On 26/12/2015 22:52, Paul Lesniewski wrote:
> On 12/14/15, Julien Métairie <ruliane@xxxxxxxxxxx> wrote:
>> Hi list,
>>
>> I am trying to upgrade my server running Squirrelmail from Debian Wheezy
>> to Jessie.
>>
>> IMAP server is Courier-ssl using a self-signed certificate.
>>
>> Also note that Squirrelmail connects to 192.168.xx.xx, while the
>> certificate is (auto-)issued to mail.mydomain.com.
>>
>> After upgrading, configtest.php complains that it couldn't connect to
>> IMAP server because of a "Server error: (0)".
>>
>> The following is logged on the web server running Squirrelmail:
>>
>> PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL
>> Error message:\nerror:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in
>> /usr/share/squirrelmail/src/configtest.php on line 431.
>>
>> And on the IMAP mail server:
>>
>> couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca
>>
>> As far as I understand, PHP 5.6 enforces certificate checking. SM allows
>> tweaking this checks with $imap_stream_options, but I can't manage to
>> use it. For testing purpose, I added the following to
>> /etc/squirrelmail/config_local.php :
>>
>> $imap_stream_options = array(
>>
>> 'ssl' => array(
>>
>> 'verify_peer' => false,
>>
>> ),
>>
>> );
>>
>> But there is no change with or without this option. I also tried to turn
>> 'allow_self_signed' on, without success.
>
> You might insert something like this:
>
> sm_print_r('STREAM OPTIONS:', $stream_options);
>
> Around line 763 of functions/imap_general.php
>
> Make sure your settings are being used.
>
> Otherwise, it sounds a little to me like your PHP installation isn't
> functioning properly. Check here for the available options:
>
> http://php.net/manual/en/context.ssl.php
>
>> Squirrelmail 1.4.23, PHP version 5.6.14-0+deb8u1, Courier 4.15-1.6, all
>> software are installed from Debian repository.
>>
>> I went through this thread [1] but didn't understood any final solution.
>>
>> What did I miss ?
>>
>> Regards,
>>
>> Julien
>>
>> [1]
>> http://squirrelmail.5843.n7.nabble.com/svn-14501-TLS-handshaking-SSL-accept-failed-error-alert-unknown-ca-SSL-alert-number-48-td26087.html
I had the same problem and I have created a patch (090_ssl.dpatch) for
squirrelmail v1.5.1. If you don't use self-signed certificate on Cyrus,
then you don't need allow_self_signed=true.
I also attach few other patches (which perhaps are already this way or
another present in upstream):
080_global.php_session.dpatch: Fixes PHP warning about session usage.
081_mail_fetch.functions.php_hex2bin.dpatch: hex2bin() function is
present in PHP
090_ssl.dpatch: Fixes SSL and adds support for self-signed certificates.
091_abook_preg.dpatch: Fixes PHP warning concerning eregi()
099_warnings.dpatch: Fixes other PHP warnings (I am not sure I've done
it right)
--
With best regards,
Dmitry
#! /bin/sh /usr/share/dpatch/dpatch-run
## 090_ssl.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix SSL for PHP 5.6.
@DPATCH@
--- squirrelmail-1.5.1.orig/functions/global.php 2014-11-07 23:55:07.875944398 +0100
+++ squirrelmail-1.5.1/functions/global.php 2014-11-07 23:58:30.807939070 +0100
@@ -300,6 +300,24 @@
}
/**
+ * sqenable_ssl
+ *
+ * Enable SSL encryption/decryption for the given stream.
+ *
+ * @return boolean true, if operation succeeded
+ * @since 1.5.1
+ */
+function sqenable_ssl($stream) {
+ stream_context_set_option($stream,'ssl','verify_peer',false);
+ stream_context_set_option($stream,'ssl','verify_peer_name',false);
+ stream_context_set_option($stream,'ssl','allow_self_signed',true);
+ if (isset($tls_ciphers)) {
+ stream_context_set_option($stream,'ssl','ciphers',$tls_ciphers);
+ }
+ return stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT);
+}
+
+/**
* php_self
*
* Creates an URL for the page calling this function, using either the PHP global
--- squirrelmail-1.5.1.orig/functions/imap_general.php 2006-02-11 16:20:06.000000000 +0100
+++ squirrelmail-1.5.1/functions/imap_general.php 2014-11-08 00:03:02.947931924 +0100
@@ -697,7 +697,7 @@
}
// start crypto on connection. suppress function errors.
