Re: [SOLVED sort of] was Re: svn 14501 - TLS

Forwarded message:
> Date: Tue, 16 Jun 2015 15:20:35 -0700
> From: Paul Lesniewski <paul@xxxxxxxxxxxxxxxx>
> To: Squirrelmail User Support Mailing List
> 	<squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx>
> Subject: Re:  [SOLVED sort of] was Re: svn 14501 - TLS
>  handshaking: SSL_accept() failed: error: ... alert unknown ca: SSL alert
>  number 48
> 
> On 6/14/15, David C. Rankin <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
> > On 06/14/2015 08:00 PM, David C. Rankin wrote:
> >> On 06/14/2015 07:05 PM, David C. Rankin wrote:
> >>> Checking outgoing mail service....
> >>>        SMTP server OK (220 phoinix.rlfpllc.com ESMTP Postfix)
> >>>
> >>>      I think you have nailed the issue as a 'ca' problem which makes
> >>> sense with the error: 'tlsv1 alert unknown ca: SSL alert number 48'.
> >>> Let me know when you have a chance to look into this. I'm happy to do
> >>> the digging.
> >>
> >> I think I have made progress. It looks like the problem is with the way
> >> squirrelmail handles the certificate check. I made several changes and
> >> now configtest.php gives the following error:
> >>
> >> Warning: fsockopen(): Peer certificate CN=`*.rlfpllc.com' did not match
> >> expected CN=`localhost' in /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> >> Warning: fsockopen(): Failed to enable crypto in
> >> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> >> Warning: fsockopen(): unable to connect to tls://localhost:993 (Unknown error) in
> >> /srv/http/htdocs/squirrelmail_501/src/configtest.php on line 740
> >>
> >> Seeing the CN mismatch, I set config_local.php with 'verify_peer' =>
> >> false:
> >>
> >> $imap_stream_options = array(
> >>       'ssl' => array(
> >>           'cafile' => '/etc/ca-certificates/extracted/tls-ca-bundle.pem',
> >>           'verify_peer' => false,
> >>           'verify_depth' => 3,
> >>       ),
> >> );
> >>
> >> However, that made no difference. (*Note:* with php 5.6+ the default for
> >> verify_peer is now 'true' -- I don't know if that prevents override in
> >> config_local.php) Let me know when you have some time and I'm glad to
> >> help.
> >>
> >
> >    For whatever reason, and for reasons I cannot explain, squirrelmail can
> > no longer accept 'localhost' under 'Server Settings' (#2 in ./conf.pl) when
> 
> SquirrelMail accepts any hostname it is given.  It's not a matter of
> what SquirrelMail can and cannot accept.  It's purely a configuration
> mismatch with your PHP and Dovecot SSL settings and the certificates
> you are using (and their CA).  There is no SquirrelMail "fix" for
> this.  If verify_peer is enabled, then you need to have your ducks in
> a row in terms of the things you've been seeing: CA needs to be known,
> CN needs to match, etc.

First of all, why is it only squirrelmail that is confused? In our case
there are two hosts involved in this, not just the localhost, so how is
squirrelmail going to verify beyond the normal ssl process? How would it
be able to see a CA file that is not on the host it is running on?

Another missed concept is the practice of using DNS CNAME aliases for a
host, like mail.domain.com, so that things are not hardcoded all over
the place and you can move functionality around without going to n
places to change hardcoding. In that case the host provided is not in the
ssl cert.

> 
> 
> -- 
> Paul Lesniewski
> SquirrelMail Team
> Please support Open Source Software by donating to SquirrelMail!
> http://squirrelmail.org/donate_paul_lesniewski.php
> 
> ------------------------------------------------------------------------------
> squirrelmail-users mailing list
> Posting guidelines: http://squirrelmail.org/postingguidelines
> List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
> List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
> List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
> 

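Added example, not code from the thread or from the SquirrelMail project: the two checks Paul lists (CA known, name matches) carried out in PHP with verification left on. The server is dialled as localhost (or a CNAME alias such as mail.domain.com) while the certificate carries a different name, so instead of 'verify_peer' => false the context names the certificate's own hostname via 'peer_name'; the expected name 'mail.example.com', port 993 and the reuse of the thread's CA bundle path are assumptions.

```php
<?php
// Added example, not SquirrelMail code. Opens an IMAP TLS connection with
// certificate verification ON and tells PHP which name to expect in the
// certificate. Hostnames are assumed values; the CA path is from the thread.

// Same option shape as SquirrelMail's $imap_stream_options['ssl'].
function imap_tls_context(string $expected_name, string $cafile)
{
    return stream_context_create([
        'ssl' => [
            'cafile'            => $cafile,         // CA that issued the cert
            'verify_peer'       => true,            // chain must lead to that CA
            'verify_peer_name'  => true,            // CN/SAN must match peer_name
            'peer_name'         => $expected_name,  // name the cert really has
            'verify_depth'      => 3,
            'capture_peer_cert' => true,            // keep the cert for reporting
        ],
    ]);
}

// fsockopen() takes no context argument, so use stream_socket_client().
function imap_tls_connect(string $dial_host, int $port, $ctx): array
{
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("tls://$dial_host:$port", $errno, $errstr,
                                10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // "certificate verify failed"  -> CA not in cafile
        // "did not match expected CN"  -> name mismatch (peer_name wrong)
        throw new RuntimeException("tls://$dial_host:$port failed: $errstr");
    }
    // Report which name was actually verified, from the captured certificate.
    $opts = stream_context_get_options($fp);
    $cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
    fclose($fp);
    return [
        'subject_cn' => $cert['subject']['CN'] ?? '',
        'san'        => $cert['extensions']['subjectAltName'] ?? '',
    ];
}

// Dial the local/alias name, but verify against the name the cert carries.
$cafile = '/etc/ca-certificates/extracted/tls-ca-bundle.pem';
$ctx  = imap_tls_context('mail.example.com', $cafile);   // assumed cert name
$info = imap_tls_connect('localhost', 993, $ctx);
printf("verified: CN=%s SAN=%s\n", $info['subject_cn'], $info['san']);
```

With a wildcard certificate like the thread's CN=*.rlfpllc.com, peer_name has to be a hostname under that domain; the CA bundle must be present on the host where PHP runs, since that is where the chain is checked.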