Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

On 06/13/2015 12:11 AM, David C. Rankin wrote:
> On 06/12/2015 07:02 PM, David C. Rankin wrote:
>> Paul,
>>
>>      After 1.5.2 update to svn 14501, I can no longer log in to squirrelmail. I
>> have used the same squirrelmail setup for at least the last 6-8 years. The
>
> <snip>
>
>>      All operation through Thunderbird (sending/receiving) works fine with the new
>> certificates, so the server isn't the issue -- it's squirrelmail. Attempted
>> login via squirrelmail still fails:
>>
>> Jun 12 18:32:06 phoinix dovecot[469]: imap-login: Disconnected (no auth attempts
>> in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed:
>> error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert
>> number 48, session=<rM0jhFoYnAAAAAAAAAAAAAAAAAAAAAAB>
>>
>>      Strange? The error has changed from:
>>
>> TLS handshaking: SSL_accept() failed: error:14094415:SSL
>> routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert number 45
>>
>>      to
>>
>> TLS handshaking: SSL_accept() failed: error:14094418:SSL
>> routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48
>>
>>      So something in squirrelmail isn't handling the TLS handshaking: SSL_accept()
>> quite like it used to.
>>
>
> Paul,
>
>     I have a second site that is still at 1.5.2 svn rev 14405 that continues to
> work (same Archlinux setup - not quite as current). Looking at the log entries
> for a successful login with rev 14405, I see:
>
> Jun 12 23:41:07 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN,
> rip=::1, lip=::1, mpid=1359, TLS, session=<yo9G1V4YvQAAAAAAAAAAAAAAAAAAAAAB>
> Jun 12 23:41:07 nirvana dovecot: imap(david): Disconnected: Logged out in=60 out=783
> Jun 12 23:41:08 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN,
> rip=::1, lip=::1, mpid=1361, TLS, session=<NtpO1V4YvgAAAAAAAAAAAAAAAAAAAAAB>
> Jun 12 23:41:08 nirvana dovecot: imap(david): Disconnected: Logged out in=126
> out=3025
> Jun 12 23:41:08 nirvana dovecot: imap-login: Login: user=<david>, method=PLAIN,
> rip=::1, lip=::1, mpid=1363, TLS, session=<qn9U1V4YvwAAAAAAAAAAAAAAAAAAAAAB>
> Jun 12 23:41:09 nirvana dovecot: imap(david): Disconnected: Logged out in=340
> out=24924
>
>     Comparing the failing login with rev 14501 and the working login with rev
> 14405, the immediate difference is the use of
>
>     'user=<david>, method=PLAIN'
>
> instead of the
>
>     'user=<>, rip=::1, lip=::1, TLS handshaking'
>
>     I'm not sure what in squirrelmail controls what method the server uses, but
> this seems to be the immediate cause behind the failed login with rev 14501.
>
>     On the updated site, a successful dovecot login from thunderbird looks like
> the following:
>
> Jun 12 20:05:01 phoinix dovecot[469]: imap-login: Login: user=<david>,
> method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2609, TLS,
> session=<wLVq0FsYMwDAqAcQ>
> Jun 12 20:05:01 phoinix dovecot[469]: imap(david): Disconnected: Logged out
> in=39 out=751
> Jun 12 20:05:03 phoinix dovecot[469]: imap-login: Login: user=<david>,
> method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2615, TLS,
> session=<ewaM0FsYNADAqAcQ>
> Jun 12 20:05:03 phoinix dovecot[469]: imap(david): Disconnected: Logged out
> in=41 out=719
>
>     In both instances (successful login on old rev 14405) and login through
> thunderbird on the updated server, since all services (postfix, dovecot, etc.)
> are all running on the local machine, the login with method=PLAIN, works fine,
> but whatever/however rev 14501 is attempting the login -- it is failing.
>
>     Let me know how else I can help, what additional tests you need to see,
> etc... and I'll be happy to run them for you and submit the results.
>
>     Thanks.
>

Paul,

   This is now looking more like a problem squirrelmail is having with Postfix 
3. All the installs I have, up to and including Postfix 2.9 work. However this 
latest Archlinux box has Postfix 3.

   Specifically, the server on which I have 14405 has:

postfix 2.9.3-3

   The server with 14501 that is failing has:

postfix 3.0.1-1

   This can be seen with configtest.php results. All checks succeed until the 
'Checking IMAP server' test which fails at line 740 of configtest.php:

/** Can we open a connection? */
$stream = fsockopen( ($use_imap_tls==1?'tls://':'').$imapServerAddress, $imapPort,
         $errorNumber, $errorString);

Which I've compared with the test in rev 14405 and they are the same, so it 
isn't the test that is causing the failure, but rather something internal to 
squirrelmail handling Postfix 3.0/dovecot. Here is the full configtest output:

SquirrelMail configtest

This script will try to check some aspects of your SquirrelMail configuration 
and point you to errors whereever it can find them. You need to go run conf.pl 
in the config/ directory first before you run this script.

SquirrelMail version:	1.5.2 [SVN]
Config file version:	1.5.0
Config file last modified:	13 June 2015 23:31:25

Checking PHP configuration...
     PHP version 5.6.9 OK. (You have: 5.6.9. Minimum: 4.1.0)
     Running as N/A(N/A) / N/A(N/A)
     display_errors: (overridden with 1 for this page only)
     error_reporting: 22527 (overridden with 32767 for this page only)
     variables_order OK: GPCS.
     PHP extensions OK. Dynamic loading is disabled.

     WARNING: You have configured PHP not to allow short tags 
(short_open_tag=off). This shouldn't be a problem with SquirrelMail or any 
plugin coded coded according to the SquirrelMail Coding Guidelines, but if you 
experience problems with PHP code being displayed in some of the pages and 
changing setting to "on" solves the problem, please file a bug report against 
the failing plugin. The correct contact information is most likely to be found 
in the plugin documentation.
Checking paths...
     Data dir OK.
     Attachment dir OK.
Checking plugins...
     Plugin versions...
         squirrelspell 0.5
         calendar ??
     Plugins OK.
     Themes OK.
     Default language OK.
     Base URL detected as: http://www.*******.com:443/squirrelmail/src (location 
base autodetected)
Checking outgoing mail service....
     SMTP server OK (220 myhost.*******.com ESMTP Postfix)
Checking IMAP service....
Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: 
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify 
failed in /srv/http/htdocs/squirrelmail/src/configtest.php on line 740 Warning: 
fsockopen(): Failed to enable crypto in 
/srv/http/htdocs/squirrelmail/src/configtest.php on line 740 Warning: 
fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in 
/srv/http/htdocs/squirrelmail/src/configtest.php on line 740

     FATAL ERROR: Error connecting to IMAP server "localhost:993".Server error: (0)

   I tarred and moved the working rev 14405 to the new server (checked diff 
between the config.php files and they were the same for all practical purposes). 
Updated the config for the site and ran configtest.php. Exact same error (except 
the line number is 739 on rev 14405):

Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: 
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify 
failed in /srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739 
Warning: fsockopen(): Failed to enable crypto in 
/srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739 Warning: 
fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in 
/srv/http/htdocs/squirrelmail_440/src/configtest.php on line 739

   What does this tell us? It tells us the problem is a change to either the 
imap server, TLS or PHP that squirrelmail isn't handling properly. That's the 
only thing that makes sense. If it were a change in squirrelmail, then moving 
14405 over to the new server would have produced a working install. Instead 
14405 experiences the same failure that 14501 does. That points directly to an 
update most likely in postfix (2x -> 3x) causing the issue.

   In summary the working install has

postfix 2.9.3-3
dovecot 2.1.8-2

   The failures are occurring with:

postfix 3.0.1-1
dovecot 2.2.18-1

   Between the two, the most significant API changes that are likely at issue 
are those in the move from postfix 2.9.3-3 ->  postfix 3.0.1-1.

   Let me know if I can send anything else.

-- 
David C. Rankin, J.D.,P.E.
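
Added example (not part of the original message and not SquirrelMail, dovecot or PHP code): a Python sketch that decodes the OpenSSL error codes quoted in the logs above to show which side aborted the handshake. It assumes the OpenSSL 1.0.x packing (8-bit library, 12-bit function, 12-bit reason, with 1000 added to a received alert number); the function names, the sample lines and the placeholder path are constructed for illustration.

```python
import re

# Reason codes for the three errors quoted in the thread; others report as "unlisted".
REASONS = {134: "certificate verify failed",
           1045: "alert certificate expired",
           1048: "alert unknown ca"}
ALERT_OFFSET = 1000  # OpenSSL 1.0.x: reason = 1000 + TLS alert number received from the peer

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):")
RIP_RE = re.compile(r"\brip=([^,\s]+)")

def decode_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into lib / func / reason (assumed layout)."""
    value = int(code_hex, 16)
    return {"lib": value >> 24, "func": (value >> 12) & 0xFFF, "reason": value & 0xFFF}

def triage(line):
    """Describe the TLS failure on a log line, or return None if it carries no SSL error."""
    m = ERR_RE.search(line)
    if not m:
        return None
    reason = decode_error(m.group(1))["reason"]
    got_alert = reason >= ALERT_OFFSET
    rip = RIP_RE.search(line)
    return {
        "code": m.group(1),
        "routine": m.group(2),
        "reason": REASONS.get(reason, "unlisted"),
        "alert_number": reason - ALERT_OFFSET if got_alert else None,
        # A received alert means the remote end gave up; otherwise the logging side did.
        "rejected_by": "peer" if got_alert else "local",
        "rip": rip.group(1) if rip else None,
    }

# Constructed sample lines modelled on the log formats quoted in the thread.
SAMPLE = [
    "Jun 12 18:32:06 mailhost dovecot[469]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<CONSTRUCTED1>",
    "Jun 12 18:30:00 mailhost dovecot[469]: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=::1, lip=::1, TLS handshaking: SSL_accept() failed: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired: SSL alert number 45, session=<CONSTRUCTED2>",
    "Jun 12 20:05:01 mailhost dovecot[469]: imap-login: Login: user=<david>, method=PLAIN, rip=192.168.7.16, lip=192.168.7.16, mpid=2609, TLS, session=<CONSTRUCTED3>",
    "Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /PLACEHOLDER/configtest.php on line 740",
]

def run(lines=SAMPLE):
    """Triage every line and keep only those that carry an SSL error."""
    return [r for r in map(triage, lines) if r]

if __name__ == "__main__":
    for result in run():
        print(result)
```

On the dovecot lines the result is `rejected_by: peer`, meaning dovecot is logging an alert sent by the connecting client, while the PHP warning decodes to a local verification failure of the certificate the server presented.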
