Bug #79909 verify_peer => true, connection "Error: Login failed ... Unknown reason"
Submitted: 2020-07-28 14:42 UTC Modified: -
From: pgnet dot dev at gmail dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 7.4.8 OS: linux / Fedora 32
Private report: No CVE-ID: None
 [2020-07-28 14:42 UTC] pgnet dot dev at gmail dot com
Description:
------------
Enabling 'verify_peer' