXPLAIN' => 'See %sjabber.org%s for a list of servers.', - 'JAB_SETTINGS_CHANGED' => 'Jabber settings changed successfully.', - 'JAB_USE_SSL' => 'Use SSL to connect', - 'JAB_USE_SSL_EXPLAIN' => 'If enabled a secure connection is tried to be established. The Jabber port will be modified to 5223 if port 5222 is specified.', - 'JAB_USERNAME' => 'Jabber username or JID', - 'JAB_USERNAME_EXPLAIN' => 'Specify a registered username or a valid JID. The username will not be checked for validity. If you only specify a username, then your JID will be the username and the server you specified above. Else, specify a valid JID, for example user@jabber.org.', + 'JAB_ALLOW_SELF_SIGNED' => 'Allow self-signed SSL certificates', + 'JAB_ALLOW_SELF_SIGNED_EXPLAIN' => 'Allow connections to Jabber server with self-signed SSL certificate.Warning: Allowing self-signed SSL certificates may cause security implications.', + 'JAB_ENABLE' => 'Enable Jabber', + 'JAB_ENABLE_EXPLAIN' => 'Enables use of Jabber messaging and notifications.', + 'JAB_GTALK_NOTE' => 'Please note that GTalk will not work because the dns_get_record function could not be found. This function is not available in PHP4, and is not implemented on Windows platforms. It currently does not work on BSD-based systems, including Mac OS.', + 'JAB_PACKAGE_SIZE' => 'Jabber package size', + 'JAB_PACKAGE_SIZE_EXPLAIN' => 'This is the number of messages sent in one package. If set to 0 the message is sent immediately and will not be queued for later sending.', + 'JAB_PASSWORD' => 'Jabber password', + 'JAB_PASSWORD_EXPLAIN' => 'Warning: This password will be stored as plain text in the database, visible to everybody who can access your database or who can view this configuration page.', + 'JAB_PORT' => 'Jabber port', + 'JAB_PORT_EXPLAIN' => 'Leave blank unless you know it is not port 5222.', + 'JAB_SERVER' => 'Jabber server', + 'JAB_SERVER_EXPLAIN' => 'See %sjabber.org%s for a list of servers.', + 'JAB_SETTINGS_CHANGED' => 'Jabber settings changed successfully.', + 'JAB_USE_SSL' => 'Use SSL to connect', + 'JAB_USE_SSL_EXPLAIN' => 'If enabled a secure connection is tried to be established. The Jabber port will be modified to 5223 if port 5222 is specified.', + 'JAB_USERNAME' => 'Jabber username or JID', + 'JAB_USERNAME_EXPLAIN' => 'Specify a registered username or a valid JID. The username will not be checked for validity. If you only specify a username, then your JID will be the username and the server you specified above. Else, specify a valid JID, for example user@jabber.org.', + 'JAB_VERIFY_PEER' => 'Verify SSL certificate', + 'JAB_VERIFY_PEER_EXPLAIN' => 'Require verification of SSL certificate used by Jabber server.Warning: Connecting peers with unverified SSL certificates may cause security implications.', + 'JAB_VERIFY_PEER_NAME' => 'Verify Jabber peer name', + 'JAB_VERIFY_PEER_NAME_EXPLAIN' => 'Require verification of peer name for Jabber servers using SSL / TLS connections.Warning: Connecting to unverified peers may cause security implications.', )); diff --git a/phpBB/phpbb/db/migration/data/v31x/add_jabber_ssl_context_config_options.php b/phpBB/phpbb/db/migration/data/v31x/add_jabber_ssl_context_config_options.php new file mode 100644 index 0000000000..9f416fe069 --- /dev/null +++ b/phpBB/phpbb/db/migration/data/v31x/add_jabber_ssl_context_config_options.php @@ -0,0 +1,32 @@ + +* @license GNU General Public License, version 2 (GPL-2.0) +* +* For full copyright and license information, please see +* the docs/CREDITS.txt file. +* +*/ + +namespace phpbb\db\migration\data\v31x; + +class add_jabber_ssl_context_config_options extends \phpbb\db\migration\migration +{ + static public function depends_on() + { + return array('\phpbb\db\migration\data\v31x\v3110'); + } + + public function update_data() + { + return array( + // See http://php.net/manual/en/context.ssl.php + array('config.add', array('jab_verify_peer', 1)), + array('config.add', array('jab_verify_peer_name', 1)), + array('config.add', array('jab_allow_self_signed', 0)), + ); + } +}