Re: [SOLVED sort of] was Re: svn 14501 - TLS


Re: [SOLVED sort of] was Re: svn 14501 - TLS

David Highley
> From [hidden email]  Tue Jun 16 22:10:00 2015
> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
> douglas.highley-recommended.com
> X-Spam-Level:
> X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,
> HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3,
> RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,T_RP_MATCHES_RCVD,URI_NOVOWEL
> autolearn=ham autolearn_force=no version=3.4.1
> Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com
> designates 209.85.223.179 as permitted sender)
> client-ip=209.85.223.179; envelope-from=[hidden email];
> helo=mail-ie0-f179.google.com;
> MIME-Version: 1.0
> X-Received: by 10.107.3.83 with SMTP id 80mr4956132iod.33.1434517723792; Tue,
> 16 Jun 2015 22:08:43 -0700 (PDT)
> In-Reply-To: <[hidden email]>
> References: <[hidden email]>
> Date: Tue, 16 Jun 2015 22:08:43 -0700
> X-Google-Sender-Auth: MeysZW7wkHYclnL8-EEKJOuKnD8
> Message-ID: <[hidden email]>
> From: Paul Lesniewski <[hidden email]>
> To: Squirrelmail User Support Mailing List
> <[hidden email]>
> X-Headers-End: 1Z55aj-0001Jp-2l
> Subject: Re: [SM-USERS] [SOLVED sort of] was Re: svn 14501 - TLS
> X-BeenThere: [hidden email]
> X-Mailman-Version: 2.1.9
> Precedence: list
> Reply-To: [hidden email],
>         Squirrelmail User Support Mailing List
> <[hidden email]>
> List-Id: Squirrelmail User Support Mailing List
> <squirrelmail-users.lists.sourceforge.net>
> List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/squirrelmail-users>,
> <mailto:[hidden email]?subject=unsubscribe>
> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=squirrelmail-users>
> List-Post: <mailto:[hidden email]>
> List-Help: <mailto:[hidden email]?subject=help>
> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/squirrelmail-users>,
> <mailto:[hidden email]?subject=subscribe>
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Errors-To: [hidden email]
> X-UID: 13513                                                  
> Content-Length: 7147
>
> On 6/16/15, David Highley <[hidden email]> wrote:
> > Forwarded message:
> >> From [hidden email]  Tue Jun 16 15:23:03
> >> 2015
> >> X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
> >> douglas.highley-recommended.com
> >> X-Spam-Level:
> >> X-Spam-Status: No, score=-6.4 required=5.0 tests=BAYES_00,
> >> HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,RCVD_IN_MSPIKE_H3,
> >> RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,SPF_PASS,T_RP_MATCHES_RCVD,URI_NOVOWEL
> >> autolearn=ham autolearn_force=no version=3.4.1
> >> Received-SPF: pass (sog-mx-2.v43.ch3.sourceforge.com: domain of gmail.com
> >> designates 209.85.223.178 as permitted sender)
> >> client-ip=209.85.223.178; envelope-from=[hidden email];
> >> helo=mail-ie0-f178.google.com;
> >> MIME-Version: 1.0
> >> X-Received: by 10.107.47.26 with SMTP id
> >> j26mr3605774ioo.17.1434493235169;
> >> Tue, 16 Jun 2015 15:20:35 -0700 (PDT)
> >> In-Reply-To: <[hidden email]>
> >> References: <[hidden email]>
> >> <[hidden email]>
> >> <[hidden email]>
> >> <[hidden email]>
> >> <[hidden email]>
> >> <[hidden email]>
> >> <[hidden email]>
> >> Date: Tue, 16 Jun 2015 15:20:35 -0700
> >> X-Google-Sender-Auth: hKjg5Rm-1yt9Ix3lpQ8VKu1rM88
> >> Message-ID:
> >> <[hidden email]>
> >> From: Paul Lesniewski <[hidden email]>
> >> To: Squirrelmail User Support Mailing List
> >> <[hidden email]>
> >> X-Headers-End: 1Z4zDk-0007IS-ER
> >> Subject: Re: [SM-USERS] [SOLVED sort of] was Re: svn 14501 - TLS
> >>  handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert
> >>  number 48
> >> X-BeenThere: [hidden email]
> >> X-Mailman-Version: 2.1.9
> >> Precedence: list
> >> Reply-To: [hidden email],
> >>         Squirrelmail User Support Mailing List
> >> <[hidden email]>
> >> List-Id: Squirrelmail User Support Mailing List
> >> <squirrelmail-users.lists.sourceforge.net>
> >> List-Unsubscribe:
> >> <https://lists.sourceforge.net/lists/listinfo/squirrelmail-users>,
> >> <mailto:[hidden email]?subject=unsubscribe>
> >> List-Archive:
> >> <http://sourceforge.net/mailarchive/forum.php?forum_name=squirrelmail-users>
> >> List-Post: <mailto:[hidden email]>
> >> List-Help:
> >> <mailto:[hidden email]?subject=help>
> >> List-Subscribe:
> >> <https://lists.sourceforge.net/lists/listinfo/squirrelmail-users>,
> >> <mailto:[hidden email]?subject=subscribe>
> >> Content-Type: text/plain; charset="us-ascii"
> >> Content-Transfer-Encoding: 7bit
> >> Errors-To: [hidden email]
> >>
> >> On 6/14/15, David C. Rankin <[hidden email]> wrote:
> >> > On 06/14/2015 08:00 PM, David C. Rankin wrote:
> >> >> On 06/14/2015 07:05 PM, David C. Rankin wrote:
> >> >>> Checking outgoing mail service....
> >> >>>        SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
> >> >>>
> >> >>>      I think you have nailed the issue as a 'ca' problem which makes
> >> >>> sense with
> >> >>> the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know
> >> >>> when you
> >> >>> have a chance to look into this. I'm happy to do the digging.
> >> >>
> >> >> I think I have made progress. It looks like the problem is with the
> >> >> way
> >> >> squirrelmail handles the certificate check. I made several changes and
> >> >> how
> >> >> configtest.php gives the following error:
> >> >>
> >> >> Warning: fsockopen(): Peer certificate CN=`*.rlfpllc.com' did not
> >> >> match
> >> >> expected
> >> >> CN=`localhost' in /srv/http/htdocs/squirrelmail_501/src/configtest.php
> >> >> on
> >> >> line
> >> >> 740 Warning: fsockopen(): Failed to enable crypto in
> >> >> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> >> >> Warning:
> >> >> fsockopen(): unable to connect to tls://localhost:993 (Unknown error)
> >> >> in
> >> >> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> >> >>
> >> >> Seeing the CN mismatch, I set config_local.php with 'verify_peer' =>
> >> >> false:
> >> >>
> >> >> $imap_stream_options = array(
> >> >>       'ssl' => array(
> >> >>           'cafile' =>
> >> >> '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
> >> >>           'verify_peer' => false,
> >> >>           'verify_depth' => 3,
> >> >>       ),
> >> >> );
> >> >>
> >> >> However, that made no difference. (*Note:* with php 5.6+ the default
> >> >> for
> >> >> verify_peer is now 'true' -- I don't know if that prevents override in
> >> >> config_local.php) Let me know when you have some time and I'm glad to
> >> >> help.
> >> >>
> >> >
> >> >    For whatever reason, and for reasons I cannot explain, squirrelmail
> >> > can
> >> > no
> >> > longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl)
> >> > when
> >>
> >> SquirrelMail accepts any hostname it is given.  It's not a matter of
> >> what SquirrelMail can and cannot accept.  It's purely a configuration
> >> mismatch with your PHP and Dovecot SSL settings and the certificates
> >> you are using (and their CA).  There is no SquirrelMail "fix" for
> >> this.  If verify_peer is enabled, then you need to have your ducks in
> >> a row in terms of the things you've been seeing: CA needs to be known,
> >> CN needs to match, etc.
> >
> > First of all why is it only squirrelmail that is confused. In our case
> > there are two hosts involved in this not just the localhost so how is
> > squirrelmail going to verify beyond the normal ssl process? How would it
> > be able to see a CA file that is not on the host it is running on.
>
> SquirrelMail is not confused about anything.  Apparently you have
> misconfigured your PHP SSL settings and/or the ones on your IMAP
> server.  A CA can be used to sign more than one certificate and is not
> restricted to any one server.  If you don't understand how certificate
> generation and signing works, you should do more research and learning
> or perhaps avoid using self-signed certs.
>
> > Another missed concept is the practice of using DNS CNAME aliases for a
> > host, like mail.domain.com, so that things are not hardcoded all over
> > the place and you can move functionality around without going to n
> > places to change hardcoding. In that case the host provided is not in the
> > ssl cert.
>
> Nothing has to be hard coded. You have some knowledge gaps that need
> to be filled, after which your journey to correct your SSL
> configuration will become easier.

We know all those things about certificates. We think we're finally getting to
the root of the issue, but have not been able to find the solution. The
following test fails:
openssl s_client -connect douglas.highley-recommended.com:993 -starttls imap

It makes the connection but I'm not able to login. If we take the
-starttls imap off then I'm able to login. Done a bunch of Google
searches but have not found a solution.

Before you ask we have completely opened the firewall between the two
hosts and put selinux in Permissive mode.

>
> --
> Paul Lesniewski
> SquirrelMail Team
> Please support Open Source Software by donating to SquirrelMail!
> http://squirrelmail.org/donate_paul_lesniewski.php
>
> ------------------------------------------------------------------------------
> -----
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: [hidden email]
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
>
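Two facts about the stack discussed in this thread decide whether the checks above pass, and a small diagnostic makes them visible. First, in PHP 5.6 and later the chain check (`verify_peer`, against `cafile`) and the hostname check (`verify_peer_name`, default true, expecting `peer_name`) are separate options, so a `Peer certificate CN=... did not match expected CN=localhost` warning is a hostname-check failure and is unaffected by `verify_peer` alone; the way to keep verification on while connecting to `localhost` or a DNS CNAME is to set `peer_name` to the name actually on the certificate. Second, port 993 is implicit TLS (the handshake happens before any IMAP greeting), whereas STARTTLS is a plaintext-greeting-then-upgrade exchange normally on port 143, so `openssl s_client -connect host:993` (without `-starttls`) and `openssl s_client -connect host:143 -starttls imap` test two different paths, and `-CAfile` on either tells s_client which bundle to verify the chain against. The script below is an added example, not SquirrelMail code and not posted by anyone in this thread; it exercises both paths with the same kind of `ssl` context array that `$imap_stream_options` in `config_local.php` takes, and reports PHP's own verification warning on failure. The connect address, the certificate name and the CA bundle path are assumed placeholders.

```php
<?php
// Added example: a stand-alone PHP diagnostic, not SquirrelMail code.
// It opens the IMAP port with the same kind of stream context SquirrelMail
// passes through $imap_stream_options, so the verification errors it reports
// are the ones PHP's stream layer would raise for SquirrelMail.
// Assumptions (placeholders, replace for your site): the connect address,
// the name on the server certificate, and the CA bundle path.

$imap_host = 'localhost';          // assumed: address SquirrelMail connects to
$cert_name = 'imap.example.com';   // assumed: CN/subjectAltName in the cert
$ca_bundle = '/etc/ca-certificates/extracted/tls-ca-bundle.pem'; // path from the thread

// Keep verification on and tell PHP which name to expect. In PHP >= 5.6
// hostname matching is governed by verify_peer_name (default true) and the
// expected name by peer_name; verify_peer only controls the chain check
// against cafile. This is what lets a connect address like 'localhost' or a
// DNS CNAME verify against a certificate issued for another name.
function imap_tls_options($cert_name, $ca_bundle)
{
    return array('ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $cert_name,
        'cafile'           => $ca_bundle,
        'verify_depth'     => 3,
    ));
}

// Last PHP warning from the stream layer, e.g. "Peer certificate CN=`x'
// did not match expected CN=`y'" or "certificate verify failed".
function last_stream_warning()
{
    $e = error_get_last();
    return $e === null ? '(no detail)' : $e['message'];
}

// Implicit TLS (IMAPS, port 993): the handshake happens before any IMAP
// greeting, so there is nothing for STARTTLS to negotiate on this port.
function check_imaps($host, $port, $opts)
{
    $ctx = stream_context_create($opts);
    $fp  = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                 STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return "IMAPS $host:$port FAILED: $errstr; " . last_stream_warning();
    }
    $greeting = trim((string) fgets($fp));
    fclose($fp);
    return "IMAPS $host:$port OK, greeting: $greeting";
}

// STARTTLS (port 143): plaintext greeting, STARTTLS command, then the
// existing socket is upgraded to TLS using the same ssl context options.
function check_starttls($host, $port, $opts)
{
    $ctx = stream_context_create($opts);
    $fp  = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                                 STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return "STARTTLS $host:$port FAILED: $errstr";
    }
    fgets($fp);                          // "* OK ..." greeting
    fwrite($fp, "a1 STARTTLS\r\n");
    $resp = trim((string) fgets($fp));
    if (strpos($resp, 'a1 OK') !== 0) {
        fclose($fp);
        return "STARTTLS $host:$port refused by server: $resp";
    }
    $methods = STREAM_CRYPTO_METHOD_TLS_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
             | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    $ok = @stream_socket_enable_crypto($fp, true, $methods);
    fclose($fp);
    return $ok === true
        ? "STARTTLS $host:$port OK"
        : "STARTTLS $host:$port FAILED in TLS handshake: " . last_stream_warning();
}

$opts = imap_tls_options($cert_name, $ca_bundle);
echo check_imaps($imap_host, 993, $opts), "\n";
echo check_starttls($imap_host, 143, $opts), "\n";
```

Run it on the host that runs SquirrelMail, since that is the host whose PHP, CA bundle and view of the IMAP server matter. A "did not match expected CN" message points at `peer_name`; a "certificate verify failed" or "unknown ca" message points at the bundle in `cafile` not containing the issuer of the server certificate. Disabling `verify_peer` or `verify_peer_name` removes the check rather than the mismatch, so the array above keeps both on.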
