Re: Squirrelmail does not connect to SSL IMAP server after upgrading to PHP 5.6

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


-------- Message original --------
Sujet : Re:  Squirrelmail does not connect to SSL IMAP server 
after upgrading to PHP 5.6
De : Dmitry Katsubo <dma_k@xxxxxxx>
Pour : Squirrelmail User Support Mailing List 
Copie à : Julien Métairie <ruliane@xxxxxxxxxxx>
Date : 03/01/2016 22:05

> On 26/12/2015 22:52, Paul Lesniewski wrote:
>> On 12/14/15, Julien Métairie <ruliane@xxxxxxxxxxx> wrote:
>>> [...]
>>> The following is logged on the web server running Squirrelmail:
>>> PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL
>>> Error message:\nerror:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in
>>> /usr/share/squirrelmail/src/configtest.php on line 431.
>>> And on the IMAP mail server:
>>> couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>>> alert unknown ca
>>> As far as I understand, PHP 5.6 enforces certificate checking. SM allows
>>> tweaking this checks with $imap_stream_options, but I can't manage to
>>> use it. For testing purpose, I added the following to
>>> /etc/squirrelmail/config_local.php :
>>> $imap_stream_options = array(
>>> 	'ssl' => array(
>>> 		'verify_peer' => false,
>>> 	),
>>> );
>>> But there is no change with or without this option. I also tried to turn
>>> 'allow_self_signed' on, without success.
>> You might insert something like this:
>> sm_print_r('STREAM OPTIONS:', $stream_options);
>> Around line 763 of functions/imap_general.php
>> Make sure your settings are being used.
>> Otherwise, it sounds a little to me like your PHP installation isn't
>> functioning properly.  Check here for the available options:

Line 763 is in the middle of function sqimap_get_delimiter() (probably 
because we are running different versions of SM), I see no point 
checking stream options here.

I tracked stream options in sqimap_login(), just before fsockopen(), but 
$stream_options and $imap_stream_options were *not* defined.

Moreover, it appears that no context is passed to fsockopen() :

$imap_stream = @fsockopen($imap_server_address, $imap_port, 
$error_number, $error_string, 15);

As far as I understand, stream_socket_client() should be used instead of 
fsockopen() and a context should be passed as 6th argument. That's why I 
tried the following :

$imap_stream_options = array(
	'tls' => array(
		'verify_peer' => false,
	'ssl' => array(
		'verify_peer' => false,
$context = stream_context_create($imap_stream_options);
$imap_stream = @stream_socket_client($imap_server_address . ":" . 
$imap_port, $error_number, $error_string, 15, STREAM_CLIENT_CONNECT, 
$context) or die ("$php_errormsg");

Here is the result :

stream_socket_client(): unable to connect to tls:// 
(Unknown error)

No luck !

> I had the same problem and I have created a patch (090_ssl.dpatch) for
> squirrelmail v1.5.1. If you don't use self-signed certificate on Cyrus,
> then you don't need allow_self_signed=true.
> I also attach few other patches (which perhaps are already this way or
> another present in upstream):
> 080_global.php_session.dpatch: Fixes PHP warning about session usage.
> 081_mail_fetch.functions.php_hex2bin.dpatch: hex2bin() function is
> present in PHP
> 090_ssl.dpatch: Fixes SSL and adds support for self-signed certificates.
> 091_abook_preg.dpatch: Fixes PHP warning concerning eregi()
> 099_warnings.dpatch: Fixes other PHP warnings (I am not sure I've done
> it right)

Thank you for this work. Unfortunately, these patchs are designed for SM 
1.5, whereas I run Squirrelmail 1.4 (which seems to be very different). 
I didn't manage to make any suitable patch for SM 1.4.
That said, you may want to push them to SourceForge repos. :)


squirrelmail-users mailing list
Posting guidelines:
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives:
List info (subscribe/unsubscribe/change options):

[Index of Archives]     [Video For Linux]     [Yosemite News]     [Yosemite Photos]     [gtk]     [KDE]     [Cyrus SASL]     [Gimp on Windows]     [Steve's Art]     [Webcams]

  Powered by Linux