Re: Problem with STARTTLS



On Sat, April 28, 2018 14:45, Paul Lesniewski wrote:

> Off the top of my head, I'd suggest trying to write a small POC
> script to see if you can make the connection without any other
> code in the way. But it does seem clear that the IMAP server does
> not in fact have the CA's certificate, despite you having said
> you copied it over.  OTOH, the SquirrelMail instance might be
> sending a different certificate than you expected.  Maybe you can
> check to see if you can get Cyrus to dump out what certificates
> are actually being exchanged.

I am having a similar problem with SMTP now and am no longer seeing
the IMAP error reported in configtest.php.  That does not mean the
problem is solved, just that presently it is no longer shown.

This is what I have traced things to wrt SM on the new host:

[Mon Apr 30 09:10:22.510233 2018] [:error] [pid 75098] [client] PHP Warning:  fsockopen(): SSL operation failed
with code 1. OpenSSL Error messages:\nerror:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed in
/usr/local/www/squirrelmail/src/configtest.php on line 406

[Mon Apr 30 09:10:22.510311 2018] [:error] [pid 75098] [client] PHP Warning:  fsockopen(): Failed to enable
crypto in /usr/local/www/squirrelmail/src/configtest.php on line 406

[Mon Apr 30 09:10:22.511594 2018] [:error] [pid 75098] [client] PHP Warning:  fsockopen(): unable to connect to
ssl:// (Unknown error) in
/usr/local/www/squirrelmail/src/configtest.php on line 406

Using openssl s_client and specifying the exact certificates and keys
as are provided in the SM virtual server definition I get this:

# export PKIDIR='/usr/local/etc/pki/tls'
# openssl s_client \
  -connect \
  -CAfile $PKIDIR/certs/ca-bundle.crt \
  -cert $PKIDIR/certs/ca.harte-lyne.hamilton.squirrelmail.crt \
  -key $PKIDIR/private/ca.harte-lyne.hamilton.squirrelmail.key

depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited,
OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L =
verify error:num=19:self signed certificate in certificate chain
Certificate chain
 0 s:/ Data
Services/O=Harte & Lyne
   i:/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
 1 s:/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
   i:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
 2 s:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
   i:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
Server certificate
. . .
subject=/ Data
Services/O=Harte & Lyne
issuer=/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte &
Lyne Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
Acceptable client certificate CA names
. . .
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign,
Inc. - For authorized use only/CN=VeriSign Universal Root
Certification Authority

/C=US/O=VISA/OU=Visa International Service Association/CN=Visa
eCommerce Root

/C=US/ Security Services Inc/CN=XRamp
Global Certification Authority

/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne

/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked
Data Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton

/CN=CA HLL ISSUER 01/OU=Networked Data Services/O=Harte & Lyne

/CN=CA HLL ROOT/OU=Networked Data Services/O=Harte & Lyne

Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms:
Shared Requested Signature Algorithms:
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 28952 bytes and written 3647 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f8 9d 58 d4 76 a9 d3 b2-f4 e6 82 31 de 23 d7 11 . . .
    Start Time: 1525101722
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
220 ESMTP Postfix

As demonstrated above, I can connect to SMTP using the same
certificates and keys as configured for Squirrelmail, as shown below:

. . .
SSLCertificateFile \

SSLCertificateKeyFile \

SSLCACertificateFile \
. . .
# SSLVerifyClient options: 'none' - 'optional_no_ca' - 'optional' -
SSLVerifyClient optional
SSLVerifyDepth  10

The socket error report shows up on searches as being related to a php
configuration issue for Windows.  But I see no obvious problem with
the PHP install on the SM host and no provision for explicitly
configuring openssl in php.ini.

***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
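A small diagnostic along the lines Paul suggested, written as an added example for this thread (it is not SquirrelMail's own code). It opens an ssl:// socket with peer verification on, exactly as configtest.php does; if that fails it reconnects once with verification off purely to capture the chain the server really sends, prints subject and issuer of each certificate, and then asks OpenSSL whether the leaf validates against the CA bundle. That separates "the server presents a chain my bundle does not contain" from "the server presents a different certificate than I expected". The host, port and path below are assumptions; the path follows the $PKIDIR layout from the message.

```php
<?php
// Added diagnostic example; not code from the thread or from SquirrelMail.
// Placeholder values (constructed): replace with your own.
$host   = 'mail.example.com';
$port   = 465;   // 465 = SMTPS, 993 = IMAPS (ssl:// means implicit TLS, not STARTTLS)
$cafile = '/usr/local/etc/pki/tls/certs/ca-bundle.crt';   // assumed to match $PKIDIR above

function sslContext(string $host, string $cafile, bool $verify)
{
    return stream_context_create(['ssl' => [
        'verify_peer'             => $verify,
        'verify_peer_name'        => $verify,
        'cafile'                  => $cafile,
        'peer_name'               => $host,
        'capture_peer_cert_chain' => true,   // chain is stored after a successful handshake
    ]]);
}

// Open ssl://host:port. Returns [stream or false, list of warnings/OpenSSL errors].
function tlsConnect(string $host, int $port, $ctx): array
{
    $msgs = [];
    set_error_handler(function (int $no, string $str) use (&$msgs): bool {
        $msgs[] = $str;       // stream_socket_client reports TLS failures as PHP warnings
        return true;
    });
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    while (($e = openssl_error_string()) !== false) {
        $msgs[] = $e;         // drain OpenSSL's own queue, e.g. error:14090086 as seen above
    }
    return [$fp, $msgs];
}

// One line per certificate in the captured chain: depth, subject, issuer CN, expiry.
function describeChain($ctx): array
{
    $chain = stream_context_get_options($ctx)['ssl']['peer_certificate_chain'] ?? [];
    $out   = [];
    foreach ($chain as $i => $cert) {
        $p     = openssl_x509_parse($cert);
        $out[] = sprintf("%d s: %s\n   i: CN=%s  (expires %s)", $i, $p['name'],
            $p['issuer']['CN'] ?? '?', date('Y-m-d', $p['validTo_time_t']));
    }
    return $out;
}

// First pass: verify, as configtest.php does.
$ctx = sslContext($host, $cafile, true);
[$fp, $msgs] = tlsConnect($host, $port, $ctx);
if ($fp !== false) {
    echo "verified OK against $cafile\n", implode("\n", describeChain($ctx)), "\n";
    echo "banner: ", trim((string) fgets($fp)), "\n";   // e.g. "220 ... ESMTP Postfix"
    fclose($fp);
    exit(0);
}
echo "verification failed:\n  ", implode("\n  ", $msgs), "\n";

// Second pass: verification off, only to see what the server actually presents.
$ctx = sslContext($host, $cafile, false);
[$fp, $msgs] = tlsConnect($host, $port, $ctx);
if ($fp === false) {
    echo "cannot connect even without verification:\n  ", implode("\n  ", $msgs), "\n";
    exit(1);
}
echo "chain as sent by the server:\n", implode("\n", describeChain($ctx)), "\n";

// Re-run the validation locally: leaf against the CA bundle, with the intermediates the
// server sent supplied as untrusted certificates. A clean-looking chain that still fails
// here means the issuing or root CA is not in $cafile.
$chain = stream_context_get_options($ctx)['ssl']['peer_certificate_chain'];
$untrusted = tempnam(sys_get_temp_dir(), 'chain');
$pem = '';
foreach (array_slice($chain, 1) as $cert) {
    openssl_x509_export($cert, $out);
    $pem .= $out;
}
file_put_contents($untrusted, $pem);
$ok = openssl_x509_checkpurpose($chain[0], X509_PURPOSE_SSL_SERVER, [$cafile], $untrusted);
unlink($untrusted);
echo "leaf validates against $cafile: ", ($ok === true ? 'yes' : 'no'), "\n";
fclose($fp);
```

Run it from the SquirrelMail host as the web server user (php -f probe.php) so that file permissions on the CA bundle are exercised the same way configtest.php exercises them; a bundle the web server cannot read produces the same "certificate verify failed" as a bundle that lacks the root.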

squirrelmail-users mailing list
