php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79909 verify_peer => true, connection "Error: Login failed ... Unknown reason"
Submitted: 2020-07-28 14:42 UTC Modified: 2024-12-17 13:48 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: pgnet dot dev at gmail dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 7.4.8 OS: linux / Fedora 32
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: pgnet dot dev at gmail dot com
New email:
PHP Version: OS:

 

 [2020-07-28 14:42 UTC] pgnet dot dev at gmail dot com
Description:
------------
enabling 'verify_peer' => true, connection fails: "Error: Login failed ... Could not connect ... Unknown reason" ?

TL;DR
1.   client -> server ssl peer verification works OK with `openssl s_client`
2.   php app -> IMAP conection (roundcube -> dovecot) is OK -- if SSL context "verify_peer => false;"
3.   php app -> IMAP conection FAILS -- if "verify_peer => true;", with "Unknown reason" error

i'm attempting -- & FAILing -- to securely connect, with peer verification, a PHP app (roundcube) to an SSL-secured service (dovecot/IMAP).

I'd reported this @ roundcube,

	https://github.com/roundcube/roundcubemail/issues/7514#issuecomment-664786385

, and was told it's a PHP-issue, not a Roundcube problem.


i'm running
```
	php -v
		PHP 7.4.8 (cli) (built: Jul  9 2020 08:57:23) ( NTS )
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
		    with Zend OPcache v7.4.8, Copyright (c), by Zend Technologies

	openssl version
		OpenSSL 1.1.1g FIPS  21 Apr 2020

	roundcube 1.4.7

		git log -n1
	      1 commit cdbefb54e2bebbc61e5fb081c7d1038d884743cf (HEAD, tag: 1.4.7)
	      2 Author: Thomas Bruederli <thomas@roundcube.net>
	      3 Date:   Sat Jul 4 12:32:28 2020 +0200
	      4
	      5     Bump version to 1.4.7

	dovecot --version
		2.3.10.1 (a3d0e1171)

	nginx -v
		nginx version: nginx/1.19.0 (local build)

	php-fpm --version
		PHP 7.4.8 (fpm-fcgi) (built: Jul  9 2020 08:57:23)
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
		    with Zend OPcache v7.4.8, Copyright (c), by Zend Technologies

```

on
```
	grep PRETTY /etc/os-release
		PRETTY_NAME="Fedora 32 (Thirty Two)"
```

dovecot's set up & functioning; IMAP works fine with a non-php client, Thunderbird.

connection to dovecot, WITH peer verification of dovecot's SSL cert, works & identifies "Subject:" & "DNS:" as,
```
	openssl s_client \
	 -4 \
	 -bind 10.12.1.13 \
	 -connect internal.example.com:993 \
	 -verify +9 \
	 -verify_return_error \
	 -verify_hostname internal.example.com \
	 -verify_depth 9 \
	 -ciphersuites TLS_CHACHA20_POLY1305_SHA256 \
	 -cipher ECDHE-ECDSA-CHACHA20-POLY1305 \
	 -cert   /sec/ssl/roundcube.client.ec.crt \
	 -key    /sec/ssl/roundcube.ec.client.key \
	 -CAfile /sec/ssl/ca.chain.crt \
	 -showcerts 2>&1 \
	| openssl x509 -noout -text \
	| egrep 'Subject: |DNS:'


		Subject: C = US, ST = CA, L = HQ, O = example.com, OU = my_CA, CN = internal.example.com, emailAddress = ssl@example.com
		DNS:internal.example.com, DNS:www.internal.example.com, DNS:localhost
```

roundcube, php-config'd similarly, but WITHOUT peer verification,

```
	$config['debug_level'] = 1;
	$config['imap_debug']     = true;
	$config['default_host'] = 'ssl://internal.example.com:993';
	$config['default_port'] = 993;

	$config['imap_conn_options'] = array(
	 'ssl' => array(
	  'verify_peer'       => true,
	  'verify_peer_name'  => false,
	  'peer_name'         => 'internal.example.com',
	  'verify_depth'      => 9,
	  'allow_self_signed' => true,
	  'SNI_enabled'       => true,
	  'ciphers'    => 'TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305',
	  'local_cert' => '/sec/ssl/roundcube.client.ec.crt',
	  'local_pk'   => '/sec/ssl/roundcube.ec.client.key',
	  'cafile'     => '/sec/ssl/ca.chain.crt'
	 ),
	);
```

also connects to the dovecot store without error, & works perfectly with full access/functionality @ my IMAP store.

but, if i toggle rouncube's peer verification ==> ON,
```
-	  'verify_peer'       => false,
+	  'verify_peer'       => true,
```

it FAILs to connect,

> IMAP Error: Login failed ... Could not connect ... Unknown reason in .../roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

_debug_ logs show only,
```
	tail -f /var/log/dovecot/* /var/log/roundcube/*

		[28-Jul-2020 02:45:32 +0000]: <uobpprkr> [C71D] Connecting to ssl://internal.example.com:993...

		==> /var/log/roundcube/errors.log <==
		[28-Jul-2020 02:45:32 +0000]: <uobpprkr> IMAP Error: Login failed for testuser@example-2.com against internal.example.com from 10.12.1.7. Could not connect to ssl://internal.example.com:993: Unknown reason in /usr/local/src/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

		==> /var/log/dovecot/dovecot-info.log <==
		2020-07-27 19:45:32 imap-login: Info: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=10.12.1.13, lip=10.12.1.13, TLS handshaking: Connection closed

		==> /var/log/dovecot/dovecot-debug.log <==
		2020-07-27 19:45:32 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
		2020-07-27 19:45:32 auth: Debug: Read auth token secret from /run/dovecot//auth-token-secret.dat
		2020-07-27 19:45:32 auth: Debug: passwd-file /usr/local/etc/dovecot/sec/users.conf: Read 10 users in 0 secs
```


i understand the 'unknown reason' error: isn't particularly helpful; not clear to me how to get more info, atm.

if add'l info is required, pls specify what/how, & I can provide it.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2024-12-17 13:48 UTC] bukka@php.net
Apology for the delay. We have got tests where the pper verification works fine, so it's either some misconfiguration or some specific bug. I looked to the setup but don't see anything suspicious so will allocate some time for this to properly test it. If it would be possible to provide all certs (including the CA chain and pkey [some testing key]) in the meantime, that would be great (feel free to open a new GH issue or email it to me).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC