-rw-r--r--phpBB/adm/style/acp_jabber.html15
-rw-r--r--phpBB/includes/acp/acp_jabber.php25
-rw-r--r--phpBB/includes/functions_jabber.php53
-rw-r--r--phpBB/includes/functions_messenger.php6
-rw-r--r--phpBB/language/en/acp/board.php38
-rw-r--r--phpBB/phpbb/db/migration/data/v31x/add_jabber_ssl_context_config_options.php32
6 files changed, 132 insertions, 37 deletions
diff --git a/phpBB/adm/style/acp_jabber.html b/phpBB/adm/style/acp_jabber.html
index 3c3b895624..e76c9a0323 100644
--- a/phpBB/adm/style/acp_jabber.html
+++ b/phpBB/adm/style/acp_jabber.html
@@ -47,6 +47,21 @@
<dd><label><input type="radio" class="radio" id="jab_use_ssl" name="jab_use_ssl" value="1"<!-- IF JAB_USE_SSL --> checked="checked"<!-- ENDIF --> /> {L_YES}</label>
<label><input type="radio" class="radio" name="jab_use_ssl" value="0"<!-- IF not JAB_USE_SSL --> checked="checked"<!-- ENDIF --> /> {L_NO}</label></dd>
</dl>
+<dl>
+ <dt><label for="jab_verify_peer">{L_JAB_VERIFY_PEER}{L_COLON}</label><br /><span>{L_JAB_VERIFY_PEER_EXPLAIN}</span></dt>
+ <dd><label><input type="radio" class="radio" id="jab_verify_peer" name="jab_verify_peer" value="1"<!-- IF JAB_VERIFY_PEER --> checked="checked"<!-- ENDIF --> /> {L_YES}</label>
+ <label><input type="radio" class="radio" name="jab_verify_peer" value="0"<!-- IF not JAB_VERIFY_PEER --> checked="checked"<!-- ENDIF --> /> {L_NO}</label></dd>
+</dl>
+<dl>
+ <dt><label for="jab_verify_peer_name">{L_JAB_VERIFY_PEER_NAME}{L_COLON}</label><br /><span>{L_JAB_VERIFY_PEER_NAME_EXPLAIN}</span></dt>
+ <dd><label><input type="radio" class="radio" id="jab_verify_peer_name" name="jab_verify_peer_name" value="1"<!-- IF JAB_VERIFY_PEER_NAME --> checked="checked"<!-- ENDIF --> /> {L_YES}</label>
+ <label><input type="radio" class="radio" name="jab_verify_peer_name" value="0"<!-- IF not JAB_VERIFY_PEER_NAME --> checked="checked"<!-- ENDIF --> /> {L_NO}</label></dd>
+</dl>
+<dl>
+ <dt><label for="jab_allow_self_signed">{L_JAB_ALLOW_SELF_SIGNED}{L_COLON}</label><br /><span>{L_JAB_ALLOW_SELF_SIGNED_EXPLAIN}</span></dt>
+ <dd><label><input type="radio" class="radio" id="jab_allow_self_signed" name="jab_allow_self_signed" value="1"<!-- IF JAB_ALLOW_SELF_SIGNED --> checked="checked"<!-- ENDIF --> /> {L_YES}</label>
+ <label><input type="radio" class="radio" name="jab_allow_self_signed" value="0"<!-- IF not JAB_ALLOW_SELF_SIGNED --> checked="checked"<!-- ENDIF --> /> {L_NO}</label></dd>
+</dl>
<!-- ENDIF -->
<dl>
<dt><label for="jab_package_size">{L_JAB_PACKAGE_SIZE}{L_COLON}</label><br /><span>{L_JAB_PACKAGE_SIZE_EXPLAIN}</span></dt>
diff --git a/phpBB/includes/acp/acp_jabber.php b/phpBB/includes/acp/acp_jabber.php
index 5dec6bb7d4..07f5dadbff 100644
--- a/phpBB/includes/acp/acp_jabber.php
+++ b/phpBB/includes/acp/acp_jabber.php
@@ -49,13 +49,16 @@ class acp_jabber
$this->tpl_name = 'acp_jabber';
$this->page_title = 'ACP_JABBER_SETTINGS';
- $jab_enable = $request->variable('jab_enable', (bool) $config['jab_enable']);
- $jab_host = $request->variable('jab_host', (string) $config['jab_host']);
- $jab_port = $request->variable('jab_port', (int) $config['jab_port']);
- $jab_username = $request->variable('jab_username', (string) $config['jab_username']);
- $jab_password = $request->variable('jab_password', (string) $config['jab_password']);
- $jab_package_size = $request->variable('jab_package_size', (int) $config['jab_package_size']);
- $jab_use_ssl = $request->variable('jab_use_ssl', (bool) $config['jab_use_ssl']);
+ $jab_enable = $request->variable('jab_enable', (bool) $config['jab_enable']);
+ $jab_host = $request->variable('jab_host', (string) $config['jab_host']);
+ $jab_port = $request->variable('jab_port', (int) $config['jab_port']);
+ $jab_username = $request->variable('jab_username', (string) $config['jab_username']);
+ $jab_password = $request->variable('jab_password', (string) $config['jab_password']);
+ $jab_package_size = $request->variable('jab_package_size', (int) $config['jab_package_size']);
+ $jab_use_ssl = $request->variable('jab_use_ssl', (bool) $config['jab_use_ssl']);
+ $jab_verify_peer = $request->variable('jab_verify_peer', (bool) $config['jab_verify_peer']);
+ $jab_verify_peer_name = $request->variable('jab_verify_peer_name', (bool) $config['jab_verify_peer_name']);
+ $jab_allow_self_signed = $request->variable('jab_allow_self_signed', (bool) $config['jab_allow_self_signed']);
$form_name = 'acp_jabber';
add_form_key($form_name);
@@ -73,7 +76,7 @@ class acp_jabber
// Is this feature enabled? Then try to establish a connection
if ($jab_enable)
{
- $jabber = new jabber($jab_host, $jab_port, $jab_username, $jab_password, $jab_use_ssl);
+ $jabber = new jabber($jab_host, $jab_port, $jab_username, $jab_password, $jab_use_ssl, $jab_verify_peer, $jab_verify_peer_name, $jab_allow_self_signed);
if (!$jabber->connect())
{
@@ -113,6 +116,9 @@ class acp_jabber
}
$config->set('jab_package_size', $jab_package_size);
$config->set('jab_use_ssl', $jab_use_ssl);
+ $config->set('jab_verify_peer', $jab_verify_peer);
+ $config->set('jab_verify_peer_name', $jab_verify_peer_name);
+ $config->set('jab_allow_self_signed', $jab_allow_self_signed);
$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_' . $log);
trigger_error($message . adm_back_link($this->u_action));
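Review bot: The three new values are saved next to `jab_use_ssl`, but the only audit trail in this hunk is the generic `$phpbb_log->add('admin', $user->data['user_id'], $user->ip, 'LOG_' . $log);`, which does not appear to record which setting changed. Turning off `jab_verify_peer` or `jab_verify_peer_name`, or turning on `jab_allow_self_signed`, weakens the transport security of every outgoing notification, so a reviewer of the admin log would want to see it. Consider comparing the submitted values with the stored `$config[...]` values before the `set()` calls and writing a dedicated log entry when one is weakened, with a comment such as `// Certificate verification was relaxed: record it separately in the admin log`. The enclosing method starts and ends outside this hunk, so `$log` may already carry more detail than is visible here.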
@@ -128,6 +134,9 @@ class acp_jabber
'JAB_PASSWORD' => $jab_password !== '' ? '********' : '',
'JAB_PACKAGE_SIZE' => $jab_package_size,
'JAB_USE_SSL' => $jab_use_ssl,
+ 'JAB_VERIFY_PEER' => $jab_verify_peer,
+ 'JAB_VERIFY_PEER_NAME' => $jab_verify_peer_name,
+ 'JAB_ALLOW_SELF_SIGNED' => $jab_allow_self_signed,
'S_CAN_USE_SSL' => jabber::can_use_ssl(),
'S_GTALK_NOTE' => (!@function_exists('dns_get_record')) ? true : false,
));
diff --git a/phpBB/includes/functions_jabber.php b/phpBB/includes/functions_jabber.php
index a38888a861..cfe8c2a90e 100644
--- a/phpBB/includes/functions_jabber.php
+++ b/phpBB/includes/functions_jabber.php
@@ -41,6 +41,9 @@ class jabber
var $username;
var $password;
var $use_ssl;
+ var $verify_peer;
+ var $verify_peer_name;
+ var $allow_self_signed;
var $resource = 'functions_jabber.phpbb.php';
var $enable_logging;
@@ -49,8 +52,18 @@ class jabber
var $features = array();
/**
+ * Constructor
+ *
+ * @param string $server Jabber server
+ * @param int $port Jabber server port
+ * @param string $username Jabber username or JID
+ * @param string $password Jabber password
+ * @param boold $use_ssl Use ssl
+ * @param bool $verify_peer Verify SSL certificate
+ * @param bool $verify_peer_name Verify Jabber peer name
+ * @param bool $allow_self_signed Allow self signed certificates
*/
- function jabber($server, $port, $username, $password, $use_ssl = false)
+ function __construct($server, $port, $username, $password, $use_ssl = false, $verify_peer = true, $verify_peer_name = true, $allow_self_signed = false)
{
$this->connect_server = ($server) ? $server : 'localhost';
$this->port = ($port) ? $port : 5222;
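Review bot: The new constructor docblock misspells the type of `$use_ssl`: `@param boold $use_ssl Use ssl` should read `@param bool $use_ssl Use ssl`. The docblock would also be more useful if it stated the defaults of the three new parameters, for example `@param bool $verify_peer Verify SSL certificate (default: true)`, because verification is on and self-signed certificates are rejected when a caller omits them. The constructor body continues outside this hunk.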
@@ -71,6 +84,9 @@ class jabber
$this->password = $password;
$this->use_ssl = ($use_ssl && self::can_use_ssl()) ? true : false;
+ $this->verify_peer = $verify_peer;
+ $this->verify_peer_name = $verify_peer_name;
+ $this->allow_self_signed = $allow_self_signed;
// Change port if we use SSL
if ($this->port == 5222 && $this->use_ssl)
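Review bot: The three new properties are stored as passed, while `use_ssl` on the line above is forced to a strict boolean. The call sites in functions_messenger.php (the `messenger` and `queue` hunks) pass `$config['jab_verify_peer']` and its siblings straight through; these are presumably stored as strings such as '0' and '1', so the SSL context would receive strings where booleans are documented. Casting at assignment, `$this->verify_peer = (bool) $verify_peer;` and likewise for `verify_peer_name` and `allow_self_signed`, keeps the security-relevant options unambiguous whatever the caller supplies. The constructor starts and continues outside this hunk.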
@@ -95,7 +111,7 @@ class jabber
*/
static public function can_use_tls()
{
- if (!@extension_loaded('openssl') || !function_exists('stream_socket_enable_crypto') || !function_exists('stream_get_meta_data') || !function_exists('socket_set_blocking') || !function_exists('stream_get_wrappers'))
+ if (!@extension_loaded('openssl') || !function_exists('stream_socket_enable_crypto') || !function_exists('stream_get_meta_data') || !function_exists('stream_set_blocking') || !function_exists('stream_get_wrappers'))
{
return false;
}
@@ -138,7 +154,7 @@ class jabber
$this->session['ssl'] = $this->use_ssl;
- if ($this->open_socket($this->connect_server, $this->port, $this->use_ssl))
+ if ($this->open_socket($this->connect_server, $this->port, $this->use_ssl, $this->verify_peer, $this->verify_peer_name, $this->allow_self_signed))
{
$this->send("<?xml version='1.0' encoding='UTF-8' ?" . ">\n");
$this->send("<stream:stream to='{$this->server}' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>\n");
@@ -226,10 +242,13 @@ class jabber
* @param string $server host to connect to
* @param int $port port number
* @param bool $use_ssl use ssl or not
+ * @param bool $verify_peer verify ssl certificate
+ * @param bool $verify_peer_name verify peer name
+ * @param bool $allow_self_signed allow self-signed ssl certificates
* @access public
* @return bool
*/
- function open_socket($server, $port, $use_ssl = false)
+ function open_socket($server, $port, $use_ssl, $verify_peer, $verify_peer_name, $allow_self_signed)
{
if (@function_exists('dns_get_record'))
{
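Review bot: The new signature drops the default on `$use_ssl` and makes all six parameters required, although the docblock still marks the method `@access public`. Any caller outside this commit that still uses `open_socket($server, $port)` or the three-argument form would now fail. Keeping secure defaults preserves compatibility and matches the constructor: `function open_socket($server, $port, $use_ssl = false, $verify_peer = true, $verify_peer_name = true, $allow_self_signed = false)`. The function body continues outside this hunk.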
@@ -240,12 +259,26 @@ class jabber
}
}
- $server = $use_ssl ? 'ssl://' . $server : $server;
+ $options = array();
- if ($this->connection = @fsockopen($server, $port, $errorno, $errorstr, $this->timeout))
+ if ($use_ssl)
{
- socket_set_blocking($this->connection, 0);
- socket_set_timeout($this->connection, 60);
+ $remote_socket = 'ssl://' . $server . ':' . $port;
+
+ // Set ssl context options, see http://php.net/manual/en/context.ssl.php
+ $options['ssl'] = array('verify_peer' => $verify_peer, 'verify_peer_name' => $verify_peer_name, 'allow_self_signed' => $allow_self_signed);
+ }
+ else
+ {
+ $remote_socket = $server . ':' . $port;
+ }
+
+ $socket_context = stream_context_create($options);
+
+ if ($this->connection = @stream_socket_client($remote_socket, $errorno, $errorstr, $this->timeout, STREAM_CLIENT_CONNECT, $socket_context))
+ {
+ stream_set_blocking($this->connection, 0);
+ stream_set_timeout($this->connection, 60);
return true;
}
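Review bot: The verification options only reach the stream context inside `if ($use_ssl)`, so a connection opened in plain text and later upgraded by `stream_socket_enable_crypto()` (the 'proceed' case further down this file) runs with an empty context. That path then depends on the PHP version's defaults instead of the administrator's settings. Setting `$options['ssl'] = array('verify_peer' => $verify_peer, 'verify_peer_name' => $verify_peer_name, 'allow_self_signed' => $allow_self_signed);` before the `if ($use_ssl)` would make both paths honour the configuration. Separately, the `@` on `stream_socket_client()` and the apparently unused `$errorno`/`$errorstr` make a certificate verification failure look like any other connect error; passing `$errorstr` to the existing logging would make misconfiguration diagnosable. open_socket starts outside this hunk, and the code after the `if` is not visible.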
@@ -562,7 +595,7 @@ class jabber
case 'proceed':
// continue switching to TLS
$meta = stream_get_meta_data($this->connection);
- socket_set_blocking($this->connection, 1);
+ stream_set_blocking($this->connection, 1);
if (!stream_socket_enable_crypto($this->connection, true, STREAM_CRYPTO_METHOD_TLS_CLIENT))
{
@@ -570,7 +603,7 @@ class jabber
return false;
}
- socket_set_blocking($this->connection, $meta['blocked']);
+ stream_set_blocking($this->connection, $meta['blocked']);
$this->session['tls'] = true;
// new stream
diff --git a/phpBB/includes/functions_messenger.php b/phpBB/includes/functions_messenger.php
index 802246c1c5..d2cbbb17f1 100644
--- a/phpBB/includes/functions_messenger.php
+++ b/phpBB/includes/functions_messenger.php
@@ -618,7 +618,7 @@ class messenger
if (!$use_queue)
{
include_once($phpbb_root_path . 'includes/functions_jabber.' . $phpEx);
- $this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password']), $config['jab_use_ssl']);
+ $this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password']), $config['jab_use_ssl'], $config['jab_verify_peer'], $config['jab_verify_peer_name'], $config['jab_allow_self_signed']);
if (!$this->jabber->connect())
{
@@ -818,7 +818,7 @@ class queue
}
include_once($phpbb_root_path . 'includes/functions_jabber.' . $phpEx);
- $this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password']), $config['jab_use_ssl']);
+ $this->jabber = new jabber($config['jab_host'], $config['jab_port'], $config['jab_username'], htmlspecialchars_decode($config['jab_password']), $config['jab_use_ssl'], $config['jab_verify_peer'], $config['jab_verify_peer_name'], $config['jab_allow_self_signed']);
if (!$this->jabber->connect())
{
@@ -1089,7 +1089,7 @@ function smtpmail($addresses, $subject, $message, &$err_msg, $headers = false)
$options['ssl'] = array('verify_peer' => $verify_peer, 'verify_peer_name' => $verify_peer_name, 'allow_self_signed' => $allow_self_signed);
$socket_context = stream_context_create($options);
- $smtp->socket = stream_socket_client($remote_socket, $errno, $errstr, 20, STREAM_CLIENT_CONNECT, $socket_context);
+ $smtp->socket = @stream_socket_client($remote_socket, $errno, $errstr, 20, STREAM_CLIENT_CONNECT, $socket_context);
$collector->uninstall();
$error_contents = $collector->format_errors();
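Review bot: Adding `@` in front of `stream_socket_client()` may starve the error collector that is uninstalled on the next line. Error handlers commonly skip errors raised under the suppression operator, in which case `$collector->format_errors()` would return nothing and a TLS verification failure would be reported without its reason. The collector's implementation is not visible here, so this needs checking. If it does honour suppression, either keep the call unsuppressed and rely on the collector, or fold `$errstr` into the error message explicitly. smtpmail starts and ends outside this hunk.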
diff --git a/phpBB/language/en/acp/board.php b/phpBB/language/en/acp/board.php
index 4b9a50c05e..4db8a02405 100644
--- a/phpBB/language/en/acp/board.php
+++ b/phpBB/language/en/acp/board.php
@@ -602,20 +602,26 @@ $lang = array_merge($lang, array(
$lang = array_merge($lang, array(
'ACP_JABBER_SETTINGS_EXPLAIN' => 'Here you can enable and control the use of Jabber for instant messaging and board notifications. Jabber is an open source protocol and therefore available for use by anyone. Some Jabber servers include gateways or transports which allow you to contact users on other networks. Not all servers offer all transports and changes in protocols can prevent transports from operating. Please be sure to enter already registered account details - phpBB will use the details you enter here as is.',
- 'JAB_ENABLE' => 'Enable Jabber',
- 'JAB_ENABLE_EXPLAIN' => 'Enables use of Jabber messaging and notifications.',
- 'JAB_GTALK_NOTE' => 'Please note that GTalk will not work because the <samp>dns_get_record</samp> function could not be found. This function is not available in PHP4, and is not implemented on Windows platforms. It currently does not work on BSD-based systems, including Mac OS.',
- 'JAB_PACKAGE_SIZE' => 'Jabber package size',
- 'JAB_PACKAGE_SIZE_EXPLAIN' => 'This is the number of messages sent in one package. If set to 0 the message is sent immediately and will not be queued for later sending.',
- 'JAB_PASSWORD' => 'Jabber password',
- 'JAB_PASSWORD_EXPLAIN' => '<em><strong>Warning:</strong> This password will be stored as plain text in the database, visible to everybody who can access your database or who can view this configuration page.</em>',
- 'JAB_PORT' => 'Jabber port',
- 'JAB_PORT_EXPLAIN' => 'Leave blank unless you know it is not port 5222.',
- 'JAB_SERVER' => 'Jabber server',
- 'JAB_SERVER_EXPLAIN' => 'See %sjabber.org%s for a list of servers.',
- 'JAB_SETTINGS_CHANGED' => 'Jabber settings changed successfully.',
- 'JAB_USE_SSL' => 'Use SSL to connect',
- 'JAB_USE_SSL_EXPLAIN' => 'If enabled a secure connection is tried to be established. The Jabber port will be modified to 5223 if port 5222 is specified.',
- 'JAB_USERNAME' => 'Jabber username or JID',
- 'JAB_USERNAME_EXPLAIN' => 'Specify a registered username or a valid JID. The username will not be checked for validity. If you only specify a username, then your JID will be the username and the server you specified above. Else, specify a valid JID, for example user@jabber.org.',
+ 'JAB_ALLOW_SELF_SIGNED' => 'Allow self-signed SSL certificates',
+ 'JAB_ALLOW_SELF_SIGNED_EXPLAIN' => 'Allow connections to Jabber server with self-signed SSL certificate.<em><strong>Warning:</strong> Allowing self-signed SSL certificates may cause security implications.</em>',
+ 'JAB_ENABLE' => 'Enable Jabber',
+ 'JAB_ENABLE_EXPLAIN' => 'Enables use of Jabber messaging and notifications.',
+ 'JAB_GTALK_NOTE' => 'Please note that GTalk will not work because the <samp>dns_get_record</samp> function could not be found. This function is not available in PHP4, and is not implemented on Windows platforms. It currently does not work on BSD-based systems, including Mac OS.',
+ 'JAB_PACKAGE_SIZE' => 'Jabber package size',
+ 'JAB_PACKAGE_SIZE_EXPLAIN' => 'This is the number of messages sent in one package. If set to 0 the message is sent immediately and will not be queued for later sending.',
+ 'JAB_PASSWORD' => 'Jabber password',
+ 'JAB_PASSWORD_EXPLAIN' => '<em><strong>Warning:</strong> This password will be stored as plain text in the database, visible to everybody who can access your database or who can view this configuration page.</em>',
+ 'JAB_PORT' => 'Jabber port',
+ 'JAB_PORT_EXPLAIN' => 'Leave blank unless you know it is not port 5222.',
+ 'JAB_SERVER' => 'Jabber server',
+ 'JAB_SERVER_EXPLAIN' => 'See %sjabber.org%s for a list of servers.',
+ 'JAB_SETTINGS_CHANGED' => 'Jabber settings changed successfully.',
+ 'JAB_USE_SSL' => 'Use SSL to connect',
+ 'JAB_USE_SSL_EXPLAIN' => 'If enabled a secure connection is tried to be established. The Jabber port will be modified to 5223 if port 5222 is specified.',
+ 'JAB_USERNAME' => 'Jabber username or JID',
+ 'JAB_USERNAME_EXPLAIN' => 'Specify a registered username or a valid JID. The username will not be checked for validity. If you only specify a username, then your JID will be the username and the server you specified above. Else, specify a valid JID, for example user@jabber.org.',
+ 'JAB_VERIFY_PEER' => 'Verify SSL certificate',
+ 'JAB_VERIFY_PEER_EXPLAIN' => 'Require verification of SSL certificate used by Jabber server.<em><strong>Warning:</strong> Connecting peers with unverified SSL certificates may cause security implications.</em>',
+ 'JAB_VERIFY_PEER_NAME' => 'Verify Jabber peer name',
+ 'JAB_VERIFY_PEER_NAME_EXPLAIN' => 'Require verification of peer name for Jabber servers using SSL / TLS connections.<em><strong>Warning:</strong> Connecting to unverified peers may cause security implications.</em>',
));
diff --git a/phpBB/phpbb/db/migration/data/v31x/add_jabber_ssl_context_config_options.php b/phpBB/phpbb/db/migration/data/v31x/add_jabber_ssl_context_config_options.php
new file mode 100644
index 0000000000..9f416fe069
--- /dev/null
+++ b/phpBB/phpbb/db/migration/data/v31x/add_jabber_ssl_context_config_options.php
@@ -0,0 +1,32 @@
+<?php
+/**
+*
+* This file is part of the phpBB Forum Software package.
+*
+* @copyright (c) phpBB Limited <https://www.phpbb.com>
+* @license GNU General Public License, version 2 (GPL-2.0)
+*
+* For full copyright and license information, please see
+* the docs/CREDITS.txt file.
+*
+*/
+
+namespace phpbb\db\migration\data\v31x;
+
+class add_jabber_ssl_context_config_options extends \phpbb\db\migration\migration
+{
+ static public function depends_on()
+ {
+ return array('\phpbb\db\migration\data\v31x\v3110');
+ }
+
+ public function update_data()
+ {
+ return array(
+ // See http://php.net/manual/en/context.ssl.php
+ array('config.add', array('jab_verify_peer', 1)),
+ array('config.add', array('jab_verify_peer_name', 1)),
+ array('config.add', array('jab_allow_self_signed', 0)),
+ );
+ }
+}
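Review bot: The migration has no `effectively_installed()` method and no docblocks on `depends_on()` and `update_data()`. A check such as `return isset($this->config['jab_allow_self_signed']);` would let the migrator skip the step on boards where the keys already exist, and is the usual companion to `config.add` migrations. A short class docblock would also help, for example `Adds the SSL context options for Jabber connections; defaults keep certificate and peer-name verification on and reject self-signed certificates`, so that a later change to the values `1, 1, 0` is recognised as a security decision.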