Re: [SOLVED sort of] was Re: svn 14501 - TLS handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert number 48

On 06/14/2015 11:53 PM, David C. Rankin wrote:
>     Paul, after you look into this, if this was the sole cause, you may want to
> drop an Install/Upgrade note regarding php 5.6 and the change required in server
> settings.
>
> (even better, it may be worth adding a check in the squirrelmail code that if
> server setting is listed as 'localhost', make a php call to obtain the server
> hostname/domain to compare against the Peer reported name before a CN mismatch
> is declared -- or something similar -- may fix it)


   If you do look at this, it looks like a possible fix for php 5.6+ needs to be 
prior to line 725 in functions/imap_general.php:

in function sqimap_create_stream:

   $imap_stream = @fsockopen($server, $port, $error_number, $error_string, 15);


   The problem in my case appears to be that if 'localhost' is specified as the 
imap server in config.php (as it has been for the past 5-10 years), passing 
'localhost' as $server to fsockopen now causes the IMAP stream open failure 
(presumably due to the new default of verify_peer=true). It seems like a 
functional check of something like the following could help:

if ($server === 'localhost') {
   // Resolve the machine's own name so that the name handed to fsockopen() can
   // match the certificate CN: gethostname() (PHP 5.3+) returns the host name,
   // and the gethostbyname()/gethostbyaddr() round trip expands it to the FQDN
   // (host.domain.tld) where reverse DNS is set up for it.
   $servername = gethostbyaddr(gethostbyname(gethostname()));
   $imap_stream = @fsockopen($servername, $port, $error_number, $error_string, 15);
} else {
   $imap_stream = @fsockopen($server, $port, $error_number, $error_string, 15);
}

   It is trickier if the CN wasn't generated with the suggested '*.domain.tld' 
format, but rather 'host.domain.tld'. In that case there would be no way of knowing 
if the 'host' part of 'host.domain.tld' returned by the 'hostname' equivalent 
would match the name used as the CN in certificate generation.

   However, just adding the 'localhost' check and 'host.domain.tld' substitution 
would work for every case where CN is specified in the recommended 
'*.domain.tld' format. (I haven't looked at the code to see why smtp is not 
affected, but it is fine)

   Another option (less desirable, but effective) would be to add a check to 
config/conf.pl to check if ssl/tls, or port 993, etc... had been specified along 
with 'localhost' as the hostname. In that case conf.pl could warn that the IMAP 
hostname must match the mail certificate CN for authentication to succeed with 
php 5.6+.

   Keep fighting the good fight!

-- 
David C. Rankin, J.D.,P.E.
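The 'localhost' case discussed above, as an added example that is not SquirrelMail's code: rather than swapping the configured host for the machine's FQDN, the PHP 5.6 ssl context option peer_name tells the stream wrapper which name to check the certificate against, so verification stays on while the socket still connects to localhost. Assumed names: mail.example.com as the name on the server certificate, /etc/ssl/certs/ca.pem as the CA bundle, and the hypothetical helper sqimap_open_verified().

```php
<?php
// Added example (not SquirrelMail code): open an IMAPS stream to a server
// configured as 'localhost' without turning peer verification off.
// Assumptions: 'mail.example.com' is the certificate name (a wildcard CN such
// as '*.domain.tld' also matches), '/etc/ssl/certs/ca.pem' is the CA bundle.

function sqimap_open_verified($server, $port, $cert_name, $cafile, $timeout = 15)
{
    $options = array(
        'ssl' => array(
            'verify_peer'       => true,   // PHP 5.6 default; keep it on
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'cafile'            => $cafile,
            // Name checked against the certificate CN/SAN and sent as SNI,
            // independent of the address actually connected to (PHP >= 5.6).
            'peer_name'         => $cert_name,
        ),
    );
    $context = stream_context_create($options);

    $stream = @stream_socket_client(
        "ssl://$server:$port",
        $error_number,
        $error_string,
        $timeout,
        STREAM_CLIENT_CONNECT,
        $context
    );
    if ($stream === false) {
        // A CN/SAN mismatch surfaces here as a peer verification error
        // (the "unknown ca" / name mismatch alerts), not as an IMAP failure.
        throw new RuntimeException(
            "IMAP connect failed ($error_number): $error_string");
    }
    return $stream;
}

// Usage: 'localhost' stays in config.php; only the certificate name is added.
$imap_stream = sqimap_open_verified('localhost', 993, 'mail.example.com',
                                    '/etc/ssl/certs/ca.pem');
echo fgets($imap_stream);   // server greeting, e.g. "* OK ... ready"
fclose($imap_stream);
```

Disabling verify_peer or verify_peer_name would also make the error go away, but it removes the check that the mismatch is warning about; peer_name fixes the name without weakening the check.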

------------------------------------------------------------------------------
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
