From ac87784a113035416e137ffb588d18a5da7650ac Mon Sep 17 00:00:00 2001
From: rxu <rxu@mail.ru>
Date: Fri, 17 Mar 2017 01:21:57 +0700
Subject: [PATCH 1/3] [ticket/13558] Add smtp SSL context configuration options

PHPBB3-13558
---
 phpBB/includes/acp/acp_board.php              |  3 ++
 phpBB/includes/functions_messenger.php        | 11 +++++++
 phpBB/language/en/acp/board.php               |  8 +++++
 .../add_smtp_ssl_context_config_options.php   | 32 +++++++++++++++++++
 4 files changed, 54 insertions(+)
 create mode 100644 phpBB/phpbb/db/migration/data/v31x/add_smtp_ssl_context_config_options.php

diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php
index c8f6f426c6..b31799ef07 100644
--- a/phpBB/includes/acp/acp_board.php
+++ b/phpBB/includes/acp/acp_board.php
@@ -454,6 +454,9 @@ class acp_board
 						'smtp_auth_method'		=> array('lang' => 'SMTP_AUTH_METHOD',		'validate' => 'string',	'type' => 'select', 'method' => 'mail_auth_select', 'explain' => true),
 						'smtp_username'			=> array('lang' => 'SMTP_USERNAME',			'validate' => 'string',	'type' => 'text:25:255', 'explain' => true),
 						'smtp_password'			=> array('lang' => 'SMTP_PASSWORD',			'validate' => 'string',	'type' => 'password:25:255', 'explain' => true),
+						'ssl_verify_peer'		=> array('lang' => 'SSL_VERIFY_PEER',		'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
+						'ssl_verify_peer_name'	=> array('lang' => 'SSL_VERIFY_PEER_NAME',	'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
+						'ssl_allow_self_signed'	=> array('lang' => 'SSL_ALLOW_SELF_SIGNED',	'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
 
 						'legend3'					=> 'ACP_SUBMIT_CHANGES',
 					)
diff --git a/phpBB/includes/functions_messenger.php b/phpBB/includes/functions_messenger.php
index f141637fb9..8f9163f85f 100644
--- a/phpBB/includes/functions_messenger.php
+++ b/phpBB/includes/functions_messenger.php
@@ -1467,6 +1467,17 @@ class smtp_class
 
 		if (socket_set_blocking($this->socket, 1))
 		{
+			global $config;
+
+			$options = array();
+			$verify_peer = (bool) $config['ssl_verify_peer'];
+			$verify_peer_name = (bool) $config['ssl_verify_peer_name'];
+			$allow_self_signed = (bool) $config['ssl_allow_self_signed'];
+
+			// Set ssl context options, see http://php.net/manual/en/context.ssl.php
+			$options['ssl'] = array('verify_peer' => $verify_peer, 'verify_peer_name' => $verify_peer_name, 'allow_self_signed' => $allow_self_signed);
+			stream_context_set_option($this->socket, $options);
+
 			$result = stream_socket_enable_crypto($this->socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
 			socket_set_blocking($this->socket, (int) $stream_meta['blocked']);
 		}
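Review bot: The `(bool) $config[...]` casts for `ssl_verify_peer` and `ssl_verify_peer_name` fail open. If a key is absent or empty (for example before this series' migration has run, and assuming `$config` returns an empty value for unknown keys, which is not visible here), both flags become `false` and the STARTTLS upgrade runs with no certificate checks. Defaulting the two flags to on when the key is missing keeps the secure behaviour, e.g. `$verify_peer = !isset($config['ssl_verify_peer']) || (bool) $config['ssl_verify_peer'];`, and likewise for `ssl_verify_peer_name`; `allow_self_signed` already falls to the safe side. The return value of `stream_context_set_option()` is also ignored, so a failure to apply the options goes unnoticed. The same casts reappear in the `smtpmail()` hunks of patches 2 and 3, and the enclosing method starts and ends outside this hunk.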
diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php
index 8b4db6a061..3c9a1cc050 100644
--- a/phpBB/language/en/acp/board.php
+++ b/phpBB/language/en/acp/board.php
@@ -574,6 +574,14 @@ $lang = array_merge($lang, array(
 	'SMTP_SETTINGS'					=> 'SMTP settings',
 	'SMTP_USERNAME'					=> 'SMTP username',
 	'SMTP_USERNAME_EXPLAIN'			=> 'Only enter a username if your SMTP server requires it.',
+
+	'SSL_ALLOW_SELF_SIGNED'			=> 'Allow self-signed certificates',
+	'SSL_ALLOW_SELF_SIGNED_EXPLAIN'	=> 'Allow self-signed certificates for SSL / TLS connections.',
+	'SSL_VERIFY_PEER'				=> 'Verify peer',
+	'SSL_VERIFY_PEER_EXPLAIN'		=> 'Require verification of SSL certificate used.',
+	'SSL_VERIFY_PEER_NAME'			=> 'Verify peer name',
+	'SSL_VERIFY_PEER_NAME_EXPLAIN'	=> 'Require verification of peer name for SSL / TLS connections.',
+
 	'USE_SMTP'						=> 'Use SMTP server for email',
 	'USE_SMTP_EXPLAIN'				=> 'Select “Yes” if you want or have to send email via a named server instead of the local mail function.',
 ));
diff --git a/phpBB/phpbb/db/migration/data/v31x/add_smtp_ssl_context_config_options.php b/phpBB/phpbb/db/migration/data/v31x/add_smtp_ssl_context_config_options.php
new file mode 100644
index 0000000000..9ba91ed754
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/add_smtp_ssl_context_config_options.php
@@ -0,0 +1,32 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class add_smtp_ssl_context_config_options extends \phpbb\db\migration\migration
+{
+	static public function depends_on()
+	{
+		return array('\phpbb\db\migration\data\v31x\v3110');
+	}
+
+	public function update_data()
+	{
+		return array(
+			// See http://php.net/manual/en/context.ssl.php
+			array('config.add', array('ssl_verify_peer', 1)),
+			array('config.add', array('ssl_verify_peer_name', 1)),
+			array('config.add', array('ssl_allow_self_signed', 0)),
+		);
+	}
+}
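Review bot: The only comment in `update_data()` is a link to the PHP manual, while the security-relevant part, the chosen defaults, is left unexplained. Verification is seeded on and self-signed certificates off, and a later "fix mail delivery" edit could flip those values without anyone noticing the downgrade. I would state the intent above the three entries, e.g. `// Secure defaults: verify the certificate chain and the host name, reject self-signed certificates`.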

From 2cc9b6a857869a2ece283fc31d35729e13bd0f7f Mon Sep 17 00:00:00 2001
From: rxu <rxu@mail.ru>
Date: Sat, 18 Mar 2017 01:11:32 +0700
Subject: [PATCH 2/3] [ticket/13558] Make SSL context specific options more
 SMTP general

PHPBB3-13558
---
 phpBB/includes/functions_messenger.php | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/phpBB/includes/functions_messenger.php b/phpBB/includes/functions_messenger.php
index 8f9163f85f..23a81ae3e8 100644
--- a/phpBB/includes/functions_messenger.php
+++ b/phpBB/includes/functions_messenger.php
@@ -1046,7 +1046,18 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $headers = false)
 	}
 	$collector = new \phpbb\error_collector;
 	$collector->install();
-	$smtp->socket = fsockopen($config['smtp_host'], $config['smtp_port'], $errno, $errstr, 20);
+
+	$options = array();
+	$verify_peer = (bool) $config['ssl_verify_peer'];
+	$verify_peer_name = (bool) $config['ssl_verify_peer_name'];
+	$allow_self_signed = (bool) $config['ssl_allow_self_signed'];
+	$remote_socket = $config['smtp_host'] . ':' . $config['smtp_port'];
+
+	// Set ssl context options, see http://php.net/manual/en/context.ssl.php
+	$options['ssl'] = array('verify_peer' => $verify_peer, 'verify_peer_name' => $verify_peer_name, 'allow_self_signed' => $allow_self_signed);
+	$socket_context = stream_context_create($options);
+
+	$smtp->socket = stream_socket_client($remote_socket, $errno, $errstr, 20, STREAM_CLIENT_CONNECT, $socket_context);
 	$collector->uninstall();
 	$error_contents = $collector->format_errors();
 
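Review bot: The `$options['ssl']` array sets no `cafile` or `capath`, so with `verify_peer` on the check depends entirely on the trust store PHP/OpenSSL finds on the host. Where none is configured the TLS handshake will fail, and the only remedy these settings offer is to switch verification off. At minimum the comment should say where the CA bundle comes from, e.g. `// CA bundle is taken from openssl.cafile / openssl.capath or the OpenSSL default; verify_peer fails without one`. It is also worth noting there that `allow_self_signed` only has an effect while `verify_peer` is enabled. `smtpmail()` starts and ends outside this hunk, so how the connection error is reported to the admin is not visible here.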
@@ -1467,17 +1478,6 @@ class smtp_class
 
 		if (socket_set_blocking($this->socket, 1))
 		{
-			global $config;
-
-			$options = array();
-			$verify_peer = (bool) $config['ssl_verify_peer'];
-			$verify_peer_name = (bool) $config['ssl_verify_peer_name'];
-			$allow_self_signed = (bool) $config['ssl_allow_self_signed'];
-
-			// Set ssl context options, see http://php.net/manual/en/context.ssl.php
-			$options['ssl'] = array('verify_peer' => $verify_peer, 'verify_peer_name' => $verify_peer_name, 'allow_self_signed' => $allow_self_signed);
-			stream_context_set_option($this->socket, $options);
-
 			$result = stream_socket_enable_crypto($this->socket, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
 			socket_set_blocking($this->socket, (int) $stream_meta['blocked']);
 		}

From 22b86324260dffe4907aac8e6cc9bb848568bcb9 Mon Sep 17 00:00:00 2001
From: rxu <rxu@mail.ru>
Date: Sun, 19 Mar 2017 14:32:53 +0700
Subject: [PATCH 3/3] [ticket/13558] Change options prefix and add settings
 precautions.

PHPBB3-13558
---
 phpBB/includes/acp/acp_board.php                    |  6 +++---
 phpBB/includes/functions_messenger.php              |  6 +++---
 phpBB/language/en/acp/board.php                     | 13 ++++++-------
 .../v31x/add_smtp_ssl_context_config_options.php    |  6 +++---
 4 files changed, 15 insertions(+), 16 deletions(-)

diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php
index b31799ef07..d9e30320af 100644
--- a/phpBB/includes/acp/acp_board.php
+++ b/phpBB/includes/acp/acp_board.php
@@ -454,9 +454,9 @@ class acp_board
 						'smtp_auth_method'		=> array('lang' => 'SMTP_AUTH_METHOD',		'validate' => 'string',	'type' => 'select', 'method' => 'mail_auth_select', 'explain' => true),
 						'smtp_username'			=> array('lang' => 'SMTP_USERNAME',			'validate' => 'string',	'type' => 'text:25:255', 'explain' => true),
 						'smtp_password'			=> array('lang' => 'SMTP_PASSWORD',			'validate' => 'string',	'type' => 'password:25:255', 'explain' => true),
-						'ssl_verify_peer'		=> array('lang' => 'SSL_VERIFY_PEER',		'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
-						'ssl_verify_peer_name'	=> array('lang' => 'SSL_VERIFY_PEER_NAME',	'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
-						'ssl_allow_self_signed'	=> array('lang' => 'SSL_ALLOW_SELF_SIGNED',	'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
+						'smtp_verify_peer'		=> array('lang' => 'SMTP_VERIFY_PEER',		'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
+						'smtp_verify_peer_name'	=> array('lang' => 'SMTP_VERIFY_PEER_NAME',	'validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
+						'smtp_allow_self_signed'=> array('lang' => 'SMTP_ALLOW_SELF_SIGNED','validate' => 'bool',	'type' => 'radio:yes_no', 'explain' => true),
 
 						'legend3'					=> 'ACP_SUBMIT_CHANGES',
 					)
diff --git a/phpBB/includes/functions_messenger.php b/phpBB/includes/functions_messenger.php
index 23a81ae3e8..a6e4cb0679 100644
--- a/phpBB/includes/functions_messenger.php
+++ b/phpBB/includes/functions_messenger.php
@@ -1048,9 +1048,9 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $headers = false)
 	$collector->install();
 
 	$options = array();
-	$verify_peer = (bool) $config['ssl_verify_peer'];
-	$verify_peer_name = (bool) $config['ssl_verify_peer_name'];
-	$allow_self_signed = (bool) $config['ssl_allow_self_signed'];
+	$verify_peer = (bool) $config['smtp_verify_peer'];
+	$verify_peer_name = (bool) $config['smtp_verify_peer_name'];
+	$allow_self_signed = (bool) $config['smtp_allow_self_signed'];
 	$remote_socket = $config['smtp_host'] . ':' . $config['smtp_port'];
 
 	// Set ssl context options, see http://php.net/manual/en/context.ssl.php
diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php
index 3c9a1cc050..8b5e113b16 100644
--- a/phpBB/language/en/acp/board.php
+++ b/phpBB/language/en/acp/board.php
@@ -558,6 +558,8 @@ $lang = array_merge($lang, array(
 	'EMAIL_SIG_EXPLAIN'				=> 'This text will be attached to all emails the board sends.',
 	'ENABLE_EMAIL'					=> 'Enable board-wide emails',
 	'ENABLE_EMAIL_EXPLAIN'			=> 'If this is set to disabled no emails will be sent by the board at all. <em>Note the user and admin account activation settings require this setting to be enabled. If currently using “user” or “admin” activation in the activation settings, disabling this setting will disable registration.</em>',
+	'SMTP_ALLOW_SELF_SIGNED'		=> 'Allow self-signed SSL certificates',
+	'SMTP_ALLOW_SELF_SIGNED_EXPLAIN'=> 'Allow connections to SMTP server with self-signed SSL certificate.<em><strong>Warning:</strong> Allowing self-signed SSL certificates may cause security implications.</em>',
 	'SMTP_AUTH_METHOD'				=> 'Authentication method for SMTP',
 	'SMTP_AUTH_METHOD_EXPLAIN'		=> 'Only used if a username/password is set, ask your provider if you are unsure which method to use.',
 	'SMTP_CRAM_MD5'					=> 'CRAM-MD5',
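Review bot: `SMTP_ALLOW_SELF_SIGNED_EXPLAIN` runs the sentence straight into the warning markup (`certificate.<em><strong>Warning:`). The existing `ENABLE_EMAIL_EXPLAIN` string leaves a space before `<em>`, so this should read `certificate. <em><strong>Warning:</strong> …`. The same missing space is in `SMTP_VERIFY_PEER_EXPLAIN` and `SMTP_VERIFY_PEER_NAME_EXPLAIN` in the next hunk of this file. The warning text "may cause security implications" also does not tell an administrator what is at stake. One plain sentence would help them decide, for instance that without verification the board cannot confirm it is talking to the intended mail server, so SMTP credentials and outgoing mail could be exposed to an intermediary.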
@@ -574,13 +576,10 @@ $lang = array_merge($lang, array(
 	'SMTP_SETTINGS'					=> 'SMTP settings',
 	'SMTP_USERNAME'					=> 'SMTP username',
 	'SMTP_USERNAME_EXPLAIN'			=> 'Only enter a username if your SMTP server requires it.',
-
-	'SSL_ALLOW_SELF_SIGNED'			=> 'Allow self-signed certificates',
-	'SSL_ALLOW_SELF_SIGNED_EXPLAIN'	=> 'Allow self-signed certificates for SSL / TLS connections.',
-	'SSL_VERIFY_PEER'				=> 'Verify peer',
-	'SSL_VERIFY_PEER_EXPLAIN'		=> 'Require verification of SSL certificate used.',
-	'SSL_VERIFY_PEER_NAME'			=> 'Verify peer name',
-	'SSL_VERIFY_PEER_NAME_EXPLAIN'	=> 'Require verification of peer name for SSL / TLS connections.',
+	'SMTP_VERIFY_PEER'				=> 'Verify SSL certificate',
+	'SMTP_VERIFY_PEER_EXPLAIN'		=> 'Require verification of SSL certificate used by SMTP server.<em><strong>Warning:</strong> Connecting peers with unverified SSL certificates may cause security implications.</em>',
+	'SMTP_VERIFY_PEER_NAME'			=> 'Verify SMTP peer name',
+	'SMTP_VERIFY_PEER_NAME_EXPLAIN'	=> 'Require verification of peer name for SMTP servers using SSL / TLS connections.<em><strong>Warning:</strong> Connecting to unverified peers may cause security implications.</em>',
 
 	'USE_SMTP'						=> 'Use SMTP server for email',
 	'USE_SMTP_EXPLAIN'				=> 'Select “Yes” if you want or have to send email via a named server instead of the local mail function.',
diff --git a/phpBB/phpbb/db/migration/data/v31x/add_smtp_ssl_context_config_options.php b/phpBB/phpbb/db/migration/data/v31x/add_smtp_ssl_context_config_options.php
index 9ba91ed754..92051dc3ca 100644
--- a/phpBB/phpbb/db/migration/data/v31x/add_smtp_ssl_context_config_options.php
+++ b/phpBB/phpbb/db/migration/data/v31x/add_smtp_ssl_context_config_options.php
@@ -24,9 +24,9 @@ class add_smtp_ssl_context_config_options extends \phpbb\db\migration\migration
 	{
 		return array(
 			// See http://php.net/manual/en/context.ssl.php
-			array('config.add', array('ssl_verify_peer', 1)),
-			array('config.add', array('ssl_verify_peer_name', 1)),
-			array('config.add', array('ssl_allow_self_signed', 0)),
+			array('config.add', array('smtp_verify_peer', 1)),
+			array('config.add', array('smtp_verify_peer_name', 1)),
+			array('config.add', array('smtp_allow_self_signed', 0)),
 		);
 	}
 }