Author Topic: TLS Handshake Error  (Read 1252 times)

Offline quwax

  • Jr. Member
  • **
  • Posts: 24
TLS Handshake Error
« on: November 17, 2021, 10:51:19 AM »
Hello,
I'm running an old Mac-Server with OSX 10.11 Server installed. On the box I installed php7.3.8 with the script from Liip and I'm getting a TLS handshake error - unknown error.
What I did then was setting imap and smtp options like this:
Code: [Select]
$config['imap_conn_options'] = [
  'ssl'         => [
    'verify_peer'  => false,
    'capture_peer_cert_chain' => true,
    'verify_depth' => 3,
     'cafile'       => '/private/etc/certificates/GandiStandardSSLCA2.pem',
     'local_pk' => '/private/etc/certificates/my.key.pem',
     'local_cert' => '/private/etc/certificates/my.chain.pem'
   ],
];
The certificates is a multi-domain one.
Postfix and Dovecot still show a TLS Handshake error in

What also shakes me the option
Code: [Select]
$config['enable_installer'] = false; is also not working.
But the config file is loaded, I changed the product_name several times.

My guess is, I set the certificates wrong and that I can't disable the installer might be a bug and has nothing to do with the TLS error.
Thanks for any input :-)
Q

Offline quwax

  • Jr. Member
  • **
  • Posts: 24
Re: TLS Handshake Error
« Reply #1 on: November 17, 2021, 11:14:55 AM »
So I got it working this way:
Code: [Select]
$config['imap_conn_options'] = [
  'ssl'         => [
    'verify_peer'  => false,
    'capture_peer_cert_chain' => true,
    'verify_depth' => 3,
     'cafile'       => '/etc/certificates/my.chain.pem',
     'local_pk' => '/etc/certificates/my.key.pem',
   ],
];


as soon as verify_peer is true I get again a TLS error:
Code: [Select]
TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, which still points to a problem with certificates.
The installer I still can't switch off :(

Offline wineguy

  • Newbie
  • *
  • Posts: 1
Re: TLS Handshake Error
« Reply #2 on: October 23, 2022, 11:22:35 PM »
You've disabled peer certificate verification, which probably isn't what you want to do.

Instead update the webserver certificate so that it includes the entire certificate chain; certificate, intermediate certificates, and ca certificate, in that order.

Then update the certificate chain for your imap server (e.g., dovecot) in the same manner. 

Note that your imap server and your webserver may store their certificates in different places (or may on be physically different hardware), so ensure that you update both sets of certificates.

Also, make sure that your roundcube configuration refers to the FQDN of the imap server.  If you use 'localhost', the certificate cannot possibly be verified.
« Last Edit: October 23, 2022, 11:41:28 PM by wineguy »