svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
Paul,

   After 1.5.2 update to svn 14501, I can no longer log in to squirrelmail. I
have used the same squirrelmail setup for at least the last 6-8 years. The
current server is:

Server : Archlinux x86_64  (squirrelmail on same machine)
apache : 2.4.12-4
dovecot: 2.2.18-1

   It had been many months since the last update. So I did the normal 'svn
update *'. Then ran config/conf.pl and check the config -- all good. (saved the
new config as suggested in doc/UPGRADE).

   In the past, squirrelmail has not checked whether the dovecot.pem
certs were expired, but upon first attempt to login I received the following
failure:

Jun 12 17:58:22 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed:
error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL
alert number 45, session=<b1x8C1oYlQAAAAAAAAAAAAAAAAAAAAAB>

   Checking the cert with: 'openssl x509 -in certs/dovecot.pem -noout -text'
showed that the cert was expired:

             Not Before: Dec  6 05:06:32 2013 GMT
             Not After : Dec  6 05:06:32 2014 GMT

   So I regenerated and installed the new certificates:

             Not Before: Jun 12 23:21:37 2015 GMT
             Not After : Jun 11 23:21:37 2016 GMT

   All operation through Thunderbird (sending/receiving) works fine with the new
certificates, so the server isn't the issue -- it's squirrelmail. Attempted
login via squirrelmail still fails:

Jun 12 18:32:06 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert
number 48, session=<rM0jhFoYnAAAAAAAAAAAAAAAAAAAAAAB>

   Strange? The error has changed from:

TLS handshaking: SSL_accept() failed: error:14094415:SSL
routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert number 45

   to

TLS handshaking: SSL_accept() failed: error:14094418:SSL
routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48

   So something in squirrelmail isn't handling the TLS handshaking: SSL_accept()
quite like it used to.

   Let me know what else I can do or test to help isolate the problem. I'd like
to get my squirrelmail install back up and running or I will have a lot of upset
users in the morning.

   Any help appreciated. Thanks.

--
David C. Rankin, J.D.,P.E.

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
On 06/12/2015 07:02 PM, David C. Rankin wrote:
> Paul,
>
>     After 1.5.2 update to svn 14501, I can no longer log in to squirrelmail. I
> have used the same squirrelmail setup for at least the last 6-8 years. The

<snip>

>     All operation through Thunderbird (sending/receiving) works fine with the new
> certificates, so the server isn't the issue -- it's squirrelmail. Attempted
> login via squirrelmail still fails:
>
> Jun 12 18:32:06 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts
> in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert
> number 48, session=<rM0jhFoYnAAAAAAAAAAAAAAAAAAAAAAB>
>
>     Strange? The error has changed from:
>
> TLS handshaking: SSL_accept() failed: error:14094415:SSL
> routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert number 45
>
>     to
>
> TLS handshaking: SSL_accept() failed: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>
>     So something in squirrelmail isn't handling the TLS handshaking: SSL_accept()
> quite like it used to.
>

Paul,

   I have a second site that is still at 1.5.2 svn rev 14405 that continues to
work (same Archlinux setup - not quite as current). Looking at the log entries
for a successful login with rev 14405, I see:

Jun 12 23:41:07 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN,
rip=::1, lip=::1, mpid=1359, TLS, session=<yo9G1V4YvQAAAAAAAAAAAAAAAAAAAAAB>
Jun 12 23:41:07 nirvana dovecot: imap(david): Disconnected: Logged out in=60 out=783
Jun 12 23:41:08 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN,
rip=::1, lip=::1, mpid=1361, TLS, session=<NtpO1V4YvgAAAAAAAAAAAAAAAAAAAAAB>
Jun 12 23:41:08 nirvana dovecot: imap(david): Disconnected: Logged out in=126
out=3025
Jun 12 23:41:08 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN,
rip=::1, lip=::1, mpid=1363, TLS, session=<qn9U1V4YvwAAAAAAAAAAAAAAAAAAAAAB>
Jun 12 23:41:09 nirvana dovecot: imap(david): Disconnected: Logged out in=340
out=24924

   Comparing the failing login with rev 14501 and the working login with rev
14405, the immediate difference is the use of

   'user=<david>, method=PLAIN'

instead of the

   'user=<>, rip=::1, lip=::1, TLS handshaking'

   I'm not sure what in squirrelmail controls what method the server uses, but
this seems to be the immediate cause behind the failed login with rev 14501.

   On the updated site, a successful dovecot login from thunderbird looks like
the following:

Jun 12 20:05:01 phoinix dovecot[469]: imap-login: Login: user=<david>,
method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2609, TLS,
session=<wLVq0FsYMwDAqAcQ>
Jun 12 20:05:01 phoinix dovecot[469]: imap(david): Disconnected: Logged out
in=39 out=751
Jun 12 20:05:03 phoinix dovecot[469]: imap-login: Login: user=<david>,
method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2615, TLS,
session=<ewaM0FsYNADAqAcQ>
Jun 12 20:05:03 phoinix dovecot[469]: imap(david): Disconnected: Logged out
in=41 out=719

   In both instances (successful login on the old rev 14405 and login through
thunderbird on the updated server), since all services (postfix, dovecot, etc.)
are running on the local machine, the login with method=PLAIN works fine,
but whatever/however rev 14501 is attempting the login -- it is failing.

   Let me know how else I can help, what additional tests you need to see,
etc... and I'll be happy to run them for you and submit the results.

   Thanks.

--
David C. Rankin, J.D.,P.E.

Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
On 06/13/2015 12:11 AM, David C. Rankin wrote:


Paul,

   This is now looking more like a problem squirrelmail is having with Postfix
3. All the installs I have, up to and including Postfix 2.9 work. However this
latest Archlinux box has Postfix 3.

   Specifically, the server on which I have 14405 has:

postfix 2.9.3-3

   The server with 14501 that is failing has:

postfix 3.0.1-1

   This can be seen with configtest.php results. All checks succeed until the
'Checkin IMAP server' test which fails at line 740 of configtest.php:

/** Can we open a connection? */
$stream = fsockopen( ($use_imap_tls==1?'tls://':'').$imapServerAddress, $imapPort,
         $errorNumber, $errorString);

Which I've compared with the test in rev 14405 and they are the same, so it
isn't the test that is causing the failure, but rather something internal to
squirrelmail handling Postfix 3.0/dovecot. Here is the full configtest output:

SquirrelMail configtest

This script will try to check some aspects of your SquirrelMail configuration
and point you to errors whereever it can find them. You need to go run conf.pl
in the config/ directory first before you run this script.

SquirrelMail version: 1.5.2 [SVN]
Config file version: 1.5.0
Config file last modified: 13 June 2015 23:31:25

Checking PHP configuration...
     PHP version 5.6.9 OK. (You have: 5.6.9. Minimum: 4.1.0)
     Running as N/A(N/A) / N/A(N/A)
     display_errors: (overridden with 1 for this page only)
     error_reporting: 22527 (overridden with 32767 for this page only)
     variables_order OK: GPCS.
     PHP extensions OK. Dynamic loading is disabled.

     WARNING: You have configured PHP not to allow short tags
(short_open_tag=off). This shouldn't be a problem with SquirrelMail or any
plugin coded coded according to the SquirrelMail Coding Guidelines, but if you
experience problems with PHP code being displayed in some of the pages and
changing setting to "on" solves the problem, please file a bug report against
the failing plugin. The correct contact information is most likely to be found
in the plugin documentation.
Checking paths...
     Data dir OK.
     Attachment dir OK.
Checking plugins...
     Plugin versions...
         squirrelspell 0.5
         calendar ??
     Plugins OK.
     Themes OK.
     Default language OK.
     Base URL detected as: http://www.*******.com:443/squirrelmail/src (location
base autodetected)
Checking outgoing mail service....
     SMTP server OK (220 myhost.*******.com ESMTP Postfix)
Checking IMAP service....
Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
failed in /srv/http/htdocs/squirrelmail/src/configtest.php on line 740 Warning:
fsockopen(): Failed to enable crypto in
/srv/http/htdocs/squirrelmail/src/configtest.php on line 740 Warning:
fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
/srv/http/htdocs/squirrelmail/src/configtest.php on line 740

     FATAL ERROR: Error connecting to IMAP server "localhost:993".Server error: (0)

   I tarred and moved the working rev 14405 to the new server (checked the diff
between the config.php files and they were the same for all practical purposes).
Updated the config for the site and ran configtest.php. Exact same error (except
the line number is 739 on rev 14405):

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify
failed in /srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739
Warning: fsockopen(): Failed to enable crypto in
/srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739 Warning:
fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
/srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739

   What does this tell us? It tells us the problem is a change to either the
imap server, TLS or PHP that squirrelmail isn't handling properly. That's the
only thing that makes sense. If it were a change in squirrelmail, moving
14405 over to the new server would have produced a working install. Instead
14405 experiences the same failure that 14501 does. That points directly to an
update most likely in postfix (2x -> 3x) causing the issue.

   In summary the working install has

postfix 2.9.3-3
dovecot 2.1.8-2

   The failures are occurring with:

postfix 3.0.1-1
dovecot 2.2.18-1

   Between the two, the most significant API changes that are likely at issue
are those in the move from postfix 2.9.3-3 ->  postfix 3.0.1-1.

   Let me know if I can send anything else.

--
David C. Rankin, J.D.,P.E.


Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

Paul Lesniewski
On 6/13/15, David C. Rankin <[hidden email]> wrote:

> On 06/13/2015 12:11 AM, David C. Rankin wrote:
>> On 06/12/2015 07:02 PM, David C. Rankin wrote:
>>> Paul,
>>>
>>>      After 1.5.2 update to svn 14501, I can no longer log in to
>>> squirrelmail. I
>>> have used the same squirrelmail setup for at least the last 6-8 years.
>>> The
>>
>> <snip>
>>
>>>      All operation through Thunderbird (sending/receiving) works fine
>>> with the new
>>> certificates, so the server isn't the issue -- it's squirrelmail.
>>> Attempted
>>> login via squirrelmail still fails:
>>>
>>> Jun 12 18:32:06 phoinix dovecot[469]: imap-login: Disconnected (no auth
>>> attempts
>>> in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept()
>>> failed:
>>> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL
>>> alert
>>> number 48, session=<rM0jhFoYnAAAAAAAAAAAAAAAAAAAAAAB>
>>>
>>>      Strange? The error has changed from:
>>>
>>> TLS handshaking: SSL_accept() failed: error:14094415:SSL
>>> routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert
>>> number 45
>>>
>>>      to
>>>
>>> TLS handshaking: SSL_accept() failed: error:14094418:SSL
>>> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48

Sorry, I'm short on time, but I think you may need to look at
$imap_stream_options in config/config_local.php.  Get a fresh copy of
that file if you have an old one.  You can use $imap_stream_options to
point it to your CA if you are using self signed certs and you can
also turn off verify_peer if you must.

Note that logging in to SquirrelMail has nothing to do with Postfix.
SquirrelMail only talks to Postfix when sending messages, although
it's entirely possible you'd run into the same problem with that since
a similar change was made for the SMTP side.  For that, again, please
see config/config_local.php and look for $smtp_stream_options

Cheers,
Paul


--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
On 06/14/2015 05:27 AM, Paul Lesniewski wrote:

>>>> TLS handshaking: SSL_accept() failed: error:14094418:SSL
>>>> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
> Sorry, I'm short on time, but I think you may need to look at
> $imap_stream_options in config/config_local.php.  Get a fresh copy of
> that file if you have an old one.  You can use $imap_stream_options to
> point it to your CA if you are using self signed certs and you can
> also turn off verify_peer if you must.
>
> Note that logging in to SquirrelMail has nothing to do with Postfix.
> SquirrelMail only talks to Postfix when sending messages, although
> it's entirely possible you'd run into the same problem with that since
> a similar change was made for the SMTP side.  For that, again, please
> see config/config_local.php and look for $smtp_stream_options
>
> Cheers,
> Paul
>

Paul,

   I went through
https://sourceforge.net/p/squirrelmail/code/HEAD/tree/trunk/squirrelmail/config/config_local.example.php 
and http://php.net/manual/en/context.ssl.php.  I created a fresh
config_local.php. I updated my ca-trust-bundle by including my mail certificate
in /etc/ca-certificates/trust-source/anchors/ and ran 'update-ca-trust extract'.
I tested with various logical 'cafile' settings and turning 'verify_peer' off.
None made any difference. Same error no matter what the configuration was:

Jun 14 18:01:10 phoinix postfix/smtpd[19156]: connect from
phoinix.rlfpllc.com[127.0.0.1]
Jun 14 18:01:10 phoinix postfix/smtpd[19156]: lost connection after CONNECT from
phoinix.rlfpllc.com[127.0.0.1]
Jun 14 18:01:10 phoinix postfix/smtpd[19156]: disconnect from
phoinix.rlfpllc.com[127.0.0.1] commands=0/0
Jun 14 18:01:10 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert
number 48, session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>

   As you can see from 'session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>' the session
is started every time, but something goes south. The other question is why does
dovecot report "no auth attempts in 0 secs", huh? I'm trying... but 'user=<>'
must not qualify.

   The frustrating point is that I cannot tell where the problem is, except for
the fact that even though configured identically, the working versions use a
login like:

      'user=<david>, method=PLAIN'

The non-working attempts to use:

      'user=<>, rip=::1, lip=::1, TLS handshaking'

   In both instances squirrelmail is on the same box as the mail server with
identical postfix/dovecot configs, so theoretically both should be using PLAIN
even though the actual web connection is over https.

   Complicating the issue are changes to the ca-certificates package over the
past 6 months. However, that being so, somehow mozilla has no problem at all
using the mail server from any remote location (using my same self-signed
certificates), but squirrelmail can no longer connect to IMAP on the local machine.

   I'm usually pretty good at sorting out squirrelmail issues, but this one has
me chasing my tail in circles. When you get a break in your schedule, I could
really use your help sorting this one out. Since Archlinux is the most current
distro (packages are generally released the exact same day as the upstream
release), everyone else will generally experience this same issue whenever their
distro moves to the version causing the issue.

   I agree with you that postfix is likely not the culprit, since squirrelmail
configtest.php reports no problem connecting to smtp:

Checking outgoing mail service....
     SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)

   I think you have nailed the issue as a 'ca' problem which makes sense with
the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know when you
have a chance to look into this. I'm happy to do the digging.

--
David C. Rankin, J.D.,P.E.


Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
On 06/14/2015 07:05 PM, David C. Rankin wrote:
> Checking outgoing mail service....
>       SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
>
>     I think you have nailed the issue as a 'ca' problem which makes sense with
> the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know when you
> have a chance to look into this. I'm happy to do the digging.

I think I have made progress. It looks like the problem is with the way
squirrelmail handles the certificate check. I made several changes and now
configtest.php gives the following error:

Warning: fsockopen(): Peer certificate CN=`*.rlfpllc.com' did not match expected
CN=`localhost' in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line
740 Warning: fsockopen(): Failed to enable crypto in
/srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740 Warning:
fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
/srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740

Seeing the CN mismatch, I set config_local.php with 'verify_peer' => false:

$imap_stream_options = array(
     'ssl' => array(
         'cafile' => '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
         'verify_peer' => false,
         'verify_depth' => 3,
     ),
);

However, that made no difference. (*Note:* with php 5.6+ the default for
verify_peer is now 'true' -- I don't know if that prevents override in
config_local.php) Let me know when you have some time and I'm glad to help.

--
David C. Rankin, J.D.,P.E.


Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

Shane Thomas
It's an open source application.  I have been trying to backtrack to initial setup and get a bak or some kind of check file to backtrace the route.  They only answer every 48 hours or so.  Lol.  

Shane Thomas
IT – North Region
Denbury Resources Inc.
Office ext.   | 4529
Office          | 307.439.1879
Mobile         | 307.462.1958
Email           | [hidden email]

"This confidential e-mail is intended solely for the use of the intended recipient. Unless expressly stated otherwise in a written communication other than in electronic form, no e-mail communication shall satisfy the requirements for a writing or constitute a contract or electronic signature."

> On Jun 14, 2015, at 7:00 PM, David C. Rankin <[hidden email]> wrote:

Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
On 06/14/2015 10:44 PM, Shane Thomas wrote:
> It's an open source application.  I have been trying to backtrack to initial
> setup and get a bak or some kind of check file to backtrace the route.  They
> only answer every 48 hours or so.  Lol.

Thanks, Shane,

   I know opensource, been an advocate for almost 20 years. I know Paul, worked
with him here on the list on squirrelmail issues for over a decade. I am more
than comfortable with the way it all works. The real key to opensource is those
tireless warriors that do give their time, talent and energy to creating and
managing great software. If that means it can only happen every 48 hours or so,
then that's just the way it works. (see my next post)

--
David C. Rankin, J.D.,P.E.


[SOLVED sort of] was Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
In reply to this post by David C. Rankin
On 06/14/2015 08:00 PM, David C. Rankin wrote:


   For whatever reason, and for reasons I cannot explain, squirrelmail can no
longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl) when your
dovecot server certificate uses a CN of *.domain.tld. For years, my server
config always looked like:

Server Settings

General
-------
1.  Domain                 : mydomain.com
2.  Invert Time            : false
3.  Sendmail or SMTP       : SMTP

A.  Update IMAP Settings   : localhost:993 (dovecot)
B.  Update SMTP Settings   : localhost:25

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

   After looking at the CN mismatch reported through configtest.php, I decided to
change my server configuration to match my server CN:

Server Settings

General
-------
1.  Domain                 : mydomain.com
2.  Invert Time            : false
3.  Sendmail or SMTP       : SMTP

A.  Update IMAP Settings   : mail.mydomain.com:993 (dovecot)
B.  Update SMTP Settings   : localhost:25

R   Return to Main Menu
C   Turn color off
S   Save data
Q   Quit

   Bingo! configtest.php worked:

Checking IMAP service....
     IMAP server ready (* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.)
     Capabilities: * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
Checking internationalization (i18n) settings...
      gettext - Gettext functions are available. On some systems you must have
appropriate system locales compiled.
         Test translations. This test is not accurate and might work only on
some systems.
      mbstring - Mbstring functions are available.
      recode - Recode functions are unavailable.
      iconv - Iconv functions are unavailable.
      timezone - Webmail users can change their time zone settings. Current time
zone is CDT.

   So what was the reason? Looking at the release notes for php 5.6 listed on
http://php.net/manual/en/context.ssl.php showed:

5.6.0 Added peer_fingerprint and verify_peer_name. verify_peer default changed
to TRUE.

   While I cannot confirm with 100% certainty the change in the default was the
sole cause and that changes to ca-certificates over the past few months didn't
also contribute, it certainly seems to be the most likely candidate.

   Paul, after you look into this, if this was the sole cause, you may want to
drop an Install/Upgrade note regarding php 5.6 and the change required in server
settings.

(even better, it may be worth adding a check in the squirrelmail code that if
server setting is listed as 'localhost', make a php call to obtain the server
hostname/domain to compare against the Peer reported name before a CN mismatch
is declared -- or something similar -- may fix it)

   Hopefully this will narrow down your work a bit.

--
David C. Rankin, J.D.,P.E.


Re: [SOLVED sort of] was Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
On 06/14/2015 11:53 PM, David C. Rankin wrote:
>     Paul, after you look into this, if this was the sole cause, you may want to
> drop an Install/Upgrade note regarding php 5.6 and the change required in server
> settings.
>
> (even better, it may be worth adding a check in the squirrelmail code that if
> server setting is listed as 'localhost', make a php call to obtain the server
> hostname/domain to compare against the Peer reported name before a CN mismatch
> is declared -- or something similar -- may fix it)


   If you do look at this, it looks like a possible fix for php 5.6+ needs to be
prior to line 725 in functions/imap_general.php:

in function sqimap_create_stream:

   $imap_stream = @fsockopen($server, $port, $error_number, $error_string, 15);


   The problem in my case appears to be that if 'localhost' is specified as the
imap server in config.php (as it has been for the past 5-10 years), passing
'localhost' as $server to fsockopen now causes the IMAP stream open failure
(presumably due to the new default of verify_peer=true). It seems like a
functional check of something like the following could help:

if ($server === 'localhost') {
   // hostname.dnsdomainname equivalent: this box's FQDN via reverse lookup
   $servername = gethostbyaddr(gethostbyname(gethostname()));
   $imap_stream = @fsockopen($servername, $port, $error_number, $error_string, 15);
} else {
   $imap_stream = @fsockopen($server, $port, $error_number, $error_string, 15);
}

   It is trickier if the CN wasn't generated with the suggested '*.domain.tld'
format, but rather 'host.domain.tld'. In that case there would be no way of knowing
if the 'host' part of 'host.domain.tld' returned by the 'hostname' equivalent
would match the name used as the CN in certificate generation.

   However, just adding the 'localhost' check and 'host.domain.tld' substitution
would work for every case where CN is specified in the recommended
'*.domain.tld' format. (I haven't looked at the code to see why smtp is not
affected, but it is fine)

   Another option (less desirable, but effective) would be to add a check to
config/conf.pl to check if ssl/tls, or port 993, etc... had been specified along
with 'localhost' as the hostname. In that case conf.pl could warn that the IMAP
hostname must match the mail certificate CN for authentication to succeed with
php 5.6+.

   Keep fighting the good fight!

--
David C. Rankin, J.D.,P.E.

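The two posts above (the php 5.6 verify_peer default, and the 'localhost' vs. CN mismatch in sqimap_create_stream) both come down to the same thing: PHP now verifies the certificate against the name it connected to. The following is an added example, not SquirrelMail's code, of keeping verification on while still connecting to the loopback address: it uses PHP's own ssl context option peer_name so the certificate is checked against the mail host's name rather than 'localhost'. Assumed values: the certificate carries the wildcard name *.mydomain.com (if the CN is host.domain.tld instead, peer_name must be that exact name), the Arch CA bundle path from this thread, and port 993.

```php
<?php
// Added example (not SquirrelMail code): open an IMAPS stream to the local
// Dovecot with PHP 5.6+ certificate verification left ON, instead of setting
// 'verify_peer' => false. Assumptions: the Dovecot cert is trusted through the
// Arch CA bundle path used in this thread, and its CN/SAN is *.mydomain.com.
function open_local_imaps(
    $peer_name = 'mail.mydomain.com',   // hypothetical name the cert must match
    $cafile    = '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
    $port      = 993,
    $timeout   = 15
) {
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'      => true,   // the php 5.6 default, kept explicit
            'verify_peer_name' => true,
            // Verify the certificate against this name, not against the
            // connect address. This avoids the "CN=*.domain.tld did not match
            // expected CN=localhost" failure without moving the IMAP server
            // setting away from the loopback address.
            'peer_name'        => $peer_name,
            'cafile'           => $cafile,
            'verify_depth'     => 3,
        ),
    ));

    // Collect the PHP warnings instead of silencing them with @: $errstr is
    // usually just "Unknown error", while the OpenSSL reason (unknown CA,
    // name mismatch, expired cert) only appears in the warnings.
    $warnings = array();
    set_error_handler(function ($no, $str) use (&$warnings) {
        $warnings[] = $str;
        return true;
    });
    // fsockopen() accepts no context; stream_socket_client() does.
    $stream = stream_socket_client(
        'tls://127.0.0.1:' . $port, $errno, $errstr, $timeout,
        STREAM_CLIENT_CONNECT, $context
    );
    restore_error_handler();

    if ($stream === false) {
        $detail = $warnings ? implode(' | ', $warnings) : $errstr;
        return array(false, sprintf('IMAPS connect failed [%d]: %s', $errno, $detail));
    }

    // Read the Dovecot greeting, e.g. "* OK [CAPABILITY IMAP4rev1 ...] Dovecot ready."
    $greeting = fgets($stream, 4096);
    if ($greeting === false || strncmp($greeting, '* OK', 4) !== 0) {
        fclose($stream);
        return array(false, 'unexpected IMAP greeting: ' . var_export($greeting, true));
    }
    return array($stream, trim($greeting));
}

// Usage: report the greeting or the verification failure, then log out.
list($imap, $info) = open_local_imaps();
echo $info, "\n";
if ($imap !== false) {
    fwrite($imap, "a001 LOGOUT\r\n");
    fclose($imap);
}
```

Run it on the mail host itself: a self-signed certificate must already be in the bundle named by cafile (as done in this thread with update-ca-trust), or the verification failure will be reported in the returned message.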

Re: [SOLVED sort of] was Re: svn 14501 - TLS

David Highley
"David C. Rankin wrote:"


I'm not sure this is the whole story on why squirrelmail is not
working. We have been trying since February and Fedora 21 to get it
working again. Using squirrelmail-1.4.22-15.fc21.noarch

We have the following configuration:
Outside web server -> dovecot -> mail server using port 993

We have verified all the certificates and if we use thunderbird all
works fine. Yet squirrelmail configtest fails with:
[root@spruce ~]# firefox /usr/share/squirrelmail/src/configtest.php &
[1] 6998
[root@spruce ~]#
(firefox:6998): GLib-GObject-WARNING **: The property
GtkSettings:gtk-menu-images is deprecated and shouldn't be used anymore.
It will be removed in a future version.

(firefox:6998): GLib-GObject-WARNING **: The property
GtkSettings:gtk-button-images is deprecated and shouldn't be used
anymore. It will be removed in a future version.
PHP Warning:  date(): It is not safe to rely on the system's timezone
settings. You are *required* to use the date.timezone setting or the
date_default_timezone_set() function. In case you used any of those
methods and you are still getting this warning, you most likely
misspelled the timezone identifier. We selected the timezone 'UTC' for
now, but please set date.timezone to select your timezone. in
/usr/share/squirrelmail/src/configtest.php on line 80
PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL
Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed in /usr/share/squirrelmail/src/configtest.php on line 431
PHP Warning:  fsockopen(): Failed to enable crypto in
/usr/share/squirrelmail/src/configtest.php on line 431
PHP Warning:  fsockopen(): unable to connect to
tls://douglas.highley-recommended.com:993 (Unknown error) in
/usr/share/squirrelmail/src/configtest.php on line 431



--

Regards,

David Highley
Highley Recommended, Inc.       Phone: (206) 669-0081
2927 SW 339th Street            WEB: http://www.highley-recommended.com
Federal Way, WA 98023-7732


Re: [SOLVED sort of] was Re: svn 14501 - TLS

Rich Hall




On Mon, June 15, 2015 19:59, David Highley wrote:



The GTK WARNINGS (they are NOT ERRORS at this time) are nothing to currently
worry about.. they are just a warning of FUTURE problems to come...


Set the timezone in the /etc/php.ini file as such (RHEL/CentOS/Fedora):

;;;;;;;;;;;;;;;;;;;
; Module Settings ;
;;;;;;;;;;;;;;;;;;;

[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = 'America/Denver'

Restart Apache.


Do NOT use SSLv3 as it is deprecated and compromised thus making it insecure.
Use only TLS/STARTTLS authentication. Disable SSLv3 in both the SMTP (Sendmail?)
and IMAP (Dovecot?) servers.

Disable SSLv3 in /etc/dovecot/conf.d/10-ssl.conf:

# SSL ciphers to use
ssl_cipher_list = ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL:+HIGH:+MEDIUM

Disable SSLv3 by adding to /etc/mail/sendmail.mc and rerun make.

LOCAL_CONFIG
O CipherList=HIGH:RC4-SHA,RC4-MD5
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3
+SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

Make sure you recompile the sendmail.mc to generate the new sendmail.cf file and
then restart your IMAP and SMTP servers.

-Rich

--
------------------------------------------------------------------------
 Rich Hall
 [hidden email]
 http://www.netlynx.us/rich/
 ham radio: kf6arx
 GPG Fingerprint: 1FE661FF5EBACE0CEC60C4CCA7DA943DD2722CC4
------------------------------------------------------------------------
 Some people are like slinkies.. Not really good for anything useful,
 but they bring a smile to your face when pushed down the stairs.
------------------------------------------------------------------------
 And remember - if it ain't broke, hit it again.



Re: [SOLVED sort of] was Re: svn 14501 - TLS

David C. Rankin
In reply to this post by David Highley
On 06/15/2015 08:59 PM, David Highley wrote:

> /usr/share/squirrelmail/src/configtest.php on line 80
> PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL
> Error messages:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed in /usr/share/squirrelmail/src/configtest.php on line 431
> PHP Warning:  fsockopen(): Failed to enable crypto in
> /usr/share/squirrelmail/src/configtest.php on line 431
> PHP Warning:  fsockopen(): unable to connect to
> tls://douglas.highley-recommended.com:993 (Unknown error) in
> /usr/share/squirrelmail/src/configtest.php on line 431

David,

   Just an outside guess. Check the number of dovecot processes currently
running on the host for any given user. (with imap access via desktop, laptop,
tablet, iphone, each can open 2+ sessions, which easily exceeds the default 10
allowed) On all my dovecot installs, I've had to increase the number of
simultaneous connections to 30. Otherwise, dovecot just refuses to allow a
connection, giving an ("Unknown error").

   To increase the max allowed connections, edit /etc/dovecot/dovecot.conf and
add the following:

protocol imap {
   mail_max_userip_connections = 30
}

   I've been bitten by this more than once -- I don't have excess hair to pull
out anymore...

--
David C. Rankin, J.D.,P.E.


Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

Paul Lesniewski
In reply to this post by David C. Rankin
On 6/14/15, David C. Rankin <[hidden email]> wrote:

> On 06/14/2015 05:27 AM, Paul Lesniewski wrote:
>>>>> TLS handshaking: SSL_accept() failed: error:14094418:SSL
>>>>> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number
>>>>> 48
>> Sorry, I'm short on time, but I think you may need to look at
>> $imap_stream_options in config/config_local.php.  Get a fresh copy of
>> that file if you have an old one.  You can use $imap_stream_options to
>> point it to your CA if you are using self signed certs and you can
>> also turn off verify_peer if you must.
>>
>> Note that logging in to SquirrelMail has nothing to do with Postfix.
>> SquirrelMail only talks to Postfix when sending messages, although
>> it's entirely possible you'd run into the same problem with that since
>> a similar change was made for the SMTP side.  For that, again, please
>> see config/config_local.php and look for $smtp_stream_options
>>
>> Cheers,
>> Paul
>>
>
> Paul,
>
>    I went through
> https://sourceforge.net/p/squirrelmail/code/HEAD/tree/trunk/squirrelmail/config/config_local.example.php
> and http://php.net/manual/en/context.ssl.php.  I created a fresh
> config_local.php. I updated my ca-trust-bundle by including my mail certificate
> in /etc/ca-certificates/trust-source/anchors/ and ran 'update-ca-trust extract'.
> I tested with various logical 'cafile' settings and turning 'verify_peer' off.
> None made any difference. Same error no matter what the configuration was:
>
> Jun 14 18:01:10 phoinix postfix/smtpd[19156]: connect from phoinix.rlfpllc.com[127.0.0.1]
> Jun 14 18:01:10 phoinix postfix/smtpd[19156]: lost connection after CONNECT from phoinix.rlfpllc.com[127.0.0.1]
> Jun 14 18:01:10 phoinix postfix/smtpd[19156]: disconnect from phoinix.rlfpllc.com[127.0.0.1] commands=0/0
> Jun 14 18:01:10 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>

Note that this is a dovecot log event.  *Dovecot* is complaining about
the CA.  Not SquirrelMail.

>    As you can see from 'session=<fk80UYIYyQAAAAAAAAAAAAAAAAAAAAAB>' the session
> is started every time, but something goes south. The other question is why does
> dovecot report "no auth attempts in 0 secs", huh? I'm trying... but 'user=<>'
> must not qualify.

No process is going to be able to authenticate if the SSL handshake failed.

>    The frustrating point is that I cannot tell where the problem is, except for
> the fact that even though configured identically, the working versions use a
> login like:
>
>       'user=<david>, method=PLAIN'
>
> The non-working attempts to use:
>
>       'user=<>, rip=::1, lip=::1, TLS handshaking'
>
>    In both instances squirrelmail is on the same box as the mail server with

So why are you using TLS if the traffic never leaves the machine?

> identical postfix/dovecot configs, so theoretically both should be using PLAIN
> even though the actual web connection is over https.
>
>    Complicating the issue are changes to the ca-certificates package over the
> past 6 months. However, that being so, somehow mozilla has no problem at all
> using the mail server from any remote location (using my same self-signed
> certificates), but squirrelmail can no longer connect to IMAP on the local
> machine.
>
>    I'm usually pretty good at sorting out squirrelmail issues, but this one

It's not SquirrelMail per se.  It's PHP and Dovecot and your SSL/TLS
settings for both.

> has
> me chasing my tail in circles. When you get a break in your schedule, I could
> really use your help sorting this one out. Since Archlinux is the most current
> distro (packages are generally released the exact same day as the upstream
> release), everyone else will generally experience this same issue whenever their
> distro moves to the version causing the issue.
>
>    I agree with you that postfix is likely not the culprit, since squirrelmail
> configtest.php reports no problem connecting to smtp:

For testing with configtest.php, please update your snapshot or use this patch:

http://sourceforge.net/p/squirrelmail/code/14502/

> Checking outgoing mail service....
>      SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
>
>    I think you have nailed the issue as a 'ca' problem which makes sense
> with the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know
> when you have a chance to look into this. I'm happy to do the digging.
>
> --
> David C. Rankin, J.D.,P.E.
>


--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
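The log line quoted above is Dovecot recording an alert it received, not one it raised: `ssl3_read_bytes ... alert unknown ca` inside `SSL_accept()` means the connecting client (PHP, on SquirrelMail's behalf) rejected the server certificate and sent TLS alert 48 before any IMAP command could be issued, which is why Dovecot sees `user=<>` and "no auth attempts". The script below is an added example, not part of SquirrelMail, Dovecot or the original thread. It does for the IMAP port what configtest.php does: it opens a TLS stream through an explicit PHP stream context and reports either the certificate PHP accepted or the OpenSSL warnings explaining why it refused. The host, port, CA path and peer name at the bottom are assumptions mirroring the setup described in the thread.

```php
<?php
// Added diagnostic, not SquirrelMail or Dovecot code. Mirrors the IMAP check
// in configtest.php: open tls://host:port through a PHP stream context and
// report what PHP accepted, or the OpenSSL warnings explaining the refusal.

/**
 * @param string $host        IMAP host as SquirrelMail would dial it
 * @param int    $port        993 for implicit TLS
 * @param array  $sslOptions  PHP 'ssl' context options ($imap_stream_options shape)
 * @return array              report suitable for print_r()
 */
function probeImapTls($host, $port, array $sslOptions)
{
    // Keep the server certificate after the handshake so the report shows
    // what the server actually presented.
    $sslOptions['capture_peer_cert'] = true;
    $ctx = stream_context_create(array('ssl' => $sslOptions));

    // fsockopen()/stream_socket_client() put the OpenSSL reason (CN mismatch,
    // certificate verify failed, ...) into PHP warnings, not into $errstr,
    // which usually just says "Unknown error". Collect every warning instead.
    $warnings = array();
    set_error_handler(function ($level, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $errno = 0;
    $errstr = '';
    $fp = stream_socket_client("tls://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();

    $report = array(
        'target'    => "tls://$host:$port",
        'connected' => ($fp !== false),
        'errstr'    => $errstr,
        'warnings'  => $warnings,
    );
    if ($fp === false) {
        return $report;
    }

    // Handshake succeeded: summarise the certificate PHP verified.
    $opts = stream_context_get_options($ctx);
    if (isset($opts['ssl']['peer_certificate'])) {
        $cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
        $report['subject_cn'] = isset($cert['subject']['CN']) ? $cert['subject']['CN'] : '';
        $report['issuer_cn']  = isset($cert['issuer']['CN'])  ? $cert['issuer']['CN']  : '';
        $report['san']        = isset($cert['extensions']['subjectAltName'])
                              ? $cert['extensions']['subjectAltName'] : '(none)';
        $report['not_before'] = gmdate('M j H:i:s Y', $cert['validFrom_time_t']) . ' GMT';
        $report['not_after']  = gmdate('M j H:i:s Y', $cert['validTo_time_t'])   . ' GMT';
        $report['expired']    = ($cert['validTo_time_t'] < time());
    }
    // The IMAP banner only arrives once TLS is up, which is why a failed
    // handshake shows up as "no auth attempts" with user=<> in Dovecot's log.
    $report['greeting'] = trim((string) fgets($fp, 1024));
    fclose($fp);
    return $report;
}

// Assumed values mirroring the thread: SquirrelMail and Dovecot on one box,
// certificate issued to *.rlfpllc.com by a private CA whose PEM is at the
// path below. Adjust all four before running.
$report = probeImapTls('localhost', 993, array(
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'cafile'           => '/etc/ssl/certs/mail-ca.pem',   // assumption
    'peer_name'        => 'mail.rlfpllc.com',             // assumption
    'verify_depth'     => 3,
));
print_r($report);
```

Run it from the command line as the web server user (`php probe.php`) so it sees the same OpenSSL trust store and PHP settings as SquirrelMail. A report with `connected => false` and a warning naming the CA or the CN tells you which of the two checks to fix; a report with the greeting line proves the handshake, and therefore the login path, works before you touch SquirrelMail's config again.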

Re: [SOLVED sort of] was Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

Paul Lesniewski
In reply to this post by David C. Rankin
On 6/14/15, David C. Rankin <[hidden email]> wrote:

> On 06/14/2015 08:00 PM, David C. Rankin wrote:
>> On 06/14/2015 07:05 PM, David C. Rankin wrote:
>>> Checking outgoing mail service....
>>>        SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
>>>
>>>      I think you have nailed the issue as a 'ca' problem which makes
>>> sense with
>>> the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know
>>> when you
>>> have a chance to look into this. I'm happy to do the digging.
>>
>> I think I have made progress. It looks like the problem is with the way
>> squirrelmail handles the certificate check. I made several changes and now
>> configtest.php gives the following error:
>>
>> Warning: fsockopen(): Peer certificate CN=`*.rlfpllc.com' did not match
>> expected CN=`localhost' in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>> Warning: fsockopen(): Failed to enable crypto in
>> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>> Warning: fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
>> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>>
>> Seeing the CN mismatch, I set config_local.php with 'verify_peer' => false:
>>
>> $imap_stream_options = array(
>>       'ssl' => array(
>>           'cafile' => '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
>>           'verify_peer' => false,
>>           'verify_depth' => 3,
>>       ),
>> );
>>
>> However, that made no difference. (*Note:* with php 5.6+ the default for
>> verify_peer is now 'true' -- I don't know if that prevents override in
>> config_local.php) Let me know when you have some time and I'm glad to help.
>>
>
>    For whatever reason, and for reasons I cannot explain, squirrelmail can
> no longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl) when

SquirrelMail accepts any hostname it is given.  It's not a matter of
what SquirrelMail can and cannot accept.  It's purely a configuration
mismatch with your PHP and Dovecot SSL settings and the certificates
you are using (and their CA).  There is no SquirrelMail "fix" for
this.  If verify_peer is enabled, then you need to have your ducks in
a row in terms of the things you've been seeing: CA needs to be known,
CN needs to match, etc.


--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php


Re: [SOLVED sort of] was Re: svn 14501 - TLS

Paul Lesniewski
In reply to this post by David C. Rankin
On 6/16/15, David C. Rankin <[hidden email]> wrote:
> On 06/15/2015 08:59 PM, David Highley wrote:
>> /usr/share/squirrelmail/src/configtest.php on line 80
>> PHP Warning:  fsockopen(): SSL operation failed with code 1. OpenSSL
>> Error messages:
>> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
>> verify failed in /usr/share/squirrelmail/src/configtest.php on line 431

Seeing as the error is pretty clear, did you try to address this
issue?  Have you tuned $imap_stream_options in
config/config_local.php?

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

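One way to meet the requirements Paul lists in the two replies above (the CA known to PHP, the name in the certificate matching what PHP expects) while still pointing SquirrelMail at `localhost`, written as an added example for config/config_local.php. It is not taken from the thread or from SquirrelMail's own documentation. The first array is the one tried earlier in the thread, kept as a comment; the second is the corrected form. The CA path and the peer name are assumptions, and the `verify_peer_name` and `peer_name` options it relies on exist from PHP 5.6 onward.

```php
<?php
// config/config_local.php: $imap_stream_options is handed to PHP's stream
// context, so anything PHP's 'ssl' context wrapper understands can go here.

// What was tried in the thread (weak, and it still fails on PHP >= 5.6):
// 'verify_peer' => false skips chain validation but leaves the separate
// 'verify_peer_name' option at its PHP 5.6 default of true, so PHP still
// compares the certificate name (*.rlfpllc.com) against the host it dialled
// (localhost) and aborts with the "did not match expected CN" warning.
//
// $imap_stream_options = array(
//     'ssl' => array(
//         'cafile'       => '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
//         'verify_peer'  => false,
//         'verify_depth' => 3,
//     ),
// );

// Corrected form: keep both checks on and give each what it needs.
$imap_stream_options = array(
    'ssl' => array(
        // Trust anchor for the Dovecot certificate. The distro bundle does not
        // contain a private CA; point at the CA PEM that signed dovecot.pem,
        // or at dovecot.pem itself if it is self-signed. Path is an assumption.
        'cafile'           => '/etc/ssl/certs/mail-ca.pem',
        'verify_peer'      => true,
        'verify_peer_name' => true,
        // $imapServerAddress can stay 'localhost' so IMAP traffic never leaves
        // the box; peer_name tells PHP which name the certificate must carry
        // (a name covered by *.rlfpllc.com; the value here is assumed).
        'peer_name'        => 'mail.rlfpllc.com',
        'verify_depth'     => 3,
    ),
);
```

Resist `'allow_self_signed' => true` as a shortcut: it accepts any self-signed certificate, not specifically yours, which is no better than disabling verification on a loopback socket that an attacker with local access could redirect. If Dovecot's certificate is issued by an intermediate, `ssl_cert` on the Dovecot side must serve the whole chain, otherwise `verify_depth` cannot help PHP reach the anchor in `cafile`.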

Re: [SOLVED sort of] was Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

David C. Rankin
In reply to this post by Paul Lesniewski
On 06/16/2015 05:20 PM, Paul Lesniewski wrote:

>>     For whatever reason, and for reasons I cannot explain, squirrelmail can
>> no longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl) when
> SquirrelMail accepts any hostname it is given.  It's not a matter of
> what SquirrelMail can and cannot accept.  It's purely a configuration
> mismatch with your PHP and Dovecot SSL settings and the certificates
> you are using (and their CA).  There is no SquirrelMail "fix" for
> this.  If verify_peer is enabled, then you need to have your ducks in
> a row in terms of the things you've been seeing: CA needs to be known,
> CN needs to match, etc.
>

Well, yes and no. It is a change (god knows I have no idea how long ago it
may have been, a decade?), but the recommended server setup when running
squirrelmail on the same host as the mailhost was to use 'localhost' as the
server name. This continued to work, even with certificates, until the
verify_peer default changed with php 5.6 for me.

I agree 100% with the ducks in the row logic, but the surprise was going from
working to non-working squirrelmail config due to the peer verification.

The crux of the issue being that for most, the finer points of certificate
authentication/peer verification, etc. are not daily topics of conversation. So
when these things change, there's more than a few minutes of refreshing required
to get on top of the issue again.

I can report that after stumbling through the exercise, squirrelmail is happily
gathering nuts again.

Great package. Keep up the great work!

--
David C. Rankin, J.D.,P.E.


Re: [SOLVED sort of] was Re: svn 14501 - TLS

David Highley
In reply to this post by David C. Rankin
Forwarded message:

> From: Paul Lesniewski <[hidden email]>
> To: Squirrelmail User Support Mailing List <[hidden email]>
> Date: Tue, 16 Jun 2015 15:20:35 -0700
> Subject: Re: [SM-USERS] [SOLVED sort of] was Re: svn 14501 - TLS
>  handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert
>  number 48
>
> On 6/14/15, David C. Rankin <[hidden email]> wrote:
> > On 06/14/2015 08:00 PM, David C. Rankin wrote:
> >> On 06/14/2015 07:05 PM, David C. Rankin wrote:
> >>> Checking outgoing mail service....
> >>>        SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
> >>>
> >>>      I think you have nailed the issue as a 'ca' problem which makes
> >>> sense with
> >>> the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know
> >>> when you
> >>> have a chance to look into this. I'm happy to do the digging.
> >>
> >> I think I have made progress. It looks like the problem is with the way
> >> squirrelmail handles the certificate check. I made several changes and now
> >> configtest.php gives the following error:
> >>
> >> Warning: fsockopen(): Peer certificate CN=`*.rlfpllc.com' did not match
> >> expected CN=`localhost' in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> >> Warning: fsockopen(): Failed to enable crypto in
> >> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> >> Warning: fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
> >> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> >>
> >> Seeing the CN mismatch, I set config_local.php with 'verify_peer' =>
> >> false:
> >>
> >> $imap_stream_options = array(
> >>       'ssl' => array(
> >>           'cafile' => '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
> >>           'verify_peer' => false,
> >>           'verify_depth' => 3,
> >>       ),
> >> );
> >>
> >> However, that made no difference. (*Note:* with php 5.6+ the default for
> >> verify_peer is now 'true' -- I don't know if that prevents override in
> >> config_local.php) Let me know when you have some time and I'm glad to
> >> help.
> >>
> >
> >    For whatever reason, and for reasons I cannot explain, squirrelmail can
> > no
> > longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl) when
>
> SquirrelMail accepts any hostname it is given.  It's not a matter of
> what SquirrelMail can and cannot accept.  It's purely a configuration
> mismatch with your PHP and Dovecot SSL settings and the certificates
> you are using (and their CA).  There is no SquirrelMail "fix" for
> this.  If verify_peer is enabled, then you need to have your ducks in
> a row in terms of the things you've been seeing: CA needs to be known,
> CN needs to match, etc.

First of all, why is it only squirrelmail that is confused? In our case
there are two hosts involved in this, not just the localhost, so how is
squirrelmail going to verify beyond the normal ssl process? How would it
be able to see a CA file that is not on the host it is running on?

Another missed concept is the practice of using DNS CNAME aliases for a
host, like mail.domain.com, so that things are not hardcoded all over
the place and you can move functionality around without going to n
places to change hardcoding. In that case the host provided is not in the
ssl cert.


Re: [SOLVED sort of] was Re: svn 14501 - TLS

David C. Rankin
On 06/16/2015 09:44 PM, David Highley wrote:
> Another missed concept is the practice of using DNS CNAME aliases for a
> host, like mail.domain.com, so that things are not hardcoded all over
> the place and you can move functionality around without going to n
> places to change hardcoding. In that case the host provided is not in the
> ssl cert.

A few years back the certificate CN recommendation changed for cert generation from:

     'host.domain.tld'

to

     '*.domain.tld'


This was intended to allow additional flexibility. I know I've made use of that
format for at least the last 2-3 years of certificate generation. Peer
verification in php will deal with the wildcard properly, allowing the normal
CNAMEs for a host (e.g. hostname, ftp, mail, www, etc.). This recommendation
applies to both server certificates (httpd, etc.) and mail certificates.

I don't know if it will help with your setup, but it does help keep you from
being locked into a specific cert CN.

--
David C. Rankin, J.D.,P.E.

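Highley's point about CNAME aliases and Rankin's wildcard recommendation both come down to how a client matches the name it dialled against the names in the certificate. The script below is an added example, not code from the thread or from SquirrelMail: it generates a throwaway self-signed certificate with the wildcard CN described above and runs a one-label wildcard matcher of the kind PHP's `verify_peer_name` applies over a handful of hostnames. The hostnames are illustrative, and the matcher is spelled out here for clarity rather than borrowed from PHP's internals.

```php
<?php
// Added example, not from the thread or SquirrelMail: which hostnames a
// certificate with a wildcard CN satisfies under peer-name verification.
// The certificate is a throwaway self-signed one generated on the fly and
// every hostname checked below is illustrative.

/** DNS names a parsed certificate presents: SAN dNSName entries if any, else the CN. */
function certDnsNames(array $parsed)
{
    if (!empty($parsed['extensions']['subjectAltName'])) {
        $names = array();
        foreach (explode(',', $parsed['extensions']['subjectAltName']) as $entry) {
            $entry = trim($entry);
            if (stripos($entry, 'DNS:') === 0) {
                $names[] = substr($entry, 4);
            }
        }
        if ($names) {
            return $names;   // SAN present: the CN is ignored, as clients do
        }
    }
    return isset($parsed['subject']['CN']) ? array($parsed['subject']['CN']) : array();
}

/** One-label wildcard match: "*.rlfpllc.com" covers "mail.rlfpllc.com" only. */
function dnsNameMatches($pattern, $host)
{
    $pattern = strtolower(rtrim($pattern, '.'));
    $host    = strtolower(rtrim($host, '.'));
    if (strpos($pattern, '*') === false) {
        return $pattern === $host;
    }
    // The wildcard must be the entire leftmost label and leave at least two
    // labels after it, so "*.com" and "m*.rlfpllc.com" are rejected.
    if (substr($pattern, 0, 2) !== '*.' || substr_count($pattern, '.') < 2
        || strpos($pattern, '*', 1) !== false) {
        return false;
    }
    $suffix = substr($pattern, 1);                       // ".rlfpllc.com"
    if (strlen($host) <= strlen($suffix)
        || substr($host, -strlen($suffix)) !== $suffix) {
        return false;
    }
    // Whatever precedes the suffix must be exactly one non-empty label.
    $label = substr($host, 0, strlen($host) - strlen($suffix));
    return $label !== '' && strpos($label, '.') === false;
}

function peerNameAccepted(array $parsed, $host)
{
    foreach (certDnsNames($parsed) as $name) {
        if (dnsNameMatches($name, $host)) {
            return true;
        }
    }
    return false;
}

// Throwaway self-signed certificate carrying the wildcard CN from the thread.
$key  = openssl_pkey_new(array('private_key_bits' => 2048,
                               'private_key_type' => OPENSSL_KEYTYPE_RSA));
$csr  = openssl_csr_new(array('commonName' => '*.rlfpllc.com'), $key,
                        array('digest_alg' => 'sha256'));
$cert = openssl_csr_sign($csr, null, $key, 365, array('digest_alg' => 'sha256'));
$parsed = openssl_x509_parse($cert);

foreach (array('mail.rlfpllc.com', 'phoinix.rlfpllc.com', 'localhost',
               'rlfpllc.com', 'imap.mail.rlfpllc.com', '127.0.0.1') as $host) {
    printf("%-24s %s\n", $host, peerNameAccepted($parsed, $host) ? 'accepted' : 'rejected');
}
```

The output shows why `localhost` (the value in the thread's Server Settings) never matches `*.rlfpllc.com`, why the bare `rlfpllc.com` and the two-label `imap.mail.rlfpllc.com` are rejected as well, and why a CNAME such as `mail.rlfpllc.com` is fine as long as it stays one label under the wildcard. When a certificate carries a subjectAltName extension the CN is ignored entirely, so a new certificate should list every alias it is meant to cover in the SAN, and a client dialling `localhost` should say which of those names it expects (`peer_name`) rather than switch verification off.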

Re: [SOLVED sort of] was Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

Paul Lesniewski
In reply to this post by David C. Rankin
On 6/16/15, David C. Rankin <[hidden email]> wrote:

> On 06/16/2015 05:20 PM, Paul Lesniewski wrote:
>>>     For whatever reason, and for reasons I cannot explain, squirrelmail
>>> can no longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl)
>>> when
>> SquirrelMail accepts any hostname it is given.  It's not a matter of
>> what SquirrelMail can and cannot accept.  It's purely a configuration
>> mismatch with your PHP and Dovecot SSL settings and the certificates
>> you are using (and their CA).  There is no SquirrelMail "fix" for
>> this.  If verify_peer is enabled, then you need to have your ducks in
>> a row in terms of the things you've been seeing: CA needs to be known,
>> CN needs to match, etc.
>>
>
> Well, yes and no. It is a change (god knows I have no idea how long ago it
> may have been, a decade?), but the recommended server setup when running
> squirrelmail on the same host as the mailhost was to use 'localhost' as the

I've never heard anyone make such a recommendation, and doing so
without any context certainly wouldn't be smart.

> Great package. Keep up the great work!

Thank you.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
