svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

Re: [SOLVED sort of] was Re: svn 14501 - TLS

Paul Lesniewski
On 6/16/15, David Highley <[hidden email]> wrote:

> Forwarded message:
>> From: Paul Lesniewski <[hidden email]>
>> To: Squirrelmail User Support Mailing List <[hidden email]>
>> Date: Tue, 16 Jun 2015 15:20:35 -0700
>> Subject: Re: [SM-USERS] [SOLVED sort of] was Re: svn 14501 - TLS
>>  handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert
>>  number 48
>>
>> On 6/14/15, David C. Rankin <[hidden email]> wrote:
>> > On 06/14/2015 08:00 PM, David C. Rankin wrote:
>> >> On 06/14/2015 07:05 PM, David C. Rankin wrote:
>> >>> Checking outgoing mail service....
>> >>>        SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
>> >>>
>> >>>      I think you have nailed the issue as a 'ca' problem which makes
>> >>> sense with
>> >>> the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know
>> >>> when you
>> >>> have a chance to look into this. I'm happy to do the digging.
>> >>
>> >> I think I have made progress. It looks like the problem is with the
>> >> way
>> >> squirrelmail handles the certificate check. I made several changes and
>> >> how
>> >> configtest.php gives the following error:
>> >>
>> >> Warning: fsockopen(): Peer certificate CN=`*.rlfpllc.com' did not
>> >> match
>> >> expected
>> >> CN=`localhost' in /srv/http/htdocs/squirrelmail_501/src/configtest.php
>> >> on
>> >> line
>> >> 740 Warning: fsockopen(): Failed to enable crypto in
>> >> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>> >> Warning:
>> >> fsockopen(): unable to connect to tls://localhost:993 (Unknown error)
>> >> in
>> >> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>> >>
>> >> Seeing the CN mismatch, I set config_local.php with 'verify_peer' =>
>> >> false:
>> >>
>> >> $imap_stream_options = array(
>> >>       'ssl' => array(
>> >>           'cafile' =>
>> >> '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
>> >>           'verify_peer' => false,
>> >>           'verify_depth' => 3,
>> >>       ),
>> >> );
>> >>
>> >> However, that made no difference. (*Note:* with php 5.6+ the default
>> >> for
>> >> verify_peer is now 'true' -- I don't know if that prevents override in
>> >> config_local.php) Let me know when you have some time and I'm glad to
>> >> help.
>> >>
>> >
>> >    For whatever reason, and for reasons I cannot explain, squirrelmail
>> > can
>> > no
>> > longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl)
>> > when
>>
>> SquirrelMail accepts any hostname it is given.  It's not a matter of
>> what SquirrelMail can and cannot accept.  It's purely a configuration
>> mismatch with your PHP and Dovecot SSL settings and the certificates
>> you are using (and their CA).  There is no SquirrelMail "fix" for
>> this.  If verify_peer is enabled, then you need to have your ducks in
>> a row in terms of the things you've been seeing: CA needs to be known,
>> CN needs to match, etc.
>
> First of all, why is it only squirrelmail that is confused? In our case
> there are two hosts involved in this, not just the localhost, so how is
> squirrelmail going to verify beyond the normal ssl process? How would it
> be able to see a CA file that is not on the host it is running on?

SquirrelMail is not confused about anything.  Apparently you have
misconfigured your PHP SSL settings and/or the ones on your IMAP
server.  A CA can be used to sign more than one certificate and is not
restricted to any one server.  If you don't understand how certificate
generation and signing works, you should do more research and learning
or perhaps avoid using self-signed certs.

> Another missed concept is the practice of using DNS CNAME aliases for a
> host, like mail.domain.com, so that things are not hardcoded all over
> the place and you can move functionality around without going to n
> places to change hardcoding. In that case the host provided is not in the
> ssl cert.

Nothing has to be hard coded. You have some knowledge gaps that need
to be filled, after which your journey to correct your SSL
configuration will become easier.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: [hidden email]
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users

Re: [SOLVED sort of] was Re: svn 14501 - TLS

igor_123
Dear Paul,

sorry to bring this [Solved] topic to the surface again. After installing Fedora 25 (from scratch) I have the same problem ("unknown ca"). I have been using squirrelmail for many years with "localhost" as imap server name. This does not work anymore. Looking on the internet, I found this thread, which is the most informative among all I found before. However, in my case David's recipe (to replace "localhost" by a fully qualified host name) does not work...

My certificates are self-signed.

The package versions are:

postfix-3.1.3-2.fc25.x86_64
dovecot-2.2.26.0-1.fc25.x86_64
php-7.0.14-1.fc25.x86_64
squirrelmail-1.4.22-17.fc24.noarch

The squirrelmail imap-related config page is:

IMAP Settings
--------------
4.  IMAP Server            : uranus.sai.msu.ru
5.  IMAP Port              : 993
6.  Authentication type    : login
7.  Secure IMAP (TLS)      : true
8.  Server software        : dovecot
9.  Delimiter              : detect

B.  Update SMTP Settings   : localhost:25

the configtest page of squirrelmail returns

Checking IMAP service....

    ERROR: Error connecting to IMAP server "uranus.sai.msu.ru:993".Server error: (0)

The relevant maillog lines are:

Dec 16 17:23:01 uranus postfix/smtpd[7867]: connect from localhost[::1]
Dec 16 17:23:01 uranus postfix/smtpd[7867]: lost connection after CONNECT from localhost[::1]
Dec 16 17:23:01 uranus postfix/smtpd[7867]: disconnect from localhost[::1] commands=0/0
Dec 16 17:23:01 uranus dovecot: imap-login: Disconnected (no auth attempts in 0 secs):
user=<>, rip=93.180.26.5, lip=93.180.26.5, TLS handshaking: SSL_accept() failed:
error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48,
session=<8mavTsdDQtldtBoF>

The relevant config lines:

postfix main.cf

smtpd_tls_security_level = may
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_CAfile = /etc/postfix/smtpd.cert
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

dovecot 10-ssl.conf:

ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_ca = </etc/postfix/smtpd.cert

Printing out the contents of smtpd.cert confirms that CN=uranus.sai.msu.ru

To be able to check php ssl connection from command line, I added the line to php.ini:

openssl.cafile= /etc/postfix/smtpd.cert

After that, issuing the command (which is run from squirrelmail)

echo 'fsockopen("tls://uranus.sai.msu.ru",993,$errno,$errmsg,15);'|php -a

returns "Interactive shell", which is ok and means that PHP correctly identifies the CA. Thunderbird also works flawlessly. It is only squirrelmail which is having the problem.

Adding these lines to squirrelmail's config_local.php

$imap_stream_options = array(
     'ssl' => array(
         'cafile' => '/etc/postfix/smtpd.cert',
         'verify_peer' => false,
         'verify_depth' => 1,
     ),
);

does not change anything.

I understand that if squirrelmail and imap server are on the same host, I can safely use plain authentication. Still, I am wondering why the apparently correct setup with TLS does not work. Any advice?

Thank you,
Igor

Re: [SOLVED sort of] was Re: svn 14501 - TLS

Paul Lesniewski


On 2016-12-16 22:52, igor_123 wrote:

> Dear Paul,
>
> sorry to bring this [Solved] topic to the surface again. After installing Fedora
> 25 (from scratch) I have the same problem ("unknown ca"). I have been using
> squirrelmail for many years with "localhost" as imap server name. This does
> not work anymore. Looking on the internet, I found this thread, which is the
> most informative among all I found before. However, in my case David's
> recipe (to replace "localhost" by a fully qualified host name) does not
> work...
>
> The package versions are:
>
> postfix-3.1.3-2.fc25.x86_64
> dovecot-2.2.26.0-1.fc25.x86_64
> php-7.0.14-1.fc25.x86_64
> squirrelmail-1.4.22-17.fc24.noarch
>
> The squirrelmail imap-related config page is:
>
> IMAP Settings
> --------------
> 4.  IMAP Server            : uranus.sai.msu.ru
> 5.  IMAP Port              : 993
> 6.  Authentication type    : login
> 7.  Secure IMAP (TLS)      : true
> 8.  Server software        : dovecot
> 9.  Delimiter              : detect
>
> B.  Update SMTP Settings   : localhost:25

Port 25?

> the configtest page of squirrelmail returns
>
> Checking IMAP service....
>
>     ERROR: Error connecting to IMAP server "uranus.sai.msu.ru:993".Server
> error: (0)
>
> The relevant maillog lines are:
>
> Dec 16 17:23:01 uranus postfix/smtpd[7867]: connect from localhost[::1]
> Dec 16 17:23:01 uranus postfix/smtpd[7867]: lost connection after CONNECT
> from localhost[::1]
> Dec 16 17:23:01 uranus postfix/smtpd[7867]: disconnect from localhost[::1]
> commands=0/0
> Dec 16 17:23:01 uranus dovecot: imap-login: Disconnected (no auth attempts
> in 0 secs):
> user=<>, rip=93.180.26.5, lip=93.180.26.5, TLS handshaking: SSL_accept()
> failed:
> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL
> alert number 48,
> session=<8mavTsdDQtldtBoF>
>
> The relevant config lines:
>
> postfix main.cf
>
> smtpd_tls_security_level = may
> smtpd_use_tls = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_key_file = /etc/postfix/smtpd.key
> smtpd_tls_cert_file = /etc/postfix/smtpd.cert
> smtpd_tls_CAfile = /etc/postfix/smtpd.cert
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s

If you're asking about TLS to IMAP, SMTP settings are not relevant.

> dovecot 10-ssl.conf:
>
> ssl_cert = </etc/postfix/smtpd.cert
> ssl_key = </etc/postfix/smtpd.key
> ssl_ca = </etc/postfix/smtpd.cert
>
> Printing out the contents of smtpd.cert confirms that CN=uranus.sai.msu.ru

But is the CA available (to SM) and known?

> To be able to check php ssl connection from command line, I added the line
> to php.ini:
>
> openssl.cafile= /etc/postfix/smtpd.cert
>
> After that, issuing the command (which is run from squirrelmail)
>
> echo
> 'fsockopen("tls://uranus.sai.msu.ru",993,$errno,$errmsg,15);'|php
> -a
>
> returns "Interactive shell", which is ok and means that PHP
> correctly identifies the CA. Thunderbird also works flawlessly. It is only
> squirrelmail which is having the problem.

Thunderbird is presumably connecting from outside the host.

> Adding these lines to squirrelmail's config_local.php
>
> $imap_stream_options = array(
>      'ssl' => array(
>          'cafile' => '/etc/postfix/smtpd.cert',

That does not look like a CA cert path to me.

>          'verify_peer' => false,
>          'verify_depth' => 1,
>      ),
> );
>
> does not change anything.

Did you verify if those are being used in the code?  The solution might
be as simple as using a 1.4.23-SVN snapshot from our downloads page.
I'd try that before anything else.

> I understand that if squirrelmail and imap server are on the same host, I
> can safely use plain authentication. Still, I am wondering why the
> apparently correct setup with TLS does not work. Any advice?


--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php

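To make Paul's two questions above ("is the CA available and known?" and "are those stream options actually being used?"), and the CN-mismatch warning from David's earlier report, checkable from the command line, here is an added PHP script. It is not SquirrelMail's code and not a procedure the project documents: the host, port and cafile path are the values from this thread, the function names `imap_tls_probe` and `cafile_names_issuer` are this example's own, and `peer_name` / `capture_peer_cert` are standard PHP SSL context options. Run it as the same user the web server runs PHP as, so it sees the same `openssl.cafile` and file permissions.

```php
<?php
// Added example, not SquirrelMail or PHP project code. It feeds the same
// 'ssl' option names that $imap_stream_options uses into a PHP stream
// context and reports what the TLS layer actually complains about.
// Host, port and cafile values below are the ones from this thread; the
// function names are this example's own.

/**
 * Open a TLS connection to the IMAP port with peer verification kept ON,
 * collecting every PHP warning the stream layer raises instead of letting
 * the first (and most informative) one scroll past.
 *
 * $peerName lets you connect to 127.0.0.1/localhost while verifying the
 * certificate against the hostname it was really issued for, which is the
 * supported alternative to 'verify_peer' => false for the CN-mismatch case.
 */
function imap_tls_probe(string $host, int $port, string $cafile, $peerName = null): array
{
    $ssl = [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'cafile'            => $cafile,
        'verify_depth'      => 3,
        'capture_peer_cert' => true,   // keep the server cert for inspection
    ];
    if ($peerName !== null) {
        $ssl['peer_name'] = $peerName;
    }
    $ctx = stream_context_create(['ssl' => $ssl]);

    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
        $warnings[] = $msg;   // e.g. "Peer certificate CN=`x' did not match expected CN=`y'"
        return true;
    });
    $errno = 0;
    $errstr = '';
    $sock = stream_socket_client("tls://$host:$port", $errno, $errstr, 15,
                                 STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();

    $result = ['connected' => $sock !== false, 'errno' => $errno,
               'errstr' => $errstr, 'warnings' => $warnings];
    if ($sock !== false) {
        $opts = stream_context_get_options($ctx);
        $cert = $opts['ssl']['peer_certificate'] ?? null;
        if ($cert !== null) {
            $parsed = openssl_x509_parse($cert);
            $result['peer_certificate'] = $cert;
            $result['subject_cn']  = $parsed['subject']['CN'] ?? '';
            $result['issuer_cn']   = $parsed['issuer']['CN'] ?? '';
            $result['self_signed'] = ($parsed['subject'] === $parsed['issuer']);
        }
        fclose($sock);
    }
    return $result;
}

/**
 * Answer "is that file really the CA?" at the name level: the cert in
 * $cafile must carry, as its subject, the issuer name of the server cert.
 * For a genuinely self-signed server cert subject == issuer, so the cert
 * file can double as the cafile; if the cert was signed by a separate CA
 * key, the CA's own cert has to be in cafile instead.
 */
function cafile_names_issuer(string $cafile, $serverCert): array
{
    $ca  = openssl_x509_parse((string) file_get_contents($cafile));
    $srv = openssl_x509_parse($serverCert);
    if ($ca === false || $srv === false) {
        return ['parsed' => false];
    }
    return [
        'parsed'        => true,
        'ca_subject'    => $ca['name'],
        'server_issuer' => $srv['issuer'],
        'ca_is_issuer'  => ($srv['issuer'] === $ca['subject']),
    ];
}

// Usage: the same three values the thread's config_local.php uses.
$probe = imap_tls_probe('uranus.sai.msu.ru', 993, '/etc/postfix/smtpd.cert');
print_r($probe);

// Reaching the IMAP server as localhost without disabling verification.
$local = imap_tls_probe('127.0.0.1', 993, '/etc/postfix/smtpd.cert', 'uranus.sai.msu.ru');
print_r($local);

// Name-level CA check against the certificate Dovecot actually presented.
if (!empty($probe['peer_certificate'])) {
    print_r(cafile_names_issuer('/etc/postfix/smtpd.cert', $probe['peer_certificate']));
}
```

Unlike piping `fsockopen()` into `php -a` (which prints nothing about the result either way), this keeps verification enabled and shows the warning text, so a CN mismatch and an unknown CA look different. If the probe connects but SquirrelMail still logs "unknown ca", the `$imap_stream_options` array is not reaching the code path that opens the IMAP socket, which is Paul's second question; if the probe itself fails and `ca_is_issuer` is false, the file in `cafile` is not the signer of the certificate the server presents. Note also that Dovecot's `ssl_ca` is only consulted for verifying client certificates, so it has no bearing on what the webmail client needs to trust; the chain the client must verify is whatever is in `ssl_cert`.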
Re: [SOLVED sort of] was Re: svn 14501 - TLS

igor_123
Paul, thanks for your answer.

Paul Lesniewski wrote
>> B.  Update SMTP Settings   : localhost:25
>
> Port 25?

Yes. As you say, smtp settings are irrelevant to imap tls ones. Also, I see no problem with this port. In my smtp setup, tls is used for communications of a client with smtpd.

Paul Lesniewski wrote
>> ...
>> Printing out the contents of smtpd.cert confirms that CN=uranus.sai.msu.ru
>
> But is the CA available (to SM) and known?

How do I check the availability of CA to SM? Known to whom? As I said, my certificate/key pair is self-signed and simple (without chains). The cert file is smtpd.cert, the key is smtpd.key.

Paul Lesniewski wrote
>> Adding these lines to squirrelmail's config_local.php
>>
>> $imap_stream_options = array(
>>      'ssl' => array(
>>          'cafile' => '/etc/postfix/smtpd.cert',
>
> That does not look like a CA cert path to me.

Yes, the path is non-standard, this is a testing environment. Still, it should not be a problem since the path is provided in dovecot config.

Paul Lesniewski wrote
>>          'verify_peer' => false,
>>          'verify_depth' => 1,
>>      ),
>> );
>>
>> does not change anything.
>
> Did you verify if those are being used in the code?

No. I assumed that if including these lines was your recommendation to David, SM should use them.

Paul Lesniewski wrote
> The solution might
> be as simple as using a 1.4.23-SVN snapshot from our downloads page.
> I'd try that before anything else.

I will. Although, honestly, I would prefer to use the SM package from the official repository. I have to implement it on several servers and managing all of them manually is too much trouble...

Thanks again for your comments,
Igor

Re: [SOLVED sort of] was Re: svn 14501 - TLS

Paul Lesniewski


On 2016-12-18 23:59, igor_123 wrote:

> Paul, thanks for your answer.
>
>
> Paul Lesniewski wrote
>>> B.  Update SMTP Settings   : localhost:25
>>
>> Port 25?
>
> Yes. As you say, smtp settings are irrelevant to imap tls ones. Also, I see
> no problem with this port. In my smtp setup, tls is used for communications
> of a client with smtpd.

It's OT, but it's not usually a good idea to mix inbound untrusted
traffic with outbound trusted.  Among other things, it makes applying
good policies more difficult/convoluted.

>> ...
>>> Printing out the contents of smtpd.cert confirms that
>>> CN=uranus.sai.msu.ru
>>
>> But is the CA available (to SM) and known?
>
> How do I check the availability of CA to SM? Known to whom? As I said, my
> certificate/key pair is self-signed and simple (without chains). The cert
> file is smtpd.cert, the key is smtpd.key.

Even though it's self-signed, it's still signed.  The CA is whatever you
signed it with, however I think if you set verify_peer you should be
turning that verification off.

>>> Adding these lines to squirrelmail's config_local.php
>>>
>>> $imap_stream_options = array(
>>>      'ssl' => array(
>>>          'cafile' => '/etc/postfix/smtpd.cert',
>>
>> That does not look like a CA cert path to me.
>
> Yes, the path is non-standard, this is a testing environment. Still, it should
> not be a problem since the path is provided in dovecot config.

No, the point is that that cert may not be your CA.

> Paul Lesniewski wrote
>>>          'verify_peer' => false,
>>>          'verify_depth' => 1,
>>>      ),
>>> );
>>>
>>> does not change anything.
>>
>> Did you verify if those are being used in the code?
>
> No. I assumed that if including these lines was your recommendation to
> David, SM should use them.

You can only make such assumptions if you're running the newest version
of SM from our website.  I don't know what patches RedHat is putting in
their packages of SM.  At a minimum, test it with the latest SM code,
and if that works, then you know where the problem is.

> Paul Lesniewski wrote
>>   The solution might
>> be as simple as using a 1.4.23-SVN snapshot from our downloads page.
>> I'd try that before anything else.
>
> I will. Although, honestly, I would prefer to use the SM package from the
> official repository. I have to implement it on several servers and managing
> all of them manually is too much trouble...

Then you should take your query to the package maintainer; we can't help
you with other people's repackaging/old versions.

--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
