php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #79909 verify_peer => true, connection "Error: Login failed ... Unknown reason"
Submitted: 2020-07-28 14:42 UTC Modified: 2025-01-28 11:31 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: pgnet dot dev at gmail dot com Assigned: bukka (profile)
Status: Not a bug Package: OpenSSL related
PHP Version: 7.4.8 OS: linux / Fedora 32
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
8 + 47 = ?
Subscribe to this entry?

 
 [2020-07-28 14:42 UTC] pgnet dot dev at gmail dot com 
Description:
------------
enabling 'verify_peer' => true, connection fails: "Error: Login failed ... Could not connect ... Unknown reason" ?

TL;DR
1.   client -> server ssl peer verification works OK with `openssl s_client`
2.   php app -> IMAP conection (roundcube -> dovecot) is OK -- if SSL context "verify_peer => false;"
3.   php app -> IMAP conection FAILS -- if "verify_peer => true;", with "Unknown reason" error

i'm attempting -- & FAILing -- to securely connect, with peer verification, a PHP app (roundcube) to an SSL-secured service (dovecot/IMAP).

I'd reported this @ roundcube,

	https://github.com/roundcube/roundcubemail/issues/7514#issuecomment-664786385

, and was told it's a PHP-issue, not a Roundcube problem.


i'm running
```
	php -v
		PHP 7.4.8 (cli) (built: Jul  9 2020 08:57:23) ( NTS )
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
		    with Zend OPcache v7.4.8, Copyright (c), by Zend Technologies

	openssl version
		OpenSSL 1.1.1g FIPS  21 Apr 2020

	roundcube 1.4.7

		git log -n1
	      1 commit cdbefb54e2bebbc61e5fb081c7d1038d884743cf (HEAD, tag: 1.4.7)
	      2 Author: Thomas Bruederli <thomas@roundcube.net>
	      3 Date:   Sat Jul 4 12:32:28 2020 +0200
	      4
	      5     Bump version to 1.4.7

	dovecot --version
		2.3.10.1 (a3d0e1171)

	nginx -v
		nginx version: nginx/1.19.0 (local build)

	php-fpm --version
		PHP 7.4.8 (fpm-fcgi) (built: Jul  9 2020 08:57:23)
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
		    with Zend OPcache v7.4.8, Copyright (c), by Zend Technologies

```

on
```
	grep PRETTY /etc/os-release
		PRETTY_NAME="Fedora 32 (Thirty Two)"
```

dovecot's set up & functioning; IMAP works fine with a non-php client, Thunderbird.

connection to dovecot, WITH peer verification of dovecot's SSL cert, works & identifies "Subject:" & "DNS:" as,
```
	openssl s_client \
	 -4 \
	 -bind 10.12.1.13 \
	 -connect internal.example.com:993 \
	 -verify +9 \
	 -verify_return_error \
	 -verify_hostname internal.example.com \
	 -verify_depth 9 \
	 -ciphersuites TLS_CHACHA20_POLY1305_SHA256 \
	 -cipher ECDHE-ECDSA-CHACHA20-POLY1305 \
	 -cert   /sec/ssl/roundcube.client.ec.crt \
	 -key    /sec/ssl/roundcube.ec.client.key \
	 -CAfile /sec/ssl/ca.chain.crt \
	 -showcerts 2>&1 \
	| openssl x509 -noout -text \
	| egrep 'Subject: |DNS:'


		Subject: C = US, ST = CA, L = HQ, O = example.com, OU = my_CA, CN = internal.example.com, emailAddress = ssl@example.com
		DNS:internal.example.com, DNS:www.internal.example.com, DNS:localhost
```

roundcube, php-config'd similarly, but WITHOUT peer verification,

```
	$config['debug_level'] = 1;
	$config['imap_debug']     = true;
	$config['default_host'] = 'ssl://internal.example.com:993';
	$config['default_port'] = 993;

	$config['imap_conn_options'] = array(
	 'ssl' => array(
	  'verify_peer'       => true,
	  'verify_peer_name'  => false,
	  'peer_name'         => 'internal.example.com',
	  'verify_depth'      => 9,
	  'allow_self_signed' => true,
	  'SNI_enabled'       => true,
	  'ciphers'    => 'TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305',
	  'local_cert' => '/sec/ssl/roundcube.client.ec.crt',
	  'local_pk'   => '/sec/ssl/roundcube.ec.client.key',
	  'cafile'     => '/sec/ssl/ca.chain.crt'
	 ),
	);
```

also connects to the dovecot store without error, & works perfectly with full access/functionality @ my IMAP store.

but, if i toggle rouncube's peer verification ==> ON,
```
-	  'verify_peer'       => false,
+	  'verify_peer'       => true,
```

it FAILs to connect,

> IMAP Error: Login failed ... Could not connect ... Unknown reason in .../roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

_debug_ logs show only,
```
	tail -f /var/log/dovecot/* /var/log/roundcube/*

		[28-Jul-2020 02:45:32 +0000]: <uobpprkr> [C71D] Connecting to ssl://internal.example.com:993...

		==> /var/log/roundcube/errors.log <==
		[28-Jul-2020 02:45:32 +0000]: <uobpprkr> IMAP Error: Login failed for testuser@example-2.com against internal.example.com from 10.12.1.7. Could not connect to ssl://internal.example.com:993: Unknown reason in /usr/local/src/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

		==> /var/log/dovecot/dovecot-info.log <==
		2020-07-27 19:45:32 imap-login: Info: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=10.12.1.13, lip=10.12.1.13, TLS handshaking: Connection closed

		==> /var/log/dovecot/dovecot-debug.log <==
		2020-07-27 19:45:32 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
		2020-07-27 19:45:32 auth: Debug: Read auth token secret from /run/dovecot//auth-token-secret.dat
		2020-07-27 19:45:32 auth: Debug: passwd-file /usr/local/etc/dovecot/sec/users.conf: Read 10 users in 0 secs
```


i understand the 'unknown reason' error: isn't particularly helpful; not clear to me how to get more info, atm.

if add'l info is required, pls specify what/how, & I can provide it.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2024-12-17 13:48 UTC] bukka@php.net 
Apology for the delay. We have got tests where the pper verification works fine, so it's either some misconfiguration or some specific bug. I looked to the setup but don't see anything suspicious so will allocate some time for this to properly test it. If it would be possible to provide all certs (including the CA chain and pkey [some testing key]) in the meantime, that would be great (feel free to open a new GH issue or email it to me).
 [2025-01-28 11:31 UTC] bukka@php.net
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: bukka
 [2025-01-28 11:31 UTC] bukka@php.net 
So I did some testing with dovecot with roundcube that I needed to setup in my test environment. I generated cert, key but cannot really see any issue - it's connecting fine for me. I think it must be something with the certificate but without it, I cannot really investigate it further. Please open a new issue if you can still see this issue and provide a testing cert and key that it can be used to recreate it.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Apr 27 07:01:27 2025 UTC