#1 2015-01-31 22:39:30

pgoetz
Member
From: Austin, Texas
Registered: 2014-02-21
Posts: 355

[SOLVED] Roundcube doesn't appear to work with PHP 5.6

Edit: I got some help from someone on the Roundcube list.  It turns out my problem involved some Roundcube configuration options that don't seem to be documented.  See the last comment in this thread for the solution.  I will update the Roundcube wiki page to prevent others from having to go through this.

My setup is Postfix for SMTP and Cyrus for IMAP.  The Cyrus IMAP server is set up for plain text authentication over STARTTLS (using a self-signed SSL certificate).

I'm pretty sure I've configured Roundcube correctly; however, I can't get it to authenticate.  Looking in the Roundcube error log, I see:

[31-Jan-2015 10:27:14 America/Chicago] PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube_imap_generic.php on line 915
[31-Jan-2015 10:27:14 -0600]: IMAP Error: Login failed for pgoetz@episcopalarchives.org from 67.198.113.124. Unable to negotiate TLS in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 184 (POST /?_task=login?_task=login&_action=login)

Googling for a solution, I found this Stack Overflow thread suggesting that this is a problem with PHP 5.6 not being able to find self-signed SSL certificates:

http://stackoverflow.com/questions/2682 … ify-failed

The roundcube wiki page tells me nothing (in fact, is quite incomplete; I've already made several changes to bring it up to speed a bit).

Is anyone else successfully using Roundcube with PHP 5.6.5 and an IMAP server that only allows STARTTLS connections using a self-signed certificate?

Last edited by pgoetz (2015-02-03 16:30:58)

#2 2015-02-01 09:59:26

Spider.007
Member
Registered: 2004-06-20
Posts: 1,175

Re: [SOLVED] Roundcube doesn't appear to work with PHP 5.6

PHP uses OpenSSL, which uses the system's trusted certificates. Did you try adding your own CA to this? It also seems you misinterpret the situation; PHP should not trust your self-signed certificate because it provides no security benefit if it did.

#3 2015-02-01 10:44:35

pgoetz
Member
From: Austin, Texas
Registered: 2014-02-21
Posts: 355

Re: [SOLVED] Roundcube doesn't appear to work with PHP 5.6

Spider.007 wrote:

PHP uses OpenSSL which uses the system's trusted certificates. Did you try adding your own CA to this?

Yeah, I did.  I should have mentioned that I can access the mail server using Thunderbird, and don't have any problems.

OK, then the question becomes: is it even possible to use any PHP-based mailer on a machine which only allows STARTTLS connections and uses a self-signed certificate?  I don't think it's that uncommon to use self-signed certificates in situations like this where you're not worried so much about man-in-the-middle attacks.

#4 2015-02-03 16:40:08

pgoetz
Member
From: Austin, Texas
Registered: 2014-02-21
Posts: 355

Re: [SOLVED] Roundcube doesn't appear to work with PHP 5.6

So, in order to get Roundcube to use TLS authentication with a self-signed certificate, you must configure $config['imap_conn_options'] in /etc/webapps/roundcubemail/config/config.inc.php.  You must also make sure to set $config['default_host'] using a tls:// prefix, as illustrated below.

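// The tls:// prefix makes Roundcube negotiate STARTTLS with the IMAP server.
$config['default_host'] = 'tls://mail.my_domain.org';

// PHP stream-context SSL options applied to the IMAP connection.
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'       => true,
        'allow_self_signed' => true,
        'peer_name'         => 'mail.my_domain.org',
        // OpenSSL cipher-list keywords are case-sensitive; the keyword is aNULL.
        'ciphers'           => 'TLSv1+HIGH:!aNULL:@STRENGTH',
        // The server's self-signed certificate, used as the trust anchor.
        'cafile'            => '/etc/ssl/certs/ssl-cert-cyrus.my_domain.org.pem',
    ),
);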

I'm not sure that the ciphers entry is necessary (I have the same ciphers set in /etc/cyrus/imapd.conf), but this configuration works and I've already spent too much time fiddling with this configuration.

The complete list of PHP SSL options can be found here: http://php.net/manual/en/context.ssl.php

Last edited by pgoetz (2015-02-03 16:42:02)
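
An offline way to see what the cafile and peer_name options in the post above decide, as an added example that is not part of the original thread: it uses the openssl command line rather than PHP, and the hostnames (mail.example.org, imap.example.org, ca.example.net), the throwaway certificates and the helper names make_cert and tls_decision are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Hostnames, certificates and helper names are constructed
# for this demonstration; nothing here contacts a mail server.

# make_cert NAME OUT.pem: write a throwaway self-signed certificate, CN=NAME
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# tls_decision CAFILE PEER_NAME SERVER_CERT
# Prints "accept" or "reject": the verdict of a client that verifies the
# peer (verify_peer), trusts CAFILE (cafile) and expects PEER_NAME (peer_name).
tls_decision() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
    then echo accept
    else echo reject
    fi
}

demo() {
    d=$(mktemp -d) || return 1
    make_cert mail.example.org "$d/cyrus.pem"    # the IMAP server's certificate
    make_cert mail.example.org "$d/rekeyed.pem"  # same name, different key
    make_cert ca.example.net   "$d/other.pem"    # trust store without our cert

    # Trust store that does not contain the certificate: verification fails.
    echo "cafile lacks the cert : $(tls_decision "$d/other.pem" mail.example.org "$d/cyrus.pem")"
    # cafile is the server's own self-signed certificate: verification passes.
    echo "cafile is the cert    : $(tls_decision "$d/cyrus.pem" mail.example.org "$d/cyrus.pem")"
    # peer_name must match the name in the certificate.
    echo "peer_name mismatch    : $(tls_decision "$d/cyrus.pem" imap.example.org "$d/cyrus.pem")"
    # The anchor is the certificate, not the name: a re-keyed cert is refused.
    echo "different certificate : $(tls_decision "$d/cyrus.pem" mail.example.org "$d/rekeyed.pem")"
    rm -rf "$d"
}

demo
```

Only the second case prints accept; the other three print reject.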
