SSL certificate woes with Roundcube 1.3 and PHP 5.6

SSL certificate woes with Roundcube 1.3 and PHP 5.6

Ralph Seichter
With Roundcube 1.3.0 and PHP 5.6.31, I keep seeing errors like the
following in my logs:

  Aug 10 11:00:31 myhost roundcube: <0ho1kdmf> IMAP Error:
  Login failed for username from [ip-address]. Could not connect
  to ssl://imap.some.domain:993: Unknown reason in
  /var/www/roundcubemail/program/lib/Roundcube/rcube_imap.php
  on line 196 (POST /rcm/?_task=login&_action=login)

Outgoing SMTP TLS connections from Roundcube are affected, too. This is
probably caused by how PHP 5.6 verifies certificates. I have tried
configuring openssl.cafile=/etc/ssl/certs/ca-certificates.crt and/or
openssl.capath=/etc/ssl/certs in php.ini with world-readable certificate
chains, but no dice. I am positive that the IMAP and SMTP servers
(Dovecot and Postfix, respectively) are configured correctly, because
MUAs like Thunderbird or iOS Mail connect successfully.

When I include the following workaround in config.inc.php Roundcube can
connect to the IMAP server:

  $config['default_host'] = 'ssl://imap.some.domain';
  $config['imap_conn_options'] = array(
    'ssl' => array(
      'verify_peer' => false,
    ),
  );

Does anybody here know how to debug and fix this? Other people seem to
have this problem as well, but disabling peer verification was the only
recommendation I could find so far, and for obvious reasons I would like
to avoid that.

-Ralph
_______________________________________________
Roundcube Users mailing list
[hidden email]
http://lists.roundcube.net/mailman/listinfo/users

Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Davide Perini
I had the same problems until a saint suggested that I stop using
self-signed certificates and start using Let's Encrypt.
It's completely free and you can create strong signed certificates in
minutes.
There are also several ways to create an automatic renewal process.

I switched from self-signed certificates to a strong certificate signed by an
authority for free in less than an hour.

This guide has everything you need to know.
https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates

Bye
Davide




On 10 August 2017 3:46:12 PM Ralph Seichter
<[hidden email]> wrote:

> With Roundcube 1.3.0 and PHP 5.6.31, I keep seeing errors like the
> following in my logs:
>
>   Aug 10 11:00:31 myhost roundcube: <0ho1kdmf> IMAP Error:
>   Login failed for username from [ip-address]. Could not connect
>   to ssl://imap.some.domain:993: Unknown reason in
>   /var/www/roundcubemail/program/lib/Roundcube/rcube_imap.php
>   on line 196 (POST /rcm/?_task=login&_action=login)
>
> Outgoing SMTP TLS connections from Roundcube are affected, too. This is
> probably caused by how PHP 5.6 verifies certificates. I have tried
> configuring openssl.cafile=/etc/ssl/certs/ca-certificates.crt and/or
> openssl.capath=/etc/ssl/certs in php.ini with world-readable certificate
> chains, but no dice. I am positive that the IMAP and SMTP servers
> (Dovecot and Postfix, respectively) are configured correctly, because
> MUAs like Thunderbird or iOS Mail connect successfully.
>
> When I include the following workaround in config.inc.php Roundcube can
> connect to the IMAP server:
>
>   $config['default_host'] = 'ssl://imap.some.domain';
>   $config['imap_conn_options'] = array(
>     'ssl' => array(
>       'verify_peer' => false,
>     ),
>   );
>
> Does anybody here know how to debug and fix this? Other people seem to
> have this problem as well, but disabling peer verification was the only
> recommendation I could find so far, and for obvious reasons I would like
> to avoid that.
>
> -Ralph


Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Ralph Seichter
On 10.08.17 19:00, Davide Perini wrote:

> I had the same problems until a saint suggested that I stop using
> self-signed certificates and start using Let's Encrypt. It's completely free
> and you can create strong signed certificates in minutes.

Thanks, I am aware of Let's Encrypt, but the problems I described occur
with certificates issued by both Let's Encrypt and by my own CA (not
self-signed certs, but a real CA). I guess I should have mentioned that.

I included my own CA certificates and those provided by Let's Encrypt in
my Roundcube server's keychain, but it just does not work as expected. I
am fairly certain it is related to PHP 5.6 in particular, as I described
earlier.

-Ralph

Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Michael Grimm-2
In reply to this post by Ralph Seichter
Ralph Seichter <[hidden email]> wrote:

> With Roundcube 1.3.0 and PHP 5.6.31, I keep seeing errors like the
> following in my logs:
>
> Aug 10 11:00:31 myhost roundcube: <0ho1kdmf> IMAP Error:
> Login failed for username from [ip-address]. Could not connect
> to ssl://imap.some.domain:993: Unknown reason in
> /var/www/roundcubemail/program/lib/Roundcube/rcube_imap.php
> on line 196 (POST /rcm/?_task=login&_action=login)
>
> Outgoing SMTP TLS connections from Roundcube are affected, too. This is
> probably caused by how PHP 5.6 verifies certificates. I have tried
> configuring openssl.cafile=/etc/ssl/certs/ca-certificates.crt and/or
> openssl.capath=/etc/ssl/certs in php.ini with world-readable certificate
> chains, but no dice. I am positive that the IMAP and SMTP servers
> (Dovecot and Postfix, respectively) are configured correctly, because
> MUAs like Thunderbird or iOS Mail connect successfully.
>
> When I include the following workaround in config.inc.php Roundcube can
> connect to the IMAP server:
>
>   $config['default_host'] = 'ssl://imap.some.domain';
>   $config['imap_conn_options'] = array(
>     'ssl' => array(
>       'verify_peer' => false,
>     ),
>   );
>
> Does anybody here know how to debug and fix this? Other people seem to
> have this problem as well, but disabling peer verification was the only
> recommendation I could find so far, and for obvious reasons I would like
> to avoid that.

I did struggle for a long time as well ;-)

Here's my "HOWTO" in config.inc.php, and please note that my roundcube/nginx and both postfix/dovecot (10.10.10.2) run in different FreeBSD jails. Thus you might need to stick with localhost:

// GRIMM (howto)
//
//      ssl:    explicit SSL
//      tls:    implicit STARTTLS
//
//      peer_name:
//              openssl s_client -connect 10.10.10.2:993 will show Common Name (CN)
//              of peer's certificate, and that name will become peer_name
//
//      IMPORTANT: pkg install ca_root_nss
//
// GRIMM (modified from 'localhost')
$config['default_host'] = 'ssl://10.10.10.2';
// GRIMM (end)

// GRIMM (added)
$config['imap_conn_options'] = array(
    'ssl' => array(
            'peer_name' => 'my-peer-name-shown-from-command-above',
    ),
);
// GRIMM (end)

// TCP port used for IMAP connections
// GRIMM (modified from 143)
$config['default_port'] = 993;
// GRIMM (end)

// SMTP server host (for sending mails).
// GRIMM (modified from '')
$config['smtp_server'] = 'tls://10.10.10.2';
// GRIMM (end)

// GRIMM (added)
$config['smtp_conn_options'] = array(
    'ssl' => array(
            'peer_name' => 'my-peer-name-shown-from-command-above',
    ),
);
// GRIMM (end)

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
// GRIMM (modified from 25)
$config['smtp_port'] = 587;
// GRIMM (end)


HTH and regards,
Michael




Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Ralph Seichter
On 10.08.17 19:50, Michael Grimm wrote:

> Here's my "HOWTO" in config.inc.php, and please note that my
> roundcube/nginx and both postfix/dovecot (10.10.10.2) run in different
> FreeBSD jails. Thus you might need to stick with localhost [...]

I verified that the peer name matches my

  $config['default_host'] = 'ssl://imap.some.domain';

entry, and I also tested your

  'peer_name' => 'imap.some.domain'

suggestion, but still no workee. Using localhost is not an option,
because Roundcube runs on server A and Dovecot/Postfix on server B
(namely imap.some.domain). Also, if I could use localhost, I would
not mind turning off peer verification.

-Ralph

Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Davide Perini
In reply to this post by Ralph Seichter
I am using PHP 5.6 and I don't have this problem, so no,
I don't think that this is your problem.
I'm pretty sure that the problem resides in your postfix/dovecot
configuration, if you use those.

If you use postfix/dovecot I can tell you where to look.

Bye,
Davide


On 10/08/2017 19.30, Ralph Seichter wrote:

> On 10.08.17 19:00, Davide Perini wrote:
>
>> I had the same problems until a saint suggested that I stop using
>> self-signed certificates and start using Let's Encrypt. It's completely free
>> and you can create strong signed certificates in minutes.
> Thanks, I am aware of Let's Encrypt, but the problems I described occur
> with certificates issued by both Let's Encrypt and by my own CA (not
> self-signed certs, but a real CA). I guess I should have mentioned that.
>
> I included my own CA certificates and those provided by Let's Encrypt in
> my Roundcube server's keychain, but it just does not work as expected. I
> am fairly certain it is related to PHP 5.6 in particular, as I described
> earlier.
>
> -Ralph

Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Ralph Seichter
On 11.08.17 00:00, Davide Perini wrote:

> I'm pretty sure that the problem resides in your postfix/dovecot
> configuration, if you use those.

Sorry, but no. As I stated in my OP, other clients can access Dovecot
and Postfix just fine (tested with iOS Mail, Apple Mail, Thunderbird on
macOS and Windows). Roundcube 1.3 with PHP 5.6 is the only combination
causing problems, and since Roundcube uses PHP to establish IMAP
connections and I can connect fine if I disable PHP peer verification,
the cause is definitely that verification mechanism failing on my
Roundcube server. The crux is to figure out why it fails.

Google confirms that other people experienced similar problems after
updating to PHP 5.6, which enabled peer verification as a default
setting (see http://php.net/manual/en/migration56.openssl.php).

-Ralph

Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Davide Perini
If you use correct certificates with a correct postfix/dovecot configuration,
you must be able to do peer verification.
If you are not able to do it, you don't have the right certificates or the
right configuration.
The wrong config may reside in the postfix/dovecot files or in roundcube
itself.

Thunderbird ignores peer verification on both IMAP and SMTP.

Bye


On 11 August 2017 00:24:52 Ralph Seichter
<[hidden email]> wrote:

> On 11.08.17 00:00, Davide Perini wrote:
>
>> I'm pretty sure that the problem resides in your postfix/dovecot
>> configuration, if you use those.
>
> Sorry, but no. As I stated in my OP, other clients can access Dovecot
> and Postfix just fine (tested with iOS Mail, Apple Mail, Thunderbird on
> macOS and Windows). Roundcube 1.3 with PHP 5.6 is the only combination
> causing problems, and since Roundcube uses PHP to establish IMAP
> connections and I can connect fine if I disable PHP peer verification,
> the cause is definitely that verification mechanism failing on my
> Roundcube server. The crux is to figure out why it fails.
>
> Google confirms that other people experienced similar problems after
> updating to PHP 5.6, which enabled peer verification as a default
> setting (see http://php.net/manual/en/migration56.openssl.php).
>
> -Ralph


Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Michael Grimm-2
In reply to this post by Ralph Seichter
On 2017-08-10 20:21, Ralph Seichter wrote:

> I verified that the peer name matches my
>
>   $config['default_host'] = 'ssl://imap.some.domain';
>
> entry, and I also tested your
>
>   'peer_name' => 'imap.some.domain'
>
> suggestion, but still no workee.

I had had to install FreeBSD's ca_root_nss port [1] as well. Do you have
those root certificates in place at your host running roundcube?

Regards,
Michael

[1] port description: Root certificates from certificate authorities
included in the Mozilla NSS library and thus in Firefox and Thunderbird.

Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Ralph Seichter
On 11.08.2017 09:40, Michael Grimm wrote:

> I had had to install FreeBSD's ca_root_nss port [1] as well. Do you
> have those root certificates in place at your host running roundcube?

The Gentoo equivalent package is app-misc/ca-certificates, and yes, it
is installed. Additionally, I manually placed certs for my own CA and
for Let's Encrypt CAs into /usr/local/share/ca-certificates, which is
Gentoo's recommended method of providing additional CA information. My
php.ini contains

  openssl.cafile=/etc/ssl/certs/ca-certificates.crt

which is generated by Gentoo and contains all certs in one big file (See
"man update-ca-certificates").


What I have done today is to rebuild OpenSSL, PHP and even Apache, in
that order. It seemed a long shot, but I had run out of ideas. Lo and
behold, rebuilding has done the trick! A simple

  $config['default_host'] = 'ssl://imap.some.domain';

without any additional options is now sufficient, and peer verification
obviously works, as I also verified using

  openssl s_client -showcerts -connect imap.some.domain:993

I'm obviously glad, but still, colour me surprised. :-P

-Ralph

Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Ralph Seichter
In reply to this post by Davide Perini
On 11.08.2017 09:26, Davide Perini wrote:

> Thunderbird ignores peer verification on both IMAP and SMTP.

Nope. For a test, set up foo.some.domain and bar.some.domain as CNAME
records for imap.some.domain, with the server certificate containing
both imap.some.domain and foo.some.domain, but not bar.some.domain.

The attempt to connect with an IMAP server name of bar.some.domain will
cause Thunderbird to open an "Add Security Exception" dialog, with the
complaint "Wrong Site - The certificate belongs to a different site,
which could mean that someone is trying to impersonate this site." (see
attached image). That's the result of peer verification.

-Ralph

thunderbird.png (18K)

Re: SSL certificate woes with Roundcube 1.3 and PHP 5.6

Maarten
In reply to this post by Ralph Seichter
I'm using php56 with roundcube (1.3.0) and have no problems sending mail
via roundcube.

imap settings:

  $config['imap_conn_options'] = array(
    'ssl'         => array(
      'verify_peer'  => true,
      'verify_depth' => 3,
      'cafile'       => '/etc/pki/tls/certs/combined.pem',
    ),
  );

smtp settings:

  $config['smtp_conn_options'] = array(
    'ssl'         => array(
      'verify_peer'  => true,
      'verify_depth' => 3,
    ),
  );

Hope that helps?

Cheers!

Maarten



On 2017-08-10 15:38, Ralph Seichter wrote:

> With Roundcube 1.3.0 and PHP 5.6.31, I keep seeing errors like the
> following in my logs:
>
>   Aug 10 11:00:31 myhost roundcube: <0ho1kdmf> IMAP Error:
>   Login failed for username from [ip-address]. Could not connect
>   to ssl://imap.some.domain:993: Unknown reason in
>   /var/www/roundcubemail/program/lib/Roundcube/rcube_imap.php
>   on line 196 (POST /rcm/?_task=login&_action=login)
>
> Outgoing SMTP TLS connections from Roundcube are affected, too. This is
> probably caused by how PHP 5.6 verifies certificates. I have tried
> configuring openssl.cafile=/etc/ssl/certs/ca-certificates.crt and/or
> openssl.capath=/etc/ssl/certs in php.ini with world-readable certificate
> chains, but no dice. I am positive that the IMAP and SMTP servers
> (Dovecot and Postfix, respectively) are configured correctly, because
> MUAs like Thunderbird or iOS Mail connect successfully.
>
> When I include the following workaround in config.inc.php Roundcube can
> connect to the IMAP server:
>
>   $config['default_host'] = 'ssl://imap.some.domain';
>   $config['imap_conn_options'] = array(
>     'ssl' => array(
>       'verify_peer' => false,
>     ),
>   );
>
> Does anybody here know how to debug and fix this? Other people seem to
> have this problem as well, but disabling peer verification was the only
> recommendation I could find so far, and for obvious reasons I would like
> to avoid that.
>
> -Ralph
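Ralph's original question was how to debug the failure, and the thread's answers all come down to which ssl context options Roundcube hands to PHP (Michael's peer_name, Maarten's verify_peer/cafile). The following standalone diagnostic is an added example, not code from this thread or from Roundcube: it opens the same kind of ssl:// stream rcube_imap does, with those options, and prints the real OpenSSL verification error (which the Roundcube log collapses to "Unknown reason") or, on success, the CN, SAN entries and issuer chain the server presented. The file name tls_check.php is hypothetical, and the host and CA bundle default to the placeholders used in this thread.

```php
<?php
// tls_check.php (hypothetical name; added example, not Roundcube code).
// Opens the same kind of ssl:// stream rcube_imap does, with the ssl context
// options the thread puts into $config['imap_conn_options']['ssl'], and
// surfaces the OpenSSL reason that Roundcube's log shows as "Unknown reason".
// Usage: php tls_check.php imap.some.domain 993 [/etc/ssl/certs/ca-certificates.crt]

$host   = isset($argv[1]) ? $argv[1] : 'imap.some.domain';   // placeholder host
$port   = isset($argv[2]) ? (int)$argv[2] : 993;
$cafile = isset($argv[3]) ? $argv[3] : null;

// Where this PHP build looks for trust anchors: php.ini openssl.cafile/capath
// and OpenSSL's compiled-in defaults (available since PHP 5.6). A stale path
// here fails verification for every host while other MUAs keep working.
print_r(openssl_get_cert_locations());

$ssl = array(
    'verify_peer'             => true,   // PHP 5.6 default, made explicit
    'verify_peer_name'        => true,
    'peer_name'               => $host,  // must match the cert's CN or a SAN
    'capture_peer_cert'       => true,   // keep the leaf so it can be inspected
    'capture_peer_cert_chain' => true,
);
if ($cafile !== null) {
    $ssl['cafile'] = $cafile;            // same key Roundcube passes through
}
$ctx = stream_context_create(array('ssl' => $ssl));

// PHP reports handshake failures as E_WARNING; $errstr is usually empty.
$warnings = array();
set_error_handler(function ($no, $msg) use (&$warnings) { $warnings[] = $msg; return true; });
$fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
restore_error_handler();

if ($fp === false) {
    echo "Connect failed: errno=$errno errstr='$errstr'\n";
    foreach ($warnings as $w) { echo "  PHP: $w\n"; }
    while ($e = openssl_error_string()) { echo "  OpenSSL: $e\n"; }
    exit(1);
}

// Verified: show what the server presented so peer_name, SAN entries and the
// issuer chain can be compared with the CA bundle PHP is actually using.
$opts = stream_context_get_params($ctx);
$opts = $opts['options']['ssl'];
$leaf = openssl_x509_parse($opts['peer_certificate']);
echo "Subject CN : " . (isset($leaf['subject']['CN']) ? $leaf['subject']['CN'] : '(none)') . "\n";
echo "SAN        : " . (isset($leaf['extensions']['subjectAltName']) ? $leaf['extensions']['subjectAltName'] : '(none)') . "\n";
echo "Valid until: " . date('c', $leaf['validTo_time_t']) . "\n";
foreach ($opts['peer_certificate_chain'] as $i => $cert) {
    $p = openssl_x509_parse($cert);
    echo "Chain[$i] issuer: " . (isset($p['issuer']['CN']) ? $p['issuer']['CN'] : $p['issuer']['O']) . "\n";
}
echo "Greeting   : " . fgets($fp);      // IMAP banner, e.g. "* OK Dovecot ready."
fclose($fp);
```

The same script works for SMTPS on port 465, since that is also an implicit ssl:// stream; a tls:// STARTTLS connection negotiates TLS after the plaintext greeting and is not covered here.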