James B. Byrne via freebsd-questions
2018-04-30 14:29:40 UTC
I am trying to get a Squirrelmail-1.4.23, running on FreeBSD-11.1
under Apache-2.4.33, to connect to our existing Cyrus-IMAP and SMTP
services using TLS. Examination of the web service log files for ssh
reveals these messages:
[Mon Apr 30 09:10:22.510233 2018] [:error] [pid 75098] [client
192.168.209.44:36022] PHP Warning: fsockopen(): SSL operation failed
with code 1. OpenSSL Error messages:\nerror:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed in
/usr/local/www/squirrelmail/src/configtest.php on line 406
[Mon Apr 30 09:10:22.510311 2018] [:error] [pid 75098] [client
192.168.209.44:36022] PHP Warning: fsockopen(): Failed to enable
crypto in /usr/local/www/squirrelmail/src/configtest.php on line 406
[Mon Apr 30 09:10:22.511594 2018] [:error] [pid 75098] [client
192.168.209.44:36022] PHP Warning: fsockopen(): unable to connect to
ssl://inet08.hamilton.harte-lyne.ca:465 (Unknown error) in
/usr/local/www/squirrelmail/src/configtest.php on line 406
Now, if I connect to inet08.hamilton.harte-lyne.ca:465 using openssl
s_client I see this:
openssl s_client -connect inet08.hamilton.harte-lyne.ca:465
CONNECTED(00000003)
depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited,
OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L =
Hamilton
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
0 s:/CN=inet08.hamilton.harte-lyne.ca/OU=Networked Data
Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=hamilton/DC=harte-lyne/DC=ca
i:/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
1 s:/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
i:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
2 s:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
i:/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne
Limited/OU=Networked Data
Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
. . .
/CN=CA_HLL_ISSUER_2016/OU=Networked Data Services/O=Harte & Lyne
Limited/L=Hamilton/ST=Ontario/C=CA/DC=harte-lyne/DC=ca
/CN=CA_HLL_ROOT_2016/ST=Ontario/O=Harte & Lyne Limited/OU=Networked
Data Services/C=CA/DC=harte-lyne/DC=ca/L=Hamilton
/CN=CA HLL ISSUER 01/OU=Networked Data Services/O=Harte & Lyne
Limited/C=CA/ST=Ontario/L=Hamilton/DC=harte-lyne.ca
/CN=CA HLL ROOT/OU=Networked Data Services/O=Harte & Lyne
Limited/C=CA/ST=Ontario/L=Hamilton/DC=harte-lyne.ca
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms:
RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 26264 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
E7DE228999475FBD23FB0B22AF334B6052C7BAA6355AAE7829D3C703762B7E43
Session-ID-ctx:
Master-Key:
45424D86AE35120A190A5B7ECDA7F75D769A0CE0B5A59A051D8B87FCF94158A680F0F08533447B65DE4577EAA4422546
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
. . .
Start Time: 1525097083
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
220 inet08.hamilton.harte-lyne.ca ESMTP Postfix
At which point I can manually issue an EHLO and connect.
This indicates to me that the issue lies in one or more configuration
issues relating to Apache-2.4, PHP-5.6 and Squirrelmail.
The Squirrelmail SMTP and IMAP configurations of the service having
problems are identical to those used by our existing and fully
functioning Squirrelmail system.
The message
PHP Warning: fsockopen(): unable to connect to
ssl://inet08.hamilton.harte-lyne.ca:465 (Unknown error) in
/usr/local/www/squirrelmail/src/configtest.php on line 406
refers to this line of code:
/usr/local/www/squirrelmail/src/configtest.php
405 $stream = fsockopen(
($use_smtp_tls?'ssl://':'').$smtpServerAddress, $smtpPort,
406 $errorNumber, $errorString);
Which to me indicates that the call to fsockopen is the real issue.
Researching this error leads to multiple reports of a php.ini
configuration issue, but always with respect to Microsoft Windows.
I have verified that the necessary php module is installed:
# pkg search openssl | grep php
php56-openssl-5.6.35 The openssl shared extension for php
php70-openssl-7.0.29 The openssl shared extension for php
php71-openssl-7.1.16 The openssl shared extension for php
php72-openssl-7.2.4 The openssl shared extension for php
# pkg info php56-openssl
php56-openssl-5.6.35
Name : php56-openssl
Version : 5.6.35
Installed on : Wed Apr 11 10:36:37 2018 EDT
. . .
Other than for Windows systems there seem to be no specific
configuration options for openssl inside /usr/local/etc/php.ini.
Likewise, the contents of /usr/local/etc/apache24/Includes/php.conf
make no reference to openssl.
Has anyone any ideas on how to solve this issue?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:***@Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
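The "verify error:num=19" in the s_client output and the "certificate verify failed" in the PHP log both say the same thing: the client side has no copy of the private CA_HLL_ROOT_2016 root, so the chain cannot be verified, and PHP 5.6 verifies peer certificates by default. The following probe, an added example that is not part of the original post or of SquirrelMail's configtest.php, opens the same ssl:// connection with an explicit CA bundle so that verification can succeed without being disabled; the bundle path is an assumed placeholder.

```php
<?php
// Added example, not from the original post or SquirrelMail: reproduce the
// probe configtest.php performs, but through a stream context that points
// at the private CA bundle (root + issuer certificates in PEM form).
// $caFile is an assumed placeholder path; adjust it to the real bundle.
function probeSmtps($host, $port, $caFile)
{
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'       => true,   // PHP >= 5.6 default, kept explicit
        'verify_peer_name'  => true,   // CN/SAN must match $host
        'cafile'            => $caFile,
        'capture_peer_cert' => true,   // keep the leaf so we can report it
    )));

    $errno = 0;
    $errstr = '';
    $stream = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                    STREAM_CLIENT_CONNECT, $ctx);
    if ($stream === false) {
        // Drain OpenSSL's error queue: this is where the
        // "certificate verify failed" detail actually lives.
        $detail = array();
        while (($e = openssl_error_string()) !== false) {
            $detail[] = $e;
        }
        return array('ok' => false, 'error' => "$errno $errstr",
                     'openssl' => $detail);
    }

    // Verification passed: report who answered and the SMTP banner.
    $opts   = stream_context_get_options($stream);
    $cert   = openssl_x509_parse($opts['ssl']['peer_certificate']);
    $banner = fgets($stream, 512);   // expect "220 ... ESMTP Postfix"
    fclose($stream);

    return array('ok' => true, 'subject' => $cert['subject'],
                 'banner' => trim($banner));
}

// Constructed invocation; the CA bundle path is a placeholder.
print_r(probeSmtps('inet08.hamilton.harte-lyne.ca', 465,
                   '/usr/local/etc/ssl/hll-ca-bundle.pem'));
```

The same bundle can be made the default for every stream, fsockopen() in configtest.php included, with the openssl.cafile directive in php.ini (PHP 5.6 and later) or with stream_context_set_default(); the equivalent check from the shell is openssl s_client -connect inet08.hamilton.harte-lyne.ca:465 -CAfile <bundle>, which should then report "Verify return code: 0 (ok)".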