SSLv3 used to send e-mail and PHP 7.3 EOL

Hello Developers @passbolt

I don’t want to sound rough, but some things are not right with your software at this stage.

I just bought a licence of passbolt and was very surprised to find that you have an outdated SMTP library embedded in the default install of your software.
I used the default image provided for VMWare and migrated it to Proxmox (qcow3), after other bugs restrained me from installing the soft properly on Debian.

You are using SSL V3 which has known flaws and which is normally rejected by our mail server.

May 31 12:05:01 dynmail postfix/submission/smtpd[25068]: SSL_accept error from unknown[192.168.99.247]: -1
May 31 12:05:01 dynmail postfix/submission/smtpd[25068]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 48:

I had to lower the authorised protocol to allow e-mail to be received by my mail server.

Furthermore Passbolt is based on PHP7.3 which is EOL and only accepts security upgrade.
https://endoflife.software/programming-languages/server-side-scripting/php

I am not certain that your product can be used in a serious production environment if there is no URGENT patching applied.

Can you please confirm your plan to solve these major issues.

Sincerely yours.
greg

1 Like

Hi @gregober,

Security is a very important part of what we do at passbolt. Passbolt has undergone several security audits, and another one for the server component is scheduled end of June.

Please note that spreading FUD (fear uncertainty and doubt), is not allowed on this forum. Of course you can raise your concerns, ask questions, but refrain from saying things “can [not] be used in a serious production environment” or “URGENT patching” in all caps. Please read our code of conduct: https://www.passbolt.com/code_of_conduct

Passbolt supports PHP7.3 because it is the default on Debian 10, which is officially supported by the debian security team. On Ubuntu 20 LTS the PHP version available is 7.4. Bottom line is you can run passbolt on the server of your choice with the PHP version that best meet your security requirements.

Additionally it is possible to use TLS when sending emails. You will need to set EMAIL_TRANSPORT_DEFAULT_TLS to true and set the port for example to EMAIL_TRANSPORT_DEFAULT_PORT to 587, if you use environment variables, or for example using the configuration in config/passbolt.php:

        'default' => [
            'host' => 'smtp.yourdomain.com',
            'port' => 587,
            'username' => 'test@passbolt.com',
            'password' => '',
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],

Ok - thanks for your reply, but I did get the fact that TLS could be set in the config file.

My config looks like that :

'EmailTransport' => [
    'default' => [
        'host' => 'my-domain.local',
        'port' => 587,
        'username' => 'firewall@xxx.com',
        'password' => 'our_passwd',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],

Nonetheless and afaict passbolt tries to connect using SSLv3:

May 31 13:28:01 dynmail postfix/submission/smtpd[26847]: connect from unknown[192.168.99.247]
May 31 13:28:01 dynmail postfix/submission/smtpd[26847]: SSL_accept error from unknown[192.168.99.247]: -1
May 31 13:28:01 dynmail postfix/submission/smtpd[26847]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:…/ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
May 31 13:28:01 dynmail postfix/submission/smtpd[26847]: lost connection after STARTTLS from unknown[192.168.99.247]
May 31 13:28:01 dynmail postfix/submission/smtpd[26847]: disconnect from unknown[192.168.99.247] ehlo=1 starttls=0/1 commands=1/2

It looks to me that it is connecting in TLS but that the CA is not accepted. Most likely you are using a self-signed certificate and that CA is not accepted by passbolt server.