- if (@stream_socket_enable_crypto($imap_stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+ if (sqenable_ssl($imap_stream)) {
// starttls was successful
/**
--- squirrelmail-1.5.1.orig/src/configtest.php 2006-02-05 10:20:36.000000000 +0100
+++ squirrelmail-1.5.1/src/configtest.php 2014-11-07 23:49:08.871953824 +0100
@@ -75,11 +75,11 @@
'Check permissions on that file.');
}
+sqGetGlobalVar('REMOTE_ADDR',$client_ip,SQ_SERVER);
+sqGetGlobalVar('SERVER_ADDR',$server_ip,SQ_SERVER);
+
/* Block remote use of script */
if (! $allow_remote_configtest) {
- sqGetGlobalVar('REMOTE_ADDR',$client_ip,SQ_SERVER);
- sqGetGlobalVar('SERVER_ADDR',$server_ip,SQ_SERVER);
-
if ((! isset($client_ip) || $client_ip!='127.0.0.1') &&
(! isset($client_ip) || ! isset($server_ip) || $client_ip!=$server_ip)) {
do_err('Enable "Allow remote configtest" option in squirrelmail configuration in order to use this script.');
@@ -326,7 +326,7 @@
$starttls_cmd_err = 'SMTP STARTTLS failed. Server replied: '
.htmlspecialchars($starttls_response);
do_err($starttls_cmd_err);
- } elseif(! stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+ } elseif(! sqenable_ssl($stream)) {
do_err('Failed to enable encryption on SMTP STARTTLS connection.');
} else {
echo $IND . "SMTP STARTTLS extension looks OK.<br />\n";
@@ -404,7 +404,7 @@
$imap_starttls_err = 'IMAP STARTTLS failed. Server replied: '
.htmlspecialchars($starttls_line);
do_err($imap_starttls_err);
- } elseif (! stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+ } elseif (! sqenable_ssl($stream)) {
do_err('Failed to enable encryption on IMAP connection.');
} else {
echo $IND . "IMAP STARTTLS extension looks OK.<br />\n";
--- squirrelmail-1.5.1.orig/class/deliver/Deliver_SMTP.class.php 2006-01-28 20:24:07.000000000 +0100
+++ squirrelmail-1.5.1/class/deliver/Deliver_SMTP.class.php 2014-11-07 23:52:08.567949106 +0100
@@ -173,7 +173,7 @@
}
// start crypto on connection. suppress function errors.
- if (@stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+ if (sqenable_ssl($stream)) {
// starttls was successful (rfc2487 5.2 Result of the STARTTLS Command)
// get new EHLO response
fputs($stream, "EHLO $helohost\r\n");
#! /bin/sh /usr/share/dpatch/dpatch-run
## 091_abook_preg_fix.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Replace deprecated eregi() with preg_match().
@DPATCH@
--- squirrelmail-1.5.1.orig/plugins/abook_take/functions.php 2006-02-05 12:18:50.000000000 +0100
+++ squirrelmail-1.5.1/plugins/abook_take/functions.php 2014-11-22 23:00:51.868237457 +0100
@@ -20,7 +20,7 @@
{
global $Email_RegExp_Match;
- if (! eregi('^' . $Email_RegExp_Match . '$', $email))
+ if (! preg_match('/^' . $Email_RegExp_Match . '$/i', $email))
return false;
if (! $verify)
@@ -33,7 +33,7 @@
{
global $abook_found_email, $Email_RegExp_Match;
- while (eregi('(' . $Email_RegExp_Match . ')', $str, $hits))
+ while (preg_match('/(' . $Email_RegExp_Match . ')/i', $str, $hits))
{
$str = substr(strstr($str, $hits[0]), strlen($hits[0]));
if (! isset($abook_found_email[$hits[0]]))
#! /bin/sh /usr/share/dpatch/dpatch-run
## 099_warnings.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fixes PHP warnings.
@DPATCH@
--- squirrelmail-1.5.1.orig/functions/imap_general.php 2006-02-11 16:20:06.000000000 +0100
+++ squirrelmail-1.5.1./functions/imap_general.php 2014-11-08 00:03:02.947931924 +0100
@@ -947,7 +947,7 @@
for ($i=2; $i < count($c); $i++) {
$cap_list = explode('=', $c[$i]);
if (isset($cap_list[1])) {
- $sqimap_capabilities[trim($cap_list[0])][] = $cap_list[1];
+ $sqimap_capabilities[trim($cap_list[0])] = array($cap_list[1]);
} else {
$sqimap_capabilities[trim($cap_list[0])] = TRUE;
}
--- squirrelmail-1.5.1.orig/functions/imap_messages.php 2006-02-12 19:21:50.000000000 +0100
+++ squirrelmail-1.5.1/functions/imap_messages.php 2014-11-08 00:23:03.099900413 +0100
@@ -923,7 +923,7 @@
if ($read) {
if (preg_match('/.+FLAGS\s\((.*)\)\s/AUi',$read[0],$regs)) {
if (trim($regs[1])) {
