Re: Problem with STARTTLS

On Sat, April 28, 2018 14:45, Paul Lesniewski wrote:

>
> Off the top of my head, I'd suggest trying to write a small POC
> script to see if you can make the connection without any other
> code in the way. But it does seem clear that the IMAP server does
> not in fact have the CA's certificate, despite you having said
> you copied it over.  OTOH, the SquirrelMail instance might be
> sending a different certificate than you expected.  Maybe you can
> check to see if you can get Cyrus to dump out what certificates
> are actually being exchanged.
>

I am having a similar problem with SMTP now and am no longer seeing
the IMAP error reported in configtest.php.  That does not mean the
problem is solved, just that presently it is no longer shown.

This is what I have traced things to wrt SM on the new host:

[Mon Apr 30 09:10:22.510233 2018] [:error] [pid 75098] [client
192.168.209.44:36022] PHP Warning:  fsockopen(): SSL operation failed
with code 1. OpenSSL Error messages:\nerror:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed in
/usr/local/www/squirrelmail/src/configtest.php on line 406

[Mon Apr 30 09:10:22.510311 2018] [:error] [pid 75098] [client
192.168.209.44:36022] PHP Warning:  fsockopen(): Failed to enable
crypto in /usr/local/www/squirrelmail/src/configtest.php on line 406

[Mon Apr 30 09:10:22.511594 2018] [:error] [pid 75098] [client
192.168.209.44:36022] PHP Warning:  fsockopen(): unable to connect to
ssl://inet08.hamilton.harte-lyne.ca:465 (Unknown error) in
/usr/local/www/squirrelmail/src/configtest.php on line 406


Using openssl s_client and specifying the exact certificates and keys
as are provided in the SM virtual server definition I get this:

# export PKIDIR='/usr/local/etc/pki/tls'
# openssl s_client \
  -connect inet08.hamilton.harte-lyne.ca:465 \
  -CAfile $PKIDIR/certs/ca-bundle.crt \
  -cert $PKIDIR/certs/ca.harte-lyne.hamilton.squirrelmail.crt \
  -key $PKIDIR/private/ca.harte-lyne.hamilton.squirrelmail.key

CONNECTED(00000003)
depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited,
OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L =
Hamilton
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:/CN=inet08.hamilton.harte-lyne.ca/OU=Networked Data
Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=hamilton/DC=harte-lyne/DC=ca
   i:/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
 1 s:/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
   i:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
 2 s:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
   i:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
---
Server certificate
-----BEGIN CERTIFICATE-----
MIILJTCCCQ2gAwIBAgIEIBYALTANBgkqhkiG9w0BAQ0FADCBwDEbMBkGA1UEAxQS
. . .
q4rj6MY5H4mGKSDOnLegFan/5JJgk+JJBKWR1ft8scU0xxkLlIaipEm2XMFvDAam
S27LzQwvqcNv1d8Y2uEazAG1WtM0BgMzdA==
-----END CERTIFICATE-----
subject=/CN=inet08.hamilton.harte-lyne.ca/OU=Networked Data
Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=hamilton/DC=harte-lyne/DC=ca
issuer=/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte &
Lyne Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
---
Acceptable client certificate CA names
. . .
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign,
Inc. - For authorized use only/CN=VeriSign Universal Root
Certification Authority

/C=US/O=VISA/OU=Visa International Service Association/CN=Visa
eCommerce Root

/C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp
Global Certification Authority

/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca

/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked
Data Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton

/CN=CA HLL ISSUER 01/OU=Networked Data Services/O=Harte & Lyne
Limited/C=CA/ST=Ontario/L=Hamilton/DC=harte-lyne.ca

/CN=CA HLL ROOT/OU=Networked Data Services/O=Harte & Lyne
Limited/C=CA/ST=Ontario/L=Hamilton/DC=harte-lyne.ca

Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 28952 bytes and written 3647 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
21C8AC15523362B10D94F2248C7055B05147E423DCC6BA010023041552C4439C
    Session-ID-ctx:
    Master-Key:
B7B94158F3EEFB1FB71A8F4367FB2E0BC61E483BD2072E24D9C6E974A2F84EB9AFC3A17F11A6BC5C6830ABD01BDCF41E
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - f8 9d 58 d4 76 a9 d3 b2-f4 e6 82 31 de 23 d7 11 . . .
    Start Time: 1525101722
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
220 inet08.hamilton.harte-lyne.ca ESMTP Postfix


As demonstrated above, I can connect to SMTP using the same
certificates and keys as configured for Squirrelmail, as shown below:

. . .
SSLCertificateFile \
    /usr/local/etc/pki/tls/certs/ca.harte-lyne.hamilton.squirrelmail.crt

SSLCertificateKeyFile \
    /usr/local/etc/pki/tls/private/ca.harte-lyne.hamilton.squirrelmail.key

SSLCACertificateFile \
    /usr/local/etc/pki/tls/certs/ca-bundle.crt
. . .
# SSLVerifyClient options: 'none' - 'optional_no_ca' - 'optional' - 'require'
SSLVerifyClient optional
SSLVerifyDepth  10

The socket error report shows up on searches as being related to a php
configuration issue for Windows.  But I see no obvious problem with
the PHP install on the SM host and no provision for explicitly
configuring openssl in php.ini.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
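Two different trust lookups are in play in the post above. configtest.php calls fsockopen() with no stream context, so PHP verifies the server against its default CA locations (the openssl.cafile / openssl.capath php.ini directives, or OpenSSL's compiled-in default file and directory), not against the Apache SSLCACertificateFile. The s_client run, by contrast, was handed -CAfile explicitly and still ended with "Verify return code: 19 (self signed certificate in certificate chain)", which OpenSSL reports when the self-signed root at the top of the chain (here CA_HLL_ROOT_2016 at depth=2) is not found in the trust file it was given. The following PHP script is an added diagnostic example, not code from the post or from SquirrelMail; it reports PHP's default CA locations and then repeats the connection with an explicit context using the host and file paths from the post, so the two causes can be told apart:

```php
<?php
// Added diagnostic script (not from the original post or SquirrelMail).
// It repeats the configtest.php connection to ssl://host:465 but with an
// explicit stream context, so a verification failure can be attributed to
// either the trust file handed to PHP or to PHP's default CA locations.

$host   = 'inet08.hamilton.harte-lyne.ca';   // SMTPS host from the post
$port   = 465;
$pkidir = '/usr/local/etc/pki/tls';          // PKIDIR from the post

// 1. Where does PHP look for CAs when a caller (like fsockopen() in
//    configtest.php) supplies no context?  A bare fsockopen() call falls
//    back to these paths; compare them with ca-bundle.crt.
echo "PHP default CA locations:\n";
foreach (openssl_get_cert_locations() as $k => $v) {
    printf("  %-24s %s\n", $k, $v === '' ? '(unset)' : $v);
}

// 2. Same trust file, client certificate and key as the s_client run.
$ctx = stream_context_create([
    'ssl' => [
        'verify_peer'             => true,
        'verify_peer_name'        => true,
        'cafile'                  => "$pkidir/certs/ca-bundle.crt",
        'local_cert'              => "$pkidir/certs/ca.harte-lyne.hamilton.squirrelmail.crt",
        'local_pk'                => "$pkidir/private/ca.harte-lyne.hamilton.squirrelmail.key",
        'capture_peer_cert_chain' => true,
    ],
]);

$fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                           STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    fwrite(STDERR, "connect failed: [$errno] $errstr\n");
    // Drain OpenSSL's error queue; "certificate verify failed" and the
    // X509 verify reason are reported here, as in the Apache error log.
    while (($e = openssl_error_string()) !== false) {
        fwrite(STDERR, "  openssl: $e\n");
    }
    exit(1);
}

// 3. Handshake succeeded: print the SMTP banner and the chain the server
//    sent, so the root it presents can be compared with ca-bundle.crt.
echo "banner: " . fgets($fp);
$ssl = stream_context_get_params($ctx)['options']['ssl'];
foreach ($ssl['peer_certificate_chain'] as $i => $cert) {
    $x = openssl_x509_parse($cert);
    printf("%d subject CN=%s  issuer CN=%s\n", $i, $x['subject']['CN'], $x['issuer']['CN']);
}
fwrite($fp, "QUIT\r\n");
fclose($fp);
```

Run it on the SquirrelMail host as the web-server user (`php poc.php`). If the explicit-context connection succeeds while configtest.php still fails, the gap is PHP's default trust store, which is set with the openssl.cafile (or openssl.capath) directive in php.ini. If the explicit connection fails with the same verify error s_client reported, the bundle named in cafile does not contain the CA_HLL_ROOT_2016 certificate the server sends at depth 2, and `openssl x509 -noout -subject` over the bundle's entries will show which roots it actually holds.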


-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users