Hi,
I'm using roundcube-1.3.1 with php70. Up until recently I was using roundcube to connect to TLS-enabled Postfix (SMTP) and Dovecot (IMAP), both of which were using certificates issued to common name mail.example.org. In this setup, the following config worked:
$config['default_host'] = 'tls://mail.example.org';
$config['imap_conn_options'] = array(
'ssl' => array(
'peer_name' => 'mail.example.org',
'verify_peer' => true,
'verify_depth' => 3,
'cafile' => '/path/to/fullchain.pem',
),
);
However, after I switched to certificate issued to example.org which contains alternative domain mail.example.org, above config fails.
Roundcube error og:
[11-Oct-2017 12:06:30 Europe/Belgrade] PHP Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/local/www/roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 1027
Dovecot log:
Oct 11 12:06:30 myserver dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=193.53.106.132, lip=193.53.106.132, TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca: SSL alert number 48, session=<kVjck0JblMDBNWqE>
I can make it work by setting 'verify_peer' => false ...but I'd rather not. I have also experimented with PHP SSL context options (http://php.net/manual/en/context.ssl.php) SNI_enabled and SNI_server_name to no avail.
Is this a known problem, or should roundcube work with alternative domain names in certificates?
Thank you in advance.