- $flags = preg_split('/ /', $regs[1],-1,'PREG_SPLIT_NI_EMPTY');
+ $flags = preg_split('/ /', $regs[1],-1,PREG_SPLIT_NO_EMPTY);
}
}
} else {
--- squirrelmail-1.5.1.orig/class/mime/Rfc822Header.class.php 2006-01-23 19:39:32.000000000 +0100
+++ squirrelmail-1.5.1/class/mime/Rfc822Header.class.php 2014-11-08 01:09:58.479826493 +0100
@@ -486,7 +486,7 @@
$sComment = trim(implode(' ',$aComment));
$sPersonal .= $sComment;
}
- $oAddr =& new AddressStructure();
+ $oAddr = new AddressStructure();
if ($sPersonal && substr($sPersonal,0,2) == '=?') {
$oAddr->personal = encodeHeader($sPersonal);
} else {
--- squirrelmail-1.5.1.orig/class/error.class.php 2014-11-08 01:48:01.811766542 +0100
+++ squirrelmail-1.5.1/class/error.class.php 2014-11-08 02:03:47.779741705 +0100
@@ -119,6 +119,7 @@
$iType = (is_null($iType)) ? SQM_STRICT : $iType;
case E_NOTICE:
$iType = (is_null($iType)) ? SQM_NOTICE : $iType;
+ case E_DEPRECATED:
case E_WARNING:
$iType = (is_null($iType)) ? SQM_WARNING : $iType;
$aErrorCategory[] = 'PHP';
--- squirrelmail-1.5.1.orig/class/mime/Message.class.php 2006-01-23 19:39:32.000000000 +0100
+++ squirrelmail-1.5.1/class/mime/Message.class.php 2014-11-08 02:20:29.355715408 +0100
@@ -287,7 +287,7 @@
* @return object Message object
* @todo define argument and return types
*/
- function parseStructure($read, &$i, $sub_msg = '') {
+ static function parseStructure($read, &$i, $sub_msg = '') {
$msg = Message::parseBodyStructure($read, $i, $sub_msg);
if($msg) $msg->setEntIds($msg,false,0);
return $msg;
@@ -337,7 +337,7 @@
* @todo document me
* @since 1.4.0 (code was part of parseStructure() in 1.3.x)
*/
- function parseBodyStructure($read, &$i, $sub_msg = '') {
+ static function parseBodyStructure($read, &$i, $sub_msg = '') {
$arg_no = 0;
$arg_a = array();
if ($sub_msg) {
@@ -359,8 +359,9 @@
$hdr->type1 = 'plain';
$hdr->encoding = 'us-ascii';
} else {
- $msg->header->type0 = 'multipart';
+ $hdr->type0 = 'multipart';
$msg->type0 = 'multipart';
+ $msg->header = $hdr;
while ($read{$i} == '(') {
$msg->addEntity($msg->parseBodyStructure($read, $i, $msg));
}
@@ -388,10 +389,11 @@
}
case 7:
if (($arg_a[0] == 'message') && ($arg_a[1] == 'rfc822')) {
- $msg->header->type0 = $arg_a[0];
- $msg->header->type1 = $arg_a[1];
+ $hdr->type0 = $arg_a[0];
+ $hdr->type1 = $arg_a[1];
$msg->type0 = $arg_a[0];
$msg->type1 = $arg_a[1];
+ $msg->header = $hdr;
$rfc822_hdr = new Rfc822Header();
$msg->rfc822_header = $msg->parseEnvelope($read, $i, $rfc822_hdr);
while (($i < $cnt) && ($read{$i} != '(')) {
#! /bin/sh /usr/share/dpatch/dpatch-run
## 080_global.php_session.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix PHP session start/end.
@DPATCH@
--- squirrelmail-1.5.1.orig/functions/global.php 2014-11-08 00:50:11.655857654 +0100
+++ squirrelmail-1.5.1.orig/functions/global.php 2014-11-08 00:50:29.011857198 +0100
@@ -92,9 +92,11 @@
sqsession_is_active();
- $_SESSION["$name"] = $var;
+ if(!isset($_SESSION)) {
+ session_start();
+ }
- session_register("$name");
+ $_SESSION["$name"] = $var;
}
/**
@@ -107,8 +109,6 @@
sqsession_is_active();
unset($_SESSION[$name]);
-
- session_unregister("$name");
}
/**
#! /bin/sh /usr/share/dpatch/dpatch-run
## 081_mail_fetch.functions.php_hex2bin.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Remove conflicting hex2bin() function.
@DPATCH@
--- squirrelmail-1.5.1.orig/plugins/mail_fetch/functions.php 2006-07-08 21:09:31.000000000 +0200
+++ squirrelmail-1.5.1/plugins/mail_fetch/functions.php 2012-12-19 22:32:26.273782351 +0100
@@ -293,21 +293,6 @@
}
// end of hooked functions
-/**
- * hex2bin - document me
- */
-function hex2bin( $data ) {
-
- /* Original code by josh@xxxxxxxxxxxxx */
-
- $len = strlen($data);
- $newdata = '';
- for( $i=0; $i < $len; $i += 2 ) {
- $newdata .= pack( "C", hexdec( substr( $data, $i, 2) ) );
- }
- return $newdata;
-}
-
function mf_keyED( $txt ) {
global $MF_TIT;
------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
