Re: Problem with STARTTLS

On Mon, April 30, 2018 3:46 pm, James B. Byrne wrote:
>
> On Sat, April 28, 2018 14:45, Paul Lesniewski wrote:
>
>>
>> Off the top of my head, I'd suggest trying to write a small POC
>> script to see if you can make the connection without any other
>> code in the way. But it does seem clear that the IMAP server does
>> not in fact have the CA's certificate, despite you having said
>> you copied it over.  OTOH, the SquirrelMail instance might be
>> sending a different certificate than you expected.  Maybe you can
>> check to see if you can get Cyrus to dump out what certificates
>> are actually being exchanged.
>>
>
> I am having a similar problem with SMTP now and am no longer seeing
> the IMAP error reported in configtest.php.  That does not mean the
> problem is solved, just that presently it is no longer shown.

Errors don't stop being reported unless they are solved or something
changed.  If you fixed it for IMAP, go with the same changes for SMTP.

> This is what I have traced things to wrt SM on the new host:
>
> [Mon Apr 30 09:10:22.510233 2018] [:error] [pid 75098] [client
> 192.168.209.44:36022] PHP Warning:  fsockopen(): SSL operation failed
> with code 1. OpenSSL Error messages:\nerror:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed in
> /usr/local/www/squirrelmail/src/configtest.php on line 406
>
> [Mon Apr 30 09:10:22.510311 2018] [:error] [pid 75098] [client
> 192.168.209.44:36022] PHP Warning:  fsockopen(): Failed to enable
> crypto in /usr/local/www/squirrelmail/src/configtest.php on line 406
>
> [Mon Apr 30 09:10:22.511594 2018] [:error] [pid 75098] [client
> 192.168.209.44:36022] PHP Warning:  fsockopen(): unable to connect to
> ssl://inet08.hamilton.harte-lyne.ca:465 (Unknown error) in
> /usr/local/www/squirrelmail/src/configtest.php on line 406
>
>
> Using openssl s_client and specifying the exact certificates and keys
> as are provided in the SM virtual server definition I get this:
>
> # export PKIDIR='/usr/local/etc/pki/tls'
> # openssl s_client \
>   -connect inet08.hamilton.harte-lyne.ca:465 \
>   -CAfile $PKIDIR/certs/ca-bundle.crt \
>   -cert $PKIDIR/certs/ca.harte-lyne.hamilton.squirrelmail.crt \
>   -key $PKIDIR/private/ca.harte-lyne.hamilton.squirrelmail.key
>
> CONNECTED(00000003)
> depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited,
> OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L =
> Hamilton
> verify error:num=19:self signed certificate in certificate chain
> ---
> Certificate chain
>  0 s:/CN=inet08.hamilton.harte-lyne.ca/OU=Networked Data
> Services/O=Harte & Lyne
> Limited/L=Hamilton/ST=Ontario/C=CA/DC=hamilton/DC=harte-lyne/DC=ca
>    i:/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
> Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
>  1 s:/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
> Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
>    i:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
> Limited/OU=Networked Data
> Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
>  2 s:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
> Limited/OU=Networked Data
> Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
>    i:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
> Limited/OU=Networked Data
> Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIILJTCCCQ2gAwIBAgIEIBYALTANBgkqhkiG9w0BAQ0FADCBwDEbMBkGA1UEAxQS
> . . .
> q4rj6MY5H4mGKSDOnLegFan/5JJgk+JJBKWR1ft8scU0xxkLlIaipEm2XMFvDAam
> S27LzQwvqcNv1d8Y2uEazAG1WtM0BgMzdA==
> -----END CERTIFICATE-----
> subject=/CN=inet08.hamilton.harte-lyne.ca/OU=Networked Data
> Services/O=Harte & Lyne
> Limited/L=Hamilton/ST=Ontario/C=CA/DC=hamilton/DC=harte-lyne/DC=ca
> issuer=/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte &
> Lyne Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
> ---
> Acceptable client certificate CA names
> . . .
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2008 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Universal Root
> Certification Authority
>
> /C=US/O=VISA/OU=Visa International Service Association/CN=Visa
> eCommerce Root
>
> /C=US/OU=www.xrampsecurity.com/O=XRamp Security Services Inc/CN=XRamp
> Global Certification Authority
>
> /CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
> Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
>
> /CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked
> Data Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
>
> /CN=CA HLL ISSUER 01/OU=Networked Data Services/O=Harte & Lyne
> Limited/C=CA/ST=Ontario/L=Hamilton/DC=harte-lyne.ca
>
> /CN=CA HLL ROOT/OU=Networked Data Services/O=Harte & Lyne
> Limited/C=CA/ST=Ontario/L=Hamilton/DC=harte-lyne.ca
>
> Client Certificate Types: RSA sign, DSA sign, ECDSA sign
> Requested Signature Algorithms:
> RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Shared Requested Signature Algorithms:
> RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
> Peer signing digest: SHA512
> Server Temp Key: ECDH, P-256, 256 bits
> ---
> SSL handshake has read 28952 bytes and written 3647 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 4096 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
>     Session-ID:
> 21C8AC15523362B10D94F2248C7055B05147E423DCC6BA010023041552C4439C
>     Session-ID-ctx:
>     Master-Key:
> B7B94158F3EEFB1FB71A8F4367FB2E0BC61E483BD2072E24D9C6E974A2F84EB9AFC3A17F11A6BC5C6830ABD01BDCF41E
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 7200 (seconds)
>     TLS session ticket:
>     0000 - f8 9d 58 d4 76 a9 d3 b2-f4 e6 82 31 de 23 d7 11 . . .
>     Start Time: 1525101722
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)

That's likely your problem - SquirrelMail needs the homebrewed CA or you
need to adjust the verify options.

> ---
> 220 inet08.hamilton.harte-lyne.ca ESMTP Postfix
>
>
> As demonstrated above, I can connect to SMTP using the same
> certificates and keys as configured for Squirrelmail, as shown below:

I'm confused - you say you've configured cert/key for SquirrelMail but
below looks like Apache style configuration and below that, you state that
you aren't aware of how to configure the PHP side.  I will guess that you
are not using $imap_stream_options and $smtp_stream_options in
config/config_local.php

Sorry it's not documented in 1.4.x but it works the same as 1.5.x --
please see:

https://sourceforge.net/p/squirrelmail/code/HEAD/tree/trunk/squirrelmail/config/config_local.example.php
https://secure.php.net/manual/en/context.ssl.php


> . . .
> SSLCertificateFile \
>     /usr/local/etc/pki/tls/certs/ca.harte-lyne.hamilton.squirrelmail.crt
>
> SSLCertificateKeyFile \
>     /usr/local/etc/pki/tls/private/ca.harte-lyne.hamilton.squirrelmail.key
>
> SSLCACertificateFile \
>     /usr/local/etc/pki/tls/certs/ca-bundle.crt
> . . .
> # SSLVerifyClient options: 'none' - 'optional_no_ca' - 'optional' -
> 'require'
> SSLVerifyClient optional
> SSLVerifyDepth  10
>
> The socket error report shows up on searches as being related to a php
> configuration issue for Windows.  But I see no obvious problem with
> the PHP install on the SM host and no provision for explicitly
> configuring openssl in php.ini.
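The following is an added example, not code from the thread or from SquirrelMail. It is the kind of small stand-alone proof-of-concept suggested earlier in the thread: it opens an SSL connection to the SMTPS port with an explicit trust store, using the same PHP SSL context keys that go under the 'ssl' entry of $smtp_stream_options / $imap_stream_options in config/config_local.php (that nesting is assumed from config_local.example.php; the keys themselves are the documented context.ssl options). The host, port and CA path are taken from the thread as assumptions. A failure with "certificate verify failed" here is exactly what configtest.php reports; s_client verify code 19 means the chain the server sends ends in a self-signed root that is not in the CA file, so the script also dumps the presented chain and checks whether that root is actually present in ca-bundle.crt.

```php
<?php
// Added example, not SquirrelMail code. Probe an SMTPS server with an
// explicit trust store, the way SquirrelMail will once stream options are set.
// Host, port and CA path are assumptions taken from the thread; adjust them.

$host   = 'inet08.hamilton.harte-lyne.ca';
$port   = 465;
$cafile = '/usr/local/etc/pki/tls/certs/ca-bundle.crt'; // must contain the HLL root

// Standard PHP SSL context options (https://www.php.net/manual/en/context.ssl.php).
// The same array is what goes under the 'ssl' key of $smtp_stream_options
// or $imap_stream_options in config/config_local.php (assumed shape; see
// config_local.example.php linked above).
$sslOptions = array(
    'verify_peer'             => true,   // verify the server chain against cafile
    'verify_peer_name'        => true,   // and that the certificate matches $host
    'allow_self_signed'       => false,  // never paper over a verification failure
    'cafile'                  => $cafile,
    'capture_peer_cert_chain' => true,   // keep the presented chain for diagnostics
);

// Connect with the given SSL options. Returns 'ok', the SMTP banner on
// success, the PHP/OpenSSL error text on failure, and the chain the server
// presented (subject CN / issuer CN per certificate) when it was captured.
function tls_probe($host, $port, array $sslOptions, $timeout = 10)
{
    $ctx    = stream_context_create(array('ssl' => $sslOptions));
    $errno  = 0;
    $errstr = '';
    // '@' silences the warnings; we read them back via error_get_last(),
    // because on SSL failures $errstr is usually empty and $errno is 0
    // (that is the "Unknown error" seen in the Apache log).
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, $timeout,
                                STREAM_CLIENT_CONNECT, $ctx);
    $result = array('ok' => false, 'banner' => null, 'error' => null, 'chain' => array());

    if ($fp === false) {
        $last = error_get_last();
        $result['error'] = $errstr !== '' ? $errstr : ($last ? $last['message'] : "errno $errno");
        return $result;
    }

    $result['ok']     = true;
    $result['banner'] = trim((string) fgets($fp, 512));   // e.g. "220 ... ESMTP Postfix"
    fwrite($fp, "QUIT\r\n");

    $opts = stream_context_get_options($fp);
    if (!empty($opts['ssl']['peer_certificate_chain'])) {
        foreach ($opts['ssl']['peer_certificate_chain'] as $cert) {
            $p = openssl_x509_parse($cert);
            $result['chain'][] = array(
                'subject' => isset($p['subject']['CN']) ? $p['subject']['CN'] : $p['name'],
                'issuer'  => isset($p['issuer']['CN'])  ? $p['issuer']['CN']  : '?',
            );
        }
    }
    fclose($fp);
    return $result;
}

// Does the trust store really contain a certificate whose subject CN is $cn?
function cafile_has_cn($cafile, $cn)
{
    $pem = @file_get_contents($cafile);
    if ($pem === false) {
        return false;
    }
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $m);
    foreach ($m[0] as $block) {
        $p = openssl_x509_parse($block);
        if ($p && isset($p['subject']['CN']) && $p['subject']['CN'] === $cn) {
            return true;
        }
    }
    return false;
}

// 1. Strict probe: what SquirrelMail effectively does with the options above.
$strict = tls_probe($host, $port, $sslOptions);
if ($strict['ok']) {
    echo "verified OK, banner: {$strict['banner']}\n";
} else {
    echo "verification FAILED: {$strict['error']}\n";

    // 2. Diagnostic probe ONLY: disable verification to see which chain the
    //    server actually sends. Never put verify_peer => false in config_local.php.
    $diag = tls_probe($host, $port, array('verify_peer'             => false,
                                          'verify_peer_name'        => false,
                                          'capture_peer_cert_chain' => true));
    foreach ($diag['chain'] as $i => $c) {
        echo "  chain[$i] subject={$c['subject']} issuer={$c['issuer']}\n";
    }
    // s_client verify code 19 means the chain ends in a self-signed root that
    // is not trusted: the issuer of the last certificate must be in $cafile.
    if ($diag['chain']) {
        $root = end($diag['chain']);
        echo cafile_has_cn($cafile, $root['issuer'])
            ? "  root '{$root['issuer']}' IS in $cafile; check file permissions for the web server user\n"
            : "  root '{$root['issuer']}' is NOT in $cafile; append it there\n";
    }
}
```

Run it as the same user the web server runs as (for example via php-cgi or `su -m www -c 'php probe.php'`), since a CA file the operator can read but the httpd user cannot produces the same "certificate verify failed" as a missing root.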



-----
squirrelmail-users mailing list
Posting guidelines: http://squirrelmail.org/postingguidelines
List address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List archives: http://news.gmane.org/gmane.mail.squirrelmail.user
List info (subscribe/unsubscribe/change options): https://lists.sourceforge.net/lists/listinfo/squirrelmail-users


