On 06/12/2015 07:02 PM, David C. Rankin wrote: > Paul, > > After 1.5.2 update to svn 14501, I can no longer log in to squirrelmail. I > have used the same squirrelmail setup for at least the last 6-8 years. The <snip> > All operation through Thunderbird (sending/receiving) works fine with the new > certificates, so the server isn't the issue -- it's squirrelmail. Attempted > login via squirrelmail still fails: > > Jun 12 18:32:06 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts > in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: > error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert > number 48, session=<rM0jhFoYnAAAAAAAAAAAAAAAAAAAAAAB> > > Strange? The error has changed from: > > TLS handshaking: SSL_accept() failed: error:14094415:SSL > routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert number 45 > > to > > TLS handshaking: SSL_accept() failed: error:14094418:SSL > routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48 > > So something in squirrelmail isn't handling the TLS handshaking: SSL_accept() > quite like it used to. > Paul, I have a second site that is still at 1.5.2 svn rev 14405 that continues to work (same Archlinux setup - not quite as current). Looking at the log entries for a successful login with rev 14405, I see: Jun 12 23:41:07 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN, rip=::1, lip=::1, mpid=1359, TLS, session=<yo9G1V4YvQAAAAAAAAAAAAAAAAAAAAAB> Jun 12 23:41:07 nirvana dovecot: imap(david): Disconnected: Logged out in=60 out=783 Jun 12 23:41:08 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN, rip=::1, lip=::1, mpid=1361, TLS, session=<NtpO1V4YvgAAAAAAAAAAAAAAAAAAAAAB> Jun 12 23:41:08 nirvana dovecot: imap(david): Disconnected: Logged out in=126 out=3025 Jun 12 23:41:08 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN, rip=::1, lip=::1, mpid=1363, TLS, session=<qn9U1V4YvwAAAAAAAAAAAAAAAAAAAAAB> Jun 12 23:41:09 nirvana dovecot: imap(david): Disconnected: Logged out in=340 out=24924 Comparing the failing login with rev 14501 and the working login with rev 14405, the immediate difference is the use of 'user=<david>, method=PLAIN' instead of the 'user=<>, rip=::1, lip=::1, TLS handshaking' I'm not sure what in squirrelmail controls what method the server uses, but this seems to be the immediate cause behind the failed login with rev 14501. On the updated site, a successful dovecot login from thunderbird looks like the following: Jun 12 20:05:01 phoinix dovecot[469]: imap-login: Login: user=<david>, method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2609, TLS, session=<wLVq0FsYMwDAqAcQ> Jun 12 20:05:01 phoinix dovecot[469]: imap(david): Disconnected: Logged out in=39 out=751 Jun 12 20:05:03 phoinix dovecot[469]: imap-login: Login: user=<david>, method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2615, TLS, session=<ewaM0FsYNADAqAcQ> Jun 12 20:05:03 phoinix dovecot[469]: imap(david): Disconnected: Logged out in=41 out=719 In both instances (successful login on old rev 14405) and login through thunderbird on the updated server, since all services (postfix, dovecot, etc.) are all running on the local machine, the login with method=PLAIN, works fine, but whatever/however rev 14501 is attempting the login -- it is failing. Let me know how else I can help, what additional tests you need to see, etc... and I'll be happy to run them for you and submit the results. Thanks. -- David C. Rankin, J.D.,P.E. ------------------------------------------------------------------------------ ----- squirrelmail-users mailing list Posting guidelines: http://squirrelmail.org/postingguidelines List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx List archives: http://news.gmane.org/gmane.mail.squirrelmail.user List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users