PHP :: Bug #79909 :: verify_peer => true, connection "Error: Login failed ... Unknown reason"

[2020-07-28 14:42 UTC] pgnet dot dev at gmail dot com
Description:
------------
enabling 'verify_peer' => true, connection fails: "Error: Login failed ... Could not connect ... Unknown reason" ?

TL;DR
1.   client -> server ssl peer verification works OK with `openssl s_client`
2.   php app -> IMAP conection (roundcube -> dovecot) is OK -- if SSL context "verify_peer => false;"
3.   php app -> IMAP conection FAILS -- if "verify_peer => true;", with "Unknown reason" error

i'm attempting -- & FAILing -- to securely connect, with peer verification, a PHP app (roundcube) to an SSL-secured service (dovecot/IMAP).

I'd reported this @ roundcube,

	https://github.com/roundcube/roundcubemail/issues/7514#issuecomment-664786385

, and was told it's a PHP-issue, not a Roundcube problem.


i'm running
```
	php -v
		PHP 7.4.8 (cli) (built: Jul  9 2020 08:57:23) ( NTS )
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
		    with Zend OPcache v7.4.8, Copyright (c), by Zend Technologies

	openssl version
		OpenSSL 1.1.1g FIPS  21 Apr 2020

	roundcube 1.4.7

		git log -n1
	      1 commit cdbefb54e2bebbc61e5fb081c7d1038d884743cf (HEAD, tag: 1.4.7)
	      2 Author: Thomas Bruederli <thomas@roundcube.net>
	      3 Date:   Sat Jul 4 12:32:28 2020 +0200
	      4
	      5     Bump version to 1.4.7

	dovecot --version
		2.3.10.1 (a3d0e1171)

	nginx -v
		nginx version: nginx/1.19.0 (local build)

	php-fpm --version
		PHP 7.4.8 (fpm-fcgi) (built: Jul  9 2020 08:57:23)
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
		    with Zend OPcache v7.4.8, Copyright (c), by Zend Technologies

```

on
```
	grep PRETTY /etc/os-release
		PRETTY_NAME="Fedora 32 (Thirty Two)"
```

dovecot's set up & functioning; IMAP works fine with a non-php client, Thunderbird.

connection to dovecot, WITH peer verification of dovecot's SSL cert, works & identifies "Subject:" & "DNS:" as,
```
	openssl s_client \
	 -4 \
	 -bind 10.12.1.13 \
	 -connect internal.example.com:993 \
	 -verify +9 \
	 -verify_return_error \
	 -verify_hostname internal.example.com \
	 -verify_depth 9 \
	 -ciphersuites TLS_CHACHA20_POLY1305_SHA256 \
	 -cipher ECDHE-ECDSA-CHACHA20-POLY1305 \
	 -cert   /sec/ssl/roundcube.client.ec.crt \
	 -key    /sec/ssl/roundcube.ec.client.key \
	 -CAfile /sec/ssl/ca.chain.crt \
	 -showcerts 2>&1 \
	| openssl x509 -noout -text \
	| egrep 'Subject: |DNS:'


		Subject: C = US, ST = CA, L = HQ, O = example.com, OU = my_CA, CN = internal.example.com, emailAddress = ssl@example.com
		DNS:internal.example.com, DNS:www.internal.example.com, DNS:localhost
```

roundcube, php-config'd similarly, but WITHOUT peer verification,

```
	$config['debug_level'] = 1;
	$config['imap_debug']     = true;
	$config['default_host'] = 'ssl://internal.example.com:993';
	$config['default_port'] = 993;

	$config['imap_conn_options'] = array(
	 'ssl' => array(
	  'verify_peer'       => true,
	  'verify_peer_name'  => false,
	  'peer_name'         => 'internal.example.com',
	  'verify_depth'      => 9,
	  'allow_self_signed' => true,
	  'SNI_enabled'       => true,
	  'ciphers'    => 'TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305',
	  'local_cert' => '/sec/ssl/roundcube.client.ec.crt',
	  'local_pk'   => '/sec/ssl/roundcube.ec.client.key',
	  'cafile'     => '/sec/ssl/ca.chain.crt'
	 ),
	);
```

also connects to the dovecot store without error, & works perfectly with full access/functionality @ my IMAP store.

but, if i toggle rouncube's peer verification ==> ON,
```
-	  'verify_peer'       => false,
+	  'verify_peer'       => true,
```

it FAILs to connect,

> IMAP Error: Login failed ... Could not connect ... Unknown reason in .../roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

_debug_ logs show only,
```
	tail -f /var/log/dovecot/* /var/log/roundcube/*

		[28-Jul-2020 02:45:32 +0000]: <uobpprkr> [C71D] Connecting to ssl://internal.example.com:993...

		==> /var/log/roundcube/errors.log <==
		[28-Jul-2020 02:45:32 +0000]: <uobpprkr> IMAP Error: Login failed for testuser@example-2.com against internal.example.com from 10.12.1.7. Could not connect to ssl://internal.example.com:993: Unknown reason in /usr/local/src/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

		==> /var/log/dovecot/dovecot-info.log <==
		2020-07-27 19:45:32 imap-login: Info: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=10.12.1.13, lip=10.12.1.13, TLS handshaking: Connection closed

		==> /var/log/dovecot/dovecot-debug.log <==
		2020-07-27 19:45:32 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
		2020-07-27 19:45:32 auth: Debug: Read auth token secret from /run/dovecot//auth-token-secret.dat
		2020-07-27 19:45:32 auth: Debug: passwd-file /usr/local/etc/dovecot/sec/users.conf: Read 10 users in 0 secs
```


i understand the 'unknown reason' error: isn't particularly helpful; not clear to me how to get more info, atm.

if add'l info is required, pls specify what/how, & I can provide it.
Patches

Pull Requests

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for

Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 16 05:01:29 2024 UTC