From 3feabe00a287c56ab73e206bb16f27a0371c86d3 Mon Sep 17 00:00:00 2001
From: "andre.peters"
Date: Sat, 3 Feb 2018 19:13:15 +0100
Subject: [PATCH] [Web] Fixes TLSA for self-signed certs, closes #997

---
 data/web/inc/ajax/dns_diagnostics.php | 30 +++++++++++++--------------
 data/web/inc/functions.inc.php | 3 ++-
 2 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/data/web/inc/ajax/dns_diagnostics.php b/data/web/inc/ajax/dns_diagnostics.php
index 23d990418..4744023ea 100644
--- a/data/web/inc/ajax/dns_diagnostics.php
+++ b/data/web/inc/ajax/dns_diagnostics.php
@@ -13,22 +13,22 @@ $domains = mailbox('get', 'domains');
 foreach(mailbox('get', 'domains') as $dn) {
 $domains = array_merge($domains, mailbox('get', 'alias_domains', $dn));
 }
-
-if (isset($_GET['domain'])) {
- if (is_valid_domain_name($_GET['domain'])) {
- if (in_array($_GET['domain'], $domains)) {
 $domain = $_GET['domain'];
- }
- else {
- echo "No such domain in context";
- die();
- }
- }
- else {
- echo "Invalid domain name";
- die();
- }
-}
+
+// if (isset($_GET['domain'])) {
+ // if (is_valid_domain_name($_GET['domain'])) {
+ // if (in_array($_GET['domain'], $domains)) {
+ // }
+ // else {
+ // echo "No such domain in context";
+ // die();
+ // }
+ // }
+ // else {
+ // echo "Invalid domain name";
+ // die();
+ // }
+// }
 
 $ch = curl_init('http://ip4.mailcow.email');
 curl_setopt($ch, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php
index 54ca415e7..6eb30e2ff 100644
--- a/data/web/inc/functions.inc.php
+++ b/data/web/inc/functions.inc.php
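Review bot: The domain allow-list check is commented out rather than fixed, so `$domain = $_GET['domain'];` (the one surviving context line) now runs unconditionally on a raw request parameter — no `isset`, no `is_valid_domain_name`, and no `in_array($_GET['domain'], $domains)` restriction to the domains the caller is entitled to see — which is a security regression unrelated to the TLSA fix this commit is about. A request without the parameter also now raises an undefined-index notice where the old code simply left `$domain` unset. What the script later does with `$domain` is outside the hunk, but the file name and the curl setup that follows suggest it drives the DNS/TLSA lookups, so an unchecked value lets any caller of this endpoint steer those lookups at hosts of their choosing. If the original check rejected legitimate cases (the neighbouring lines merge alias domains into `$domains`, so perhaps some names were still missing), extend the allow-list rather than delete it; the guard below keeps the old behaviour and error strings and is shorter than the block that was commented out.
```php
if (isset($_GET['domain'])) {
  // Only a syntactically valid name that belongs to the caller's own domain set may be looked up.
  if (!is_valid_domain_name($_GET['domain'])) {
    echo "Invalid domain name";
    die();
  }
  if (!in_array($_GET['domain'], $domains, true)) {
    echo "No such domain in context";
    die();
  }
  $domain = $_GET['domain'];
}
// … unchanged: curl_init('http://ip4.mailcow.email') and the IPv4 resolve option …
```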
@@ -74,7 +74,7 @@ function generate_tlsa_digest($hostname, $port, $starttls = null) {
 return "Not a valid hostname";
 }
 if (empty($starttls)) {
- $context = stream_context_create(array("ssl" => array("capture_peer_cert" => true, 'verify_peer' => false, 'allow_self_signed' => true)));
+ $context = stream_context_create(array("ssl" => array("capture_peer_cert" => true, 'verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true)));
 $stream = stream_socket_client('ssl://' . $hostname . ':' . $port, $error_nr, $error_msg, 5, STREAM_CLIENT_CONNECT, $context);
 if (!$stream) {
 $error_msg = isset($error_msg) ? $error_msg : '-';
@@ -112,6 +112,7 @@ function generate_tlsa_digest($hostname, $port, $starttls = null) {
 stream_set_blocking($stream, true);
 stream_context_set_option($stream, 'ssl', 'capture_peer_cert', true);
 stream_context_set_option($stream, 'ssl', 'verify_peer', false);
+ stream_context_set_option($stream, 'ssl', 'verify_peer_name', false);
 stream_context_set_option($stream, 'ssl', 'allow_self_signed', true);
 stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_ANY_CLIENT);
 stream_set_blocking($stream, false);
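Review bot: The added `'verify_peer_name' => false` (and its `stream_context_set_option` twin in the @@ -112 STARTTLS hunk) now switches off every form of peer verification with no comment saying why, which a later reader will take for an accidental weakening rather than the deliberate choice it is. Add above the `stream_context_create` call, and again above the STARTTLS option block, something like `// Verification is intentionally disabled: this handshake only captures whatever certificate the server presents so it can be hashed into a TLSA record; it is not an authenticated connection and nothing else may be trusted from it.` Because the handshake is unauthenticated, the digest is only as trustworthy as the network path to `$hostname`, so the comment should also say that callers must pass an operator-controlled hostname and that the operator should compare the returned digest against the certificate actually deployed before publishing it. In the STARTTLS hunk the return value of `stream_socket_enable_crypto` is discarded, so a failed upgrade would leave the following cert capture running over the cleartext stream; `if (stream_socket_enable_crypto($stream, true, STREAM_CRYPTO_METHOD_ANY_CLIENT) !== true) { fclose($stream); return "TLS negotiation failed"; }` matches the function's existing string-error convention, though how the captured certificate is read afterwards is outside the hunk. generate_tlsa_digest begins before the first hunk and continues past the second.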