Peer certificate not verified with IMAP-STARTTLS? #163

Open
ccpp opened this issue May 10, 2019 · 4 comments
ccpp commented May 10, 2019

Can you explain why you do not by default validate the IMAP peer certificate in STARTTLS mode?
To me this looks like a bad practice solution to SSL errors (as they are often found as "accepted answers" on Stack Overflow or similar).

$this->setFlag('novalidate-cert');

Owner

kartolo commented Jul 11, 2019

The Fetch library is coming from tedious/Fetch and is used as it is. See: https://github.com/tedious/Fetch/blob/master/src/Fetch/Server.php#L134

Do you see the necessity for the user to set the flag manually? See IMAP Flag.

Author

ccpp commented Jul 12, 2019

Hi,
thank you for the hint, I did not see you are using that library, see the upstream issue tedious/Fetch#218.

No, I do not see the necessity for setting it manually, but I'd go a step ahead and re-set the validate-cert flag without question.
Then, for the case that connection establishment fails due to certificate validation, direct_mail should recommend adding the peer (issuer) certificate for validation. That would be the way to solve these security issues without decreasing security.

@responseinformationsdesign
Contributor

I think there should be a possibility to set such flags (/ssl/novalidate-cert f. e.) in the planner task.

Author

ccpp commented May 16, 2020

@responseinformationsdesign that would be OK, but only when there is a note that this is highly insecure, and that there are better solutions to such issues, e.g. updating CA certificates on OS level. And, by default that flag should be off.
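
An added example, not part of the thread and not code from direct_mail or tedious/Fetch: a sketch of the behaviour the comments above ask for, with certificate validation on by default, `novalidate-cert` only as an explicit opt-in, and a hint to fix the trust store when validation fails. The function names, the host `mail.example.org` and the matching on the word "certificate" in the error text are assumptions; the mailbox flags and `imap_open()`/`imap_errors()` are PHP's IMAP extension.

```php
<?php
// Added example: helper names are hypothetical, not direct_mail or Fetch APIs.

/**
 * Build a c-client mailbox spec. Certificate validation stays enabled
 * unless the caller explicitly opts out.
 */
function buildMailboxSpec(string $host, int $port, string $mode = 'tls',
                          bool $allowUnverified = false, string $folder = 'INBOX'): string
{
    $flags = ['imap'];
    if ($mode === 'ssl') {
        $flags[] = 'ssl';   // implicit TLS
    } elseif ($mode === 'tls') {
        $flags[] = 'tls';   // require STARTTLS, reject servers without it
    } else {
        throw new InvalidArgumentException("Unsupported mode: $mode");
    }
    // Explicit in both cases so the effective policy is visible in logs.
    $flags[] = $allowUnverified ? 'novalidate-cert' : 'validate-cert';
    return sprintf('{%s:%d/%s}%s', $host, $port, implode('/', $flags), $folder);
}

/** Open the mailbox; on a certificate problem, point at the trust store. */
function openMailbox(string $spec, string $user, string $password)
{
    $stream = @imap_open($spec, $user, $password, 0, 1);
    if ($stream === false) {
        $errors = imap_errors() ?: [];
        foreach ($errors as $error) {
            // Assumption: certificate failures mention "certificate" in the message.
            if (stripos($error, 'certificate') !== false) {
                throw new RuntimeException(
                    "Certificate validation failed for $spec: $error. " .
                    'Add the issuing CA to the system trust store instead of disabling validation.'
                );
            }
        }
        throw new RuntimeException('IMAP connection failed: ' . implode('; ', $errors));
    }
    return $stream;
}

// Constructed sample values.
echo buildMailboxSpec('mail.example.org', 143), PHP_EOL;
echo buildMailboxSpec('mail.example.org', 143, 'tls', true), PHP_EOL;
```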
