Topic: [SOLVED] TLS authentication doesn't seem to work on a PHP 5.6.5 based system

pgoetz
[Edit: this issue has been resolved.  Many thanks to SKaero for pointing me in the right direction.  See final comment for solution.]

I am unable to get roundcube to authenticate users on an Arch Linux system running postfix 2.11.3 and cyrus 2.4.17 with PHP 5.6.5.

Plain text authentication is turned off in cyrus to improve security, so users must log in using STARTTLS on port 143.  Using, for example, Thunderbird works fine, so both the SMTP/IMAP servers are working and properly configured.

Looking in the roundcube log files I get this error message when trying to log in:

Code:
[31-Jan-2015 10:27:14 America/Chicago] PHP Warning:  stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube_imap_generic.php on line 915
[31-Jan-2015 10:27:14 -0600]: IMAP Error: Login failed for pgoetz@episcopalarchives.org from 67.198.113.124. Unable to negotiate TLS in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 184 (POST /?_task=login?_task=login&_action=login)

Googling around for a solution, I found this discussion on Stack Overflow, suggesting that the problem has to do with changes introduced in PHP 5.6:

http://stackoverflow.com/questions/26827192/phpmailer-ssl3-get-server-certificatecertificate-verify-failed

Fixing this is above my PHP pay grade; I'm just trying to get a webmailer working on the server.  Can someone confirm that this is an issue with PHP 5.6 and/or suggest a fix?

Thanks!
« Last Edit: February 03, 2015, 11:14:00 AM by pgoetz »

SKaero
Re: TLS authentication doesn't seem to work on a PHP 5.6.5 based system
« Reply #1 on: January 31, 2015, 08:10:00 PM »
You need to add IMAP SSL options to <RC root>/config/config.inc.php:
Code:
// IMAP socket context options
// See http://php.net/manual/en/context.ssl.php
// The example below enables server certificate validation
//$config['imap_conn_options'] = array(
//  'ssl'         => array(
//     'verify_peer'  => true,
//     'verify_depth' => 3,
//     'cafile'       => '/etc/openssl/certs/ca.crt',
//   ),
// );
$config['imap_conn_options'] = null;

pgoetz
Re: TLS authentication doesn't seem to work on a PHP 5.6.5 based system
« Reply #2 on: February 01, 2015, 02:41:25 PM »
Awesome.  Thank you for that tip (which I couldn't find documented anywhere).  This got me closer.  I'm still not able to log in, but now the error message is just an authentication failure:

Code:
[01-Feb-2015 08:29:53 -0600]: IMAP Error: Login failed for pgoetz@episcopalarchives.org from 67.198.113.124. AUTHENTICATE PLAIN: authentication failure in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 184 (POST /?_task=login?_task=login&_action=login)

I am able to connect to the IMAP server using Thunderbird, so I know this works in general.  I basically just copied the sample configuration provided:

Code:
$config['imap_conn_options'] = array(
    'ssl' => array(
        'verify_peer'  => true,
        'verify_depth' => 3,
        'cafile'       => '/etc/ssl/certs/ssl-cert-cyrus.episcopalarchives.org.pem',
    ),
);

I did have to change the default host from
Code:
$config['default_host'] = 'tls://localhost';
to
Code:
$config['default_host'] = 'tls://mail.episcopalarchives.org';

as PHP was complaining that the CN name in the certificate didn't match "localhost".

Any thoughts on how to further debug this?

pgoetz
Re: TLS authentication doesn't seem to work on a PHP 5.6.5 based system
« Reply #3 on: February 01, 2015, 06:20:18 PM »
The cyrus log file provides some information:

Code:
Feb 01 12:18:37 www cyrus/imap[19521]: badlogin: www.episcopalarchives.org [216.82.212.230] PLAIN [SASL(-13): authentication failure: cross-realm login pgoetz@episcopalarchives.org denied]

I'll need to investigate why it thinks I'm trying to login using a different realm.

pgoetz
Re: TLS authentication doesn't seem to work on a PHP 5.6.5 based system
« Reply #4 on: February 03, 2015, 06:47:32 AM »
Nothing I try seems to work.  I got rid of the cross-realm authentication error by setting:
Code:
$config['default_host'] = 'tls://mail.episcopalarchives.org';
but now roundcube gives me this error message:

Code:
[03-Feb-2015 00:21:57 America/Chicago] PHP Warning:  stream_socket_enable_crypto(): Peer certificate CN=`mail.episcopalarchives.org' did not match expected CN=`localhost' in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube_imap_generic.php on line 915
[03-Feb-2015 00:21:57 -0600]: IMAP Error: Login failed for pgoetz@episcopalarchives.org from 67.198.113.124. Unable to negotiate TLS in /usr/share/webapps/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 184 (POST /?_task=login?_task=login&_action=login)

Maybe roundcube doesn't support the ciphers I'm allowing?

Code:
tls_cipher_list:  TLSv1+HIGH:!aNull:@STRENGTH
No idea, but I'm about to give up and switch to horde.

SKaero
Re: TLS authentication doesn't seem to work on a PHP 5.6.5 based system
« Reply #5 on: February 03, 2015, 11:10:01 AM »
I believe you need to set peer_name to "mail.episcopalarchives.org" in the imap_conn_options.

pgoetz
Yes, that was it!  Here is the final configuration for $config['imap_conn_options'] which worked for me:

Code:
$config['default_host'] = 'tls://mail.episcopalarchives.org';

$config['imap_conn_options'] = array(
    'ssl' => array(
      'verify_peer'       => true,
      'allow_self_signed' => true,
      'peer_name'         => 'mail.episcopalarchives.org',
      'ciphers' => 'TLSv1+HIGH:!aNull:@STRENGTH',
      'cafile'  => '/etc/ssl/certs/ssl-cert-cyrus.episcopalarchives.org.pem',
    ),
);

The last problem I had was caused because I had set $config['username_domain'] earlier while trying to get it to work and then forgot to unset it -- this is what was giving me the cross-realm authentication error in cyrus.  You can have this option set, but then the cyrus configuration must include support for virtual domains; i.e. if these fields are set in /etc/cyrus/imapd.conf
Code:
   defaultdomain: episcopalarchives.org
   virtdomains: on

then you can still authenticate if $config['username_domain'] is set; otherwise you get a cross-realm authentication error.

simfin
Hello

I've been researching and testing this issue most of the day. The problem with the above configuration (using 'verify_peer' => false, and side-stepping SSL verification) is that, although your SSL connection via PHP may be encrypted, it will be open to man-in-the-middle (MITM) attacks. http://en.wikipedia.org/wiki/Man-in-the-middle_attack

To verify your certificate use the following config in both imap_conn_options and smtp_conn_options. Note the path to your cert should be in 'local_cert' not 'cafile'.

Code:
    'ssl' => array(
        'peer_name'        => 'your.domain.com',
        'verify_peer_name' => true,
        'capath'           => '/path/to/authority/certificates/directory', # Usually /etc/ssl/certs or /usr/lib/ssl/certs/
        'local_cert'       => '/path/to/your.domain.com.crt', # Should be a combined cert & key in pem format
        'verify_peer'      => true,
    ),


Note: this is really only needed on servers running PHP 5.6. See the following links:

SSL changes in PHP 5.6: http://php.net/manual/en/migration56.openssl.php

SSL context options in PHP: http://php.net/manual/en/context.ssl.php
« Last Edit: February 12, 2015, 10:33:37 PM by simfin »
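The STARTTLS upgrade that all of the warnings in this thread come from, as an added diagnostic script (it is not Roundcube code and was not posted by anyone in the thread). It mirrors what rcube_imap_generic does for a tls:// default_host: a plain TCP connection to port 143, the IMAP STARTTLS command, then stream_socket_enable_crypto() with the same 'ssl' context options as $config['imap_conn_options'], and it prints the PHP warnings the handshake raises instead of leaving them in the Roundcube log. Before connecting it parses the cafile and reports whether it is the server's own self-signed certificate (in which case its CN or subjectAltName must itself cover peer_name, as in the final configuration above) or a CA certificate that the server's certificate must chain to. The host name, cafile path and option values are assumptions copied from the final configuration; 'capture_peer_cert' is a standard PHP SSL context option used here only to print what the server actually presented. The trust anchor belongs in 'cafile' or 'capath', the options the PHP manual defines for CA material; 'local_cert' is the client-certificate option and is not needed to verify the server.

```php
<?php
// Added diagnostic (not Roundcube code): replay the STARTTLS upgrade that
// rcube_imap_generic performs for a tls:// default_host, using the same
// 'ssl' context options as $config['imap_conn_options'], and show what fails.
// Host name, paths and option values are assumptions; adjust them to your server.

$defaultHost = 'tls://mail.episcopalarchives.org';   // $config['default_host']
$sslOptions  = array(                                // $config['imap_conn_options']['ssl']
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,   // true only while cafile is the server's own self-signed cert
    'peer_name'         => 'mail.episcopalarchives.org',
    'cafile'            => '/etc/ssl/certs/ssl-cert-cyrus.episcopalarchives.org.pem',
    'capture_peer_cert' => true,    // standard PHP option; lets us print what the server sent
);

// Pre-flight: is the cafile readable and parseable, and what kind of certificate is it?
function describe_cafile($path, $peerName)
{
    if (!is_readable($path)) {
        return "cafile $path is not readable (check ownership/permissions for the web server user)";
    }
    $parsed = openssl_x509_parse(file_get_contents($path));
    if ($parsed === false) {
        return "cafile $path is not a PEM-encoded X.509 certificate";
    }
    $cn  = isset($parsed['subject']['CN']) ? $parsed['subject']['CN'] : '';
    $san = isset($parsed['extensions']['subjectAltName']) ? $parsed['extensions']['subjectAltName'] : '';
    if ($parsed['subject'] != $parsed['issuer']) {
        // A CA certificate: the server's leaf must chain to it; the CA's own CN need not match.
        return 'cafile is a CA certificate (subject ' . $parsed['name'] . '); the server certificate must be signed by it';
    }
    // Self-signed: the file is the server's own certificate, so it must itself name peer_name.
    $covers = ($cn === $peerName) || (strpos($san, 'DNS:' . $peerName) !== false);
    return "cafile is self-signed (CN=$cn, SAN=$san) and "
         . ($covers ? 'covers' : 'does NOT cover') . " peer_name=$peerName"
         . ($covers ? '' : ' -> expect a CN mismatch warning');
}

echo describe_cafile($sslOptions['cafile'], $sslOptions['peer_name']), "\n";

// Capture the warnings stream_socket_enable_crypto() emits; these are the same
// messages Roundcube writes to its error log.
$warnings = array();
set_error_handler(function ($errno, $errstr) use (&$warnings) {
    $warnings[] = $errstr;
    return true;
});

// Roundcube connects in the clear on port 143 for tls:// hosts and upgrades with STARTTLS.
$host = preg_replace('#^tls://#', '', $defaultHost);
$ctx  = stream_context_create(array('ssl' => $sslOptions));
$fp   = stream_socket_client("tcp://$host:143", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    die("TCP connect to $host:143 failed: $errstr ($errno)\n");
}
echo 'Greeting: ', trim(fgets($fp)), "\n";

fwrite($fp, "a001 STARTTLS\r\n");
$reply = trim(fgets($fp));
echo "STARTTLS reply: $reply\n";
if (strpos($reply, 'a001 OK') !== 0) {
    die("Server did not accept STARTTLS; check that imapd advertises it on port 143\n");
}

// The call that produced the thread's "certificate verify failed" and
// "Peer certificate CN=... did not match expected CN=..." warnings.
$ok = stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
restore_error_handler();

if ($ok === true) {
    $params   = stream_context_get_params($ctx);
    $leaf     = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    $issuerCn = isset($leaf['issuer']['CN']) ? $leaf['issuer']['CN'] : '(no CN)';
    echo "TLS established; server presented CN=", $leaf['subject']['CN'], " issued by CN=", $issuerCn, "\n";
    fwrite($fp, "a002 LOGOUT\r\n");
} else {
    echo "TLS negotiation failed:\n";
    foreach ($warnings as $w) {
        echo "  ", $w, "\n";
    }
}
fclose($fp);
```

Run it as the web server user (for example `sudo -u http php imap_tls_check.php` on Arch) so that permission problems on the cafile surface exactly as they would under Roundcube. A "Peer certificate CN=... did not match expected CN=..." warning means peer_name (or, when peer_name is unset, the host in default_host) disagrees with the certificate; "certificate verify failed" means the chain the server sent does not end at what cafile or capath contains. Only once this script reports "TLS established" is the remaining failure an IMAP authentication problem rather than a TLS one.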

UncleIS
Good day,

I registered just to thank you for the explanation of the issue. I spent quite a time googling around before this thread was found. Thanks to it I was able to resolve the issue!
