Original message
Subject: Re: [SM-USERS] Squirrelmail does not connect to SSL IMAP server
after upgrading to PHP 5.6
From: Dmitry Katsubo
To: Squirrelmail User Support Mailing List
Cc: Julien Métairie
Date: 03/01/2016 22:05
> On 26/12/2015 22:52, Paul Lesniewski wrote:
>> On 12/14/15, Julien Métairie wrote:
>>> [...]
>>> The following is logged on the web server running Squirrelmail:
>>>
>>> PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL
>>> Error message:\nerror:14090086:SSL
>>> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in
>>> /usr/share/squirrelmail/src/configtest.php on line 431.
>>>
>>> And on the IMAP mail server:
>>>
>>> couriertls: accept: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
>>> alert unknown ca
>>>
>>> As far as I understand, PHP 5.6 enforces certificate checking. SM allows
>>> tweaking these checks with $imap_stream_options, but I can't manage to
>>> use it. For testing purposes, I added the following to
>>> /etc/squirrelmail/config_local.php :
>>>
>>> $imap_stream_options = array(
>>>     'ssl' => array(
>>>         'verify_peer' => false,
>>>     ),
>>> );
>>>
>>> But there is no change with or without this option. I also tried to turn
>>> 'allow_self_signed' on, without success.
>>
>> You might insert something like this:
>>
>> sm_print_r('STREAM OPTIONS:', $stream_options);
>>
>> Around line 763 of functions/imap_general.php
>>
>> Make sure your settings are being used.
>>
>> Otherwise, it sounds a little to me like your PHP installation isn't
>> functioning properly. Check here for the available options:
>>
>> http://php.net/manual/en/context.ssl.php
>>
Line 763 is in the middle of function sqimap_get_delimiter() (probably
because we are running different versions of SM), I see no point
checking stream options here.

I tracked stream options in sqimap_login(), just before fsockopen(), but
$stream_options and $imap_stream_options were *not* defined.

Moreover, it appears that no context is passed to fsockopen():

    $imap_stream = @fsockopen($imap_server_address, $imap_port,
                              $error_number, $error_string, 15);

As far as I understand, stream_socket_client() should be used instead of
fsockopen() and a context should be passed as 6th argument. That's why I
tried the following:

    $imap_stream_options = array(
        'tls' => array(
            'verify_peer' => false,
        ),
        'ssl' => array(
            'verify_peer' => false,
        ),
    );
    $context = stream_context_create($imap_stream_options);
    $imap_stream = @stream_socket_client($imap_server_address . ":" .
        $imap_port, $error_number, $error_string, 15, STREAM_CLIENT_CONNECT,
        $context) or die ("$php_errormsg");

Here is the result:

    stream_socket_client(): unable to connect to tls://192.168.218.12:993
    (Unknown error)

No luck!
>
> I had the same problem and I have created a patch (090_ssl.dpatch) for
> squirrelmail v1.5.1. If you don't use self-signed certificate on Cyrus,
> then you don't need allow_self_signed=true.
>
> I also attach a few other patches (which perhaps are already this way or
> another present in upstream):
>
> 080_global.php_session.dpatch: Fixes PHP warning about session usage.
> 081_mail_fetch.functions.php_hex2bin.dpatch: hex2bin() function is
> present in PHP
> 090_ssl.dpatch: Fixes SSL and adds support for self-signed certificates.
> 091_abook_preg.dpatch: Fixes PHP warning concerning eregi()
> 099_warnings.dpatch: Fixes other PHP warnings (I am not sure I've done
> it right)
>
Thank you for this work. Unfortunately, these patches are designed for SM
1.5, whereas I run Squirrelmail 1.4 (which seems to be very different).
I didn't manage to make any suitable patch for SM 1.4.
That said, you may want to push them to SourceForge repos. :)
Regards,
Julien
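
An added example, not part of the thread and not SquirrelMail code: a standalone PHP script that passes an 'ssl' stream context to stream_socket_client() as discussed above, and compares disabling verification with keeping it on against an explicit CA file. The host name, the CA file path and the helper name imap_tls_connect() are assumptions.

```php
<?php
// Added example, not SquirrelMail code; host, CA path and helper name are placeholders.
// Opens a TLS connection with an explicit 'ssl' context: array(stream|false, error).
function imap_tls_connect($host, $port, array $ssl_options, $timeout = 15)
{
    $context = stream_context_create(array('ssl' => $ssl_options));
    $warnings = array();
    // Capture warnings instead of silencing them with @: they carry the
    // OpenSSL reason (e.g. "certificate verify failed").
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $stream = stream_socket_client("ssl://$host:$port", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $context);
    restore_error_handler();
    if ($stream === false) {
        return array(false, trim($errstr . ' ' . implode(' | ', $warnings)));
    }
    return array($stream, '');
}

$host = 'imap.example.org';   // placeholder: a name present in the server certificate

$profiles = array(
    // Weak: traffic is encrypted, but any certificate is accepted (testing only).
    'no verification' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
    // Corrected: keep the PHP 5.6 checks on and trust the signing CA explicitly.
    'verified against CA file' => array(
        'verify_peer' => true,
        'verify_peer_name' => true,
        'peer_name' => $host,
        'cafile' => '/etc/ssl/certs/imap-ca.pem',   // placeholder path
    ),
);

foreach ($profiles as $label => $ssl_options) {
    list($stream, $error) = imap_tls_connect($host, 993, $ssl_options);
    if ($stream === false) {
        echo "$label: FAILED: $error\n";
        continue;
    }
    echo "$label: OK, greeting: " . fgets($stream);   // first line sent by the IMAP server
    fclose($stream);
}
```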