Re: Squirrelmail does not connect to SSL IMAP server after upgrading to PHP 5.6

On 26/12/2015 22:52, Paul Lesniewski wrote:
> On 12/14/15, Julien Métairie <ruliane@xxxxxxxxxxx> wrote:
>> Hi list,
>>
>> I am trying to upgrade my server running Squirrelmail from Debian Wheezy
>> to Jessie.
>>
>> IMAP server is Courier-ssl using a self-signed certificate.
>>
>> Also note that Squirrelmail connects to 192.168.xx.xx, while the
>> certificate is (auto-)issued to mail.mydomain.com.
>>
>> After upgrading, configtest.php complains that it couldn't connect to
>> IMAP server because of a "Server error: (0)".
>>
>> The following is logged on the web server running Squirrelmail:
>>
>> PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL
>> Error message:\nerror:14090086:SSL
>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in
>> /usr/share/squirrelmail/src/configtest.php on line 431.
>>
>> And on the IMAP mail server:
>>
>> couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>> alert unknown ca
>>
>> As far as I understand, PHP 5.6 enforces certificate checking. SM allows
>> tweaking these checks with $imap_stream_options, but I can't manage to
>> use it. For testing purposes, I added the following to
>> /etc/squirrelmail/config_local.php :
>>
>> $imap_stream_options = array(
>> 	'ssl' => array(
>> 		'verify_peer' => false,
>> 	),
>> );
>>
>> But there is no change with or without this option. I also tried to turn
>> 'allow_self_signed' on, without success.
> 
> You might insert something like this:
> 
> sm_print_r('STREAM OPTIONS:', $stream_options);
> 
> Around line 763 of functions/imap_general.php
> 
> Make sure your settings are being used.
> 
> Otherwise, it sounds a little to me like your PHP installation isn't
> functioning properly.  Check here for the available options:
> 
> http://php.net/manual/en/context.ssl.php
> 
>> Squirrelmail 1.4.23, PHP version 5.6.14-0+deb8u1, Courier 4.15-1.6, all
>> software is installed from Debian repository.
>>
>> I went through this thread [1] but didn't understand any final solution.
>>
>> What did I miss?
>>
>> Regards,
>>
>> Julien
>>
>> [1]
>> http://squirrelmail.5843.n7.nabble.com/svn-14501-TLS-handshaking-SSL-accept-failed-error-alert-unknown-ca-SSL-alert-number-48-td26087.html

I had the same problem and I have created a patch (090_ssl.dpatch) for
squirrelmail v1.5.1. If you don't use a self-signed certificate on Cyrus,
then you don't need allow_self_signed=true.

I also attach a few other patches (which perhaps are already, one way or
another, present in upstream):

080_global.php_session.dpatch: Fixes PHP warning about session usage.
081_mail_fetch.functions.php_hex2bin.dpatch: hex2bin() function is
present in PHP
090_ssl.dpatch: Fixes SSL and adds support for self-signed certificates.
091_abook_preg.dpatch: Fixes PHP warning concerning eregi()
099_warnings.dpatch: Fixes other PHP warnings (I am not sure I've done
it right)

-- 
With best regards,
Dmitry
#! /bin/sh /usr/share/dpatch/dpatch-run
## 090_ssl.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix SSL for PHP 5.6.

@DPATCH@

--- squirrelmail-1.5.1.orig/functions/global.php	2014-11-07 23:55:07.875944398 +0100
+++ squirrelmail-1.5.1/functions/global.php	2014-11-07 23:58:30.807939070 +0100
@@ -300,6 +300,24 @@
 }
 
 /**
+ * sqenable_ssl
+ *
+ * Enable SSL encryption/decryption for the given stream.
+ *
+ * @return boolean true, if operation succeeded
+ * @since 1.5.1
+ */
+function sqenable_ssl($stream) {
+    stream_context_set_option($stream,'ssl','verify_peer',false);
+    stream_context_set_option($stream,'ssl','verify_peer_name',false);
+    stream_context_set_option($stream,'ssl','allow_self_signed',true);
+    if (isset($tls_ciphers)) {
+        stream_context_set_option($stream,'ssl','ciphers',$tls_ciphers);
+    }
+    return stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT);
+}
+
+/**
  * php_self
  *
  * Creates an URL for the page calling this function, using either the PHP global
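Review bot: sqenable_ssl() hard-codes verify_peer=false and verify_peer_name=false, so every caller switched to it in this patch negotiates TLS without authenticating the server, whether or not the administrator uses a self-signed certificate. Take these values from configuration instead (the thread mentions $imap_stream_options for this) and default to verification on; a self-signed server certificate can be trusted explicitly through the cafile option. Once verify_peer is false, allow_self_signed adds nothing. Separately, $tls_ciphers is tested with isset() inside the function without a global declaration or a parameter, so that branch cannot run as written. The docblock also lacks a @param for $stream.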
--- squirrelmail-1.5.1.orig/functions/imap_general.php	2006-02-11 16:20:06.000000000 +0100
+++ squirrelmail-1.5.1/functions/imap_general.php	2014-11-08 00:03:02.947931924 +0100
@@ -697,7 +697,7 @@
             }
 
             // start crypto on connection. suppress function errors.
-            if (@stream_socket_enable_crypto($imap_stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+            if (sqenable_ssl($imap_stream)) {
                 // starttls was successful
 
                 /**
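Review bot: the replacement call drops the @ operator while the comment directly above still says "suppress function errors", so handshake warnings from stream_socket_enable_crypto() now surface at this call site (the Deliver_SMTP.class.php hunk has the same mismatch). Either keep the suppression inside sqenable_ssl() or update the comment, and log the failure reason rather than discarding it.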
--- squirrelmail-1.5.1.orig/src/configtest.php	2006-02-05 10:20:36.000000000 +0100
+++ squirrelmail-1.5.1/src/configtest.php	2014-11-07 23:49:08.871953824 +0100
@@ -75,11 +75,11 @@
            'Check permissions on that file.');
 }
 
+sqGetGlobalVar('REMOTE_ADDR',$client_ip,SQ_SERVER);
+sqGetGlobalVar('SERVER_ADDR',$server_ip,SQ_SERVER);
+
 /* Block remote use of script */
 if (! $allow_remote_configtest) {
-    sqGetGlobalVar('REMOTE_ADDR',$client_ip,SQ_SERVER);
-    sqGetGlobalVar('SERVER_ADDR',$server_ip,SQ_SERVER);
-
     if ((! isset($client_ip) || $client_ip!='127.0.0.1') &&
         (! isset($client_ip) || ! isset($server_ip) || $client_ip!=$server_ip)) {
         do_err('Enable "Allow remote configtest" option in squirrelmail configuration in order to use this script.');
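Review bot: moving the two sqGetGlobalVar() calls out of the if (! $allow_remote_configtest) block is unrelated to the patch description ("Fix SSL for PHP 5.6"), and none of the hunks shown uses $client_ip or $server_ip outside that block. Split it into its own patch with a stated reason, or drop it.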
@@ -326,7 +326,7 @@
             $starttls_cmd_err = 'SMTP STARTTLS failed. Server replied: '
                 .htmlspecialchars($starttls_response);
             do_err($starttls_cmd_err);
-        } elseif(! stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+        } elseif(! sqenable_ssl($stream)) {
             do_err('Failed to enable encryption on SMTP STARTTLS connection.');
         } else {
             echo $IND . "SMTP STARTTLS extension looks OK.<br />\n";
@@ -404,7 +404,7 @@
         $imap_starttls_err = 'IMAP STARTTLS failed. Server replied: '
                 .htmlspecialchars($starttls_line);
         do_err($imap_starttls_err);
-    } elseif (! stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+    } elseif (! sqenable_ssl($stream)) {
         do_err('Failed to enable encryption on IMAP connection.');
     } else {
         echo $IND . "IMAP STARTTLS extension looks OK.<br />\n";
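Review bot: with sqenable_ssl() turning verification off, this branch and the SMTP one in the previous hunk print "STARTTLS extension looks OK" for any certificate, so configtest.php can no longer tell the administrator that the server certificate is untrusted or issued to a different name. A diagnostic page should run the handshake with verification on and report a verification failure as its own message.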
--- squirrelmail-1.5.1.orig/class/deliver/Deliver_SMTP.class.php	2006-01-28 20:24:07.000000000 +0100
+++ squirrelmail-1.5.1/class/deliver/Deliver_SMTP.class.php	2014-11-07 23:52:08.567949106 +0100
@@ -173,7 +173,7 @@
                 }
 
                 // start crypto on connection. suppress function errors.
-                if (@stream_socket_enable_crypto($stream,true,STREAM_CRYPTO_METHOD_TLS_CLIENT)) {
+                if (sqenable_ssl($stream)) {
                     // starttls was successful (rfc2487 5.2 Result of the STARTTLS Command)
                     // get new EHLO response
                     fputs($stream, "EHLO $helohost\r\n");
#! /bin/sh /usr/share/dpatch/dpatch-run
## 091_abook_preg_fix.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Replace deprecated eregi() with preg_match().

@DPATCH@

--- squirrelmail-1.5.1.orig/plugins/abook_take/functions.php	2006-02-05 12:18:50.000000000 +0100
+++ squirrelmail-1.5.1/plugins/abook_take/functions.php	2014-11-22 23:00:51.868237457 +0100
@@ -20,7 +20,7 @@
 {
     global $Email_RegExp_Match;
 
-    if (! eregi('^' . $Email_RegExp_Match . '$', $email))
+    if (! preg_match('/^' . $Email_RegExp_Match . '$/i', $email))
         return false;
 
     if (! $verify)
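Review bot: both preg_match() calls in this file wrap $Email_RegExp_Match in / delimiters without escaping, so the pattern fails to compile if that global ever contains an unescaped /. preg_match() then returns false with a warning, which `! preg_match(...)` here treats the same as "no match". Pick a delimiter that cannot occur in the expression, or escape the delimiter where $Email_RegExp_Match is defined.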
@@ -33,7 +33,7 @@
 {
     global $abook_found_email, $Email_RegExp_Match;
 
-    while (eregi('(' . $Email_RegExp_Match . ')', $str, $hits))
+    while (preg_match('/(' . $Email_RegExp_Match . ')/i', $str, $hits))
     {
         $str = substr(strstr($str, $hits[0]), strlen($hits[0]));
         if (! isset($abook_found_email[$hits[0]]))
#! /bin/sh /usr/share/dpatch/dpatch-run
## 099_warnings.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fixes PHP warnings.

@DPATCH@

--- squirrelmail-1.5.1.orig/functions/imap_general.php	2006-02-11 16:20:06.000000000 +0100
+++ squirrelmail-1.5.1./functions/imap_general.php	2014-11-08 00:03:02.947931924 +0100
@@ -947,7 +947,7 @@
         for ($i=2; $i < count($c); $i++) {
             $cap_list = explode('=', $c[$i]);
             if (isset($cap_list[1])) {
-                $sqimap_capabilities[trim($cap_list[0])][] = $cap_list[1];
+                $sqimap_capabilities[trim($cap_list[0])] = array($cap_list[1]);
             } else {
                 $sqimap_capabilities[trim($cap_list[0])] = TRUE;
             }
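Review bot: replacing the append with `= array($cap_list[1])` changes behaviour, not just a warning: when a capability name appears more than once in the response with different values (several AUTH=... entries, for example), each one now overwrites the previous and only the last value is kept. Keep the append and initialise the key first, i.e. assign array() when the key is not yet an array and then use `[] = $cap_list[1]`.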
--- squirrelmail-1.5.1.orig/functions/imap_messages.php	2006-02-12 19:21:50.000000000 +0100
+++ squirrelmail-1.5.1/functions/imap_messages.php	2014-11-08 00:23:03.099900413 +0100
@@ -923,7 +923,7 @@
     if ($read) {
         if (preg_match('/.+FLAGS\s\((.*)\)\s/AUi',$read[0],$regs)) {
             if (trim($regs[1])) {
-                $flags = preg_split('/ /', $regs[1],-1,'PREG_SPLIT_NI_EMPTY');
+                $flags = preg_split('/ /', $regs[1],-1,PREG_SPLIT_NO_EMPTY);
             }
         }
     } else {
--- squirrelmail-1.5.1.orig/class/mime/Rfc822Header.class.php	2006-01-23 19:39:32.000000000 +0100
+++ squirrelmail-1.5.1/class/mime/Rfc822Header.class.php	2014-11-08 01:09:58.479826493 +0100
@@ -486,7 +486,7 @@
             $sComment = trim(implode(' ',$aComment));
             $sPersonal .= $sComment;
         }
-        $oAddr =& new AddressStructure();
+        $oAddr = new AddressStructure();
         if ($sPersonal && substr($sPersonal,0,2) == '=?') {
             $oAddr->personal = encodeHeader($sPersonal);
         } else {
--- squirrelmail-1.5.1.orig/class/error.class.php	2014-11-08 01:48:01.811766542 +0100
+++ squirrelmail-1.5.1/class/error.class.php	2014-11-08 02:03:47.779741705 +0100
@@ -119,6 +119,7 @@
                 $iType = (is_null($iType)) ? SQM_STRICT : $iType;
             case E_NOTICE:
                 $iType = (is_null($iType)) ? SQM_NOTICE : $iType;
+            case E_DEPRECATED:
             case E_WARNING:
                 $iType = (is_null($iType)) ? SQM_WARNING : $iType;
                 $aErrorCategory[] = 'PHP';
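Review bot: E_DEPRECATED is added as a bare case that falls into the E_WARNING body, so deprecation notices are reported as SQM_WARNING. If they should be quieter, group the case with E_NOTICE instead. E_USER_DEPRECATED is not handled, and the constant only exists from PHP 5.3, so older interpreters will trip on it.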
--- squirrelmail-1.5.1.orig/class/mime/Message.class.php	2006-01-23 19:39:32.000000000 +0100
+++ squirrelmail-1.5.1/class/mime/Message.class.php	2014-11-08 02:20:29.355715408 +0100
@@ -287,7 +287,7 @@
      * @return object Message object
      * @todo define argument and return types
      */
-    function parseStructure($read, &$i, $sub_msg = '') {
+    static function parseStructure($read, &$i, $sub_msg = '') {
         $msg = Message::parseBodyStructure($read, $i, $sub_msg);
         if($msg) $msg->setEntIds($msg,false,0);
         return $msg;
@@ -337,7 +337,7 @@
      * @todo document me
      * @since 1.4.0 (code was part of parseStructure() in 1.3.x)
      */
-    function parseBodyStructure($read, &$i, $sub_msg = '') {
+    static function parseBodyStructure($read, &$i, $sub_msg = '') {
         $arg_no = 0;
         $arg_a  = array();
         if ($sub_msg) {
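Review bot: parseBodyStructure() becomes static here, yet the call in the following hunk is still `$msg->parseBodyStructure($read, $i, $msg)` on an instance. PHP accepts that, but the method body must not rely on $this; please confirm that, and switch the recursive calls to Message::parseBodyStructure() so the call sites match the declaration.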
@@ -359,8 +359,9 @@
                                 $hdr->type1 = 'plain';
                                 $hdr->encoding = 'us-ascii';
                             } else {
-                                $msg->header->type0 = 'multipart';
+                                $hdr->type0 = 'multipart';
                                 $msg->type0 = 'multipart';
+                                $msg->header = $hdr;
                                 while ($read{$i} == '(') {
                                     $msg->addEntity($msg->parseBodyStructure($read, $i, $msg));
                                 }
@@ -388,10 +389,11 @@
                             }
                         case 7:
                             if (($arg_a[0] == 'message') && ($arg_a[1] == 'rfc822')) {
-                                $msg->header->type0 = $arg_a[0];
-                                $msg->header->type1 = $arg_a[1];
+                                $hdr->type0 = $arg_a[0];
+                                $hdr->type1 = $arg_a[1];
                                 $msg->type0 = $arg_a[0];
                                 $msg->type1 = $arg_a[1];
+                                $msg->header = $hdr;
                                 $rfc822_hdr = new Rfc822Header();
                                 $msg->rfc822_header = $msg->parseEnvelope($read, $i, $rfc822_hdr);
                                 while (($i < $cnt) && ($read{$i} != '(')) {
#! /bin/sh /usr/share/dpatch/dpatch-run
## 080_global.php_session.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Fix PHP session start/end.

@DPATCH@

--- squirrelmail-1.5.1.orig/functions/global.php	2014-11-08 00:50:11.655857654 +0100
+++ squirrelmail-1.5.1.orig/functions/global.php	2014-11-08 00:50:29.011857198 +0100
@@ -92,9 +92,11 @@
 
     sqsession_is_active();
 
-    $_SESSION["$name"] = $var;
+    if(!isset($_SESSION)) {
+        session_start();
+    }
 
-    session_register("$name");
+    $_SESSION["$name"] = $var;
 }
 
 /**
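Review bot: the added session_start() sits right after sqsession_is_active(), so session start-up now lives in two places. If that helper already guarantees a running session, the isset($_SESSION) block is dead code; if it does not, fix it there so that sqsession_unregister() and the other callers benefit as well.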
@@ -107,8 +109,6 @@
     sqsession_is_active();
 
     unset($_SESSION[$name]);
-
-    session_unregister("$name");
 }
 
 /**
#! /bin/sh /usr/share/dpatch/dpatch-run
## 081_mail_fetch.functions.php_hex2bin.dpatch by Dmitry Katsubo <dma_k@xxxxxxx>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Remove conflicting hex2bin() function.

@DPATCH@

--- squirrelmail-1.5.1.orig/plugins/mail_fetch/functions.php	2006-07-08 21:09:31.000000000 +0200
+++ squirrelmail-1.5.1/plugins/mail_fetch/functions.php	2012-12-19 22:32:26.273782351 +0100
@@ -293,21 +293,6 @@
 }
 // end of hooked functions
 
-/**
- * hex2bin - document me
- */
-function hex2bin( $data ) {
-
-    /* Original code by josh@xxxxxxxxxxxxx */
-
-    $len = strlen($data);
-    $newdata = '';
-    for( $i=0; $i < $len; $i += 2 ) {
-        $newdata .= pack( "C", hexdec( substr( $data, $i, 2) ) );
-    }
-    return $newdata;
-}
-
 function mf_keyED( $txt ) {
 
     global $MF_TIT;
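Review bot: removing the local hex2bin() outright makes the plugin depend on the built-in, which exists only from PHP 5.4. Wrapping the old definition in `if (! function_exists('hex2bin'))` keeps older installations working. The built-in also returns false with a warning on odd-length input, where the removed loop decoded whatever it was given, so callers should check the return value.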
------------------------------------------------------------------------------
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
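
For the setup described in this thread (a self-signed Courier certificate issued to mail.mydomain.com, reached by IP address), verification can stay on by trusting that one certificate and telling PHP which name to expect. The following is an added example, not part of the original messages or of SquirrelMail; the certificate path and the 192.0.2.10 address are placeholders, and pinned_ssl_options() and probe_imaps() are hypothetical helper names.

```php
<?php
// Added example (not SquirrelMail code). Requires PHP >= 5.6 for 'peer_name'.

/**
 * SSL context options that keep verification on for a server with a
 * self-signed certificate that is reached by IP address.
 */
function pinned_ssl_options($caFile, $peerName) {
    return array('ssl' => array(
        'verify_peer'      => true,       // validate against $caFile only
        'verify_peer_name' => true,       // and check the name in the certificate
        'peer_name'        => $peerName,  // name the certificate was issued to
        'cafile'           => $caFile,    // the server's own certificate (PEM)
    ));
}

/**
 * Open an implicit-TLS IMAP connection and report either the greeting
 * or the reason the handshake failed.
 */
function probe_imaps($host, $port, array $options, $timeout = 10) {
    $ctx = stream_context_create($options);
    $errno = 0;
    $errstr = '';
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr,
                                $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        // On a TLS failure $errno can be 0 (the "Server error: (0)" seen in
        // the thread); the detail is then only in the suppressed PHP warning.
        $last = error_get_last();
        $detail = $errstr !== '' ? $errstr : ($last ? $last['message'] : 'unknown');
        return array('ok' => false, 'errno' => $errno, 'error' => $detail);
    }
    $greeting = fgets($fp, 1024);
    fclose($fp);
    return array('ok' => true, 'greeting' => trim((string) $greeting));
}

// Run from the command line only; all values are placeholders.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $opts = pinned_ssl_options('/path/to/courier-cert.pem', 'mail.mydomain.com');
    print_r(probe_imaps('192.0.2.10', 993, $opts));
}
```

The array returned by pinned_ssl_options() has the same shape as the $imap_stream_options value quoted earlier in the thread.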
