On 6/14/15, David C. Rankin <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
> On 06/14/2015 08:00 PM, David C. Rankin wrote:
>> On 06/14/2015 07:05 PM, David C. Rankin wrote:
>>> Checking outgoing mail service....
>>> SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
>>>
>>> I think you have nailed the issue as a 'ca' problem which makes sense with
>>> the error: 'tlsv1 alert unknown ca: SSL alert number 48'. Let me know when you
>>> have a chance to look into this. I'm happy to do the digging.
>>
>> I think I have made progress. It looks like the problem is with the way
>> squirrelmail handles the certificate check. I made several changes and now
>> configtest.php gives the following error:
>>
>> Warning: fsockopen(): Peer certificate CN=`*.rlfpllc.com' did not match expected CN=`localhost' in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>> Warning: fsockopen(): Failed to enable crypto in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>> Warning: fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
>>
>> Seeing the CN mismatch, I set config_local.php with 'verify_peer' => false:
>>
>> $imap_stream_options = array(
>>     'ssl' => array(
>>         'cafile' => '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
>>         'verify_peer' => false,
>>         'verify_depth' => 3,
>>     ),
>> );
>>
>> However, that made no difference. (*Note:* with php 5.6+ the default for
>> verify_peer is now 'true' -- I don't know if that prevents override in
>> config_local.php) Let me know when you have some time and I'm glad to help.
>>
>
> For whatever reason, and for reasons I cannot explain, squirrelmail can no
> longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl) when

SquirrelMail accepts any hostname it is given. It's not a matter of what
SquirrelMail can and cannot accept.
It's purely a configuration mismatch with your PHP and Dovecot SSL settings
and the certificates you are using (and their CA). There is no SquirrelMail
"fix" for this. If verify_peer is enabled, then you need to have your ducks
in a row in terms of the things you've been seeing: CA needs to be known, CN
needs to match, etc.

-- 
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
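
The name check behind the "did not match expected CN" warning can be reproduced outside SquirrelMail. The PHP below is an added example, not code from this thread or from SquirrelMail: the function names are hypothetical, the sample certificate is constructed from the CN in the quoted warning, and the matching follows RFC 6125 wildcard rules, which may differ in detail from PHP's internal matcher.

```php
<?php
// Added diagnostic sketch, not SquirrelMail code; function names are hypothetical.

// RFC 6125-style comparison (assumed policy): "*" may only replace the whole
// leftmost label, so "*.rlfpllc.com" never covers a dotless name like "localhost".
function name_matches(string $host, string $pattern): bool
{
    $host = strtolower(rtrim($host, '.'));
    $pattern = strtolower(rtrim($pattern, '.'));
    if (strpos($pattern, '*') === false) return $host === $pattern;
    if (strncmp($pattern, '*.', 2) !== 0 || substr_count($pattern, '*') > 1) return false;
    $dot = strpos($host, '.');
    return $dot !== false && $dot > 0 && substr($host, $dot) === substr($pattern, 1);
}

// DNS names a parsed certificate (openssl_x509_parse() output) is valid for.
function cert_names(array $parsed): array
{
    $names = [];
    foreach (explode(',', $parsed['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (stripos($entry, 'DNS:') === 0) $names[] = substr($entry, 4);
    }
    // Assumed policy: the subject CN counts only when there are no DNS SANs.
    return $names ?: (array) ($parsed['subject']['CN'] ?? []);
}

// Fetch the server certificate for inspection only; verification is switched
// off for this one probe so that a failing certificate can still be read.
function fetch_cert(string $host, int $port): ?array
{
    $ctx = stream_context_create(['ssl' => ['capture_peer_cert' => true,
        'verify_peer' => false, 'verify_peer_name' => false]]);
    $s = @stream_socket_client("tls://$host:$port", $errno, $errstr, 5,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($s === false) return null;
    $cert = stream_context_get_params($s)['options']['ssl']['peer_certificate'];
    fclose($s);
    return openssl_x509_parse($cert) ?: null;
}

// Constructed sample: only the CN quoted in the fsockopen() warning.
$cert = ['subject' => ['CN' => '*.rlfpllc.com']];   // live: fetch_cert('localhost', 993)
foreach (['localhost', 'phoinix.rlfpllc.com'] as $host) {
    $ok = (bool) array_filter(cert_names($cert), fn($n) => name_matches($host, $n));
    printf("%-20s %s\n", $host, $ok ? 'matches' : 'does not match');
}
```

A server address that the certificate's names cover lets the name check pass with verify_peer left enabled; the CA still has to be present in the configured cafile.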