On 1/3/16, Dmitry Katsubo <dma_k@xxxxxxx> wrote:
> On 26/12/2015 22:52, Paul Lesniewski wrote:
>> On 12/14/15, Julien Métairie <ruliane@xxxxxxxxxxx> wrote:
>>> Hi list,
>>>
>>> I am trying to upgrade my server running Squirrelmail from Debian Wheezy
>>> to Jessie.
>>>
>>> IMAP server is Courier-ssl using a self-signed certificate.
>>>
>>> Also note that Squirrelmail connects to 192.168.xx.xx, while the
>>> certificate is (auto-)issued to mail.mydomain.com.
>>>
>>> After upgrading, configtest.php complains that it couldn't connect to
>>> IMAP server because of a "Server error: (0)".
>>>
>>> The following is logged on the web server running Squirrelmail:
>>>
>>> PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL
>>> Error message:\nerror:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in
>>> /usr/share/squirrelmail/src/configtest.php on line 431.
>>>
>>> And on the IMAP mail server:
>>>
>>> couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>>> alert unknown ca
>>>
>>> As far as I understand, PHP 5.6 enforces certificate checking. SM allows
>>> tweaking this checks with $imap_stream_options, but I can't manage to
>>> use it. For testing purpose, I added the following to
>>> /etc/squirrelmail/config_local.php :
>>>
>>> $imap_stream_options = array(
>>>
>>> 'ssl' => array(
>>>
>>> 'verify_peer' => false,
>>>
>>> ),
>>>
>>> );
>>>
>>> But there is no change with or without this option. I also tried to turn
>>> 'allow_self_signed' on, without success.
>>
>> You might insert something like this:
>>
>> sm_print_r('STREAM OPTIONS:', $stream_options);
>>
>> Around line 763 of functions/imap_general.php
>>
>> Make sure your settings are being used.
>>
>> Otherwise, it sounds a little to me like your PHP installation isn't
>> functioning properly. Check here for the available options:
>>
>> http://php.net/manual/en/context.ssl.php
>>
>>> Squirrelmail 1.4.23, PHP version 5.6.14-0+deb8u1, Courier 4.15-1.6, all
>>> software are installed from Debian repository.
>>>
>>> I went through this thread [1] but didn't understood any final solution.
>>>
>>> What did I miss ?
>>>
>>> Regards,
>>>
>>> Julien
>>>
>>> [1]
>>> http://squirrelmail.5843.n7.nabble.com/svn-14501-TLS-handshaking-SSL-accept-failed-error-alert-unknown-ca-SSL-alert-number-48-td26087.html
>
> I had the same problem and I have created a patch (090_ssl.dpatch) for
> squirrelmail v1.5.1. If you don't use self-signed certificate on Cyrus,
> then you don't need allow_self_signed=true.
>
> I also attach few other patches (which perhaps are already this way or
> another present in upstream):
Dmitry, thanks for submitting your patches, but version 1.5.1 is very
outdated and all these issues are fixed in 1.5.2, which I strongly
recommend if you want to run the development stream.
> 080_global.php_session.dpatch: Fixes PHP warning about session usage.
> 081_mail_fetch.functions.php_hex2bin.dpatch: hex2bin() function is
> present in PHP
> 090_ssl.dpatch: Fixes SSL and adds support for self-signed certificates.
> 091_abook_preg.dpatch: Fixes PHP warning concerning eregi()
> 099_warnings.dpatch: Fixes other PHP warnings (I am not sure I've done
> it right)
--
Paul Lesniewski
SquirrelMail Team
Please support Open Source Software by donating to SquirrelMail!
http://squirrelmail.org/donate_paul_lesniewski.php
------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140
-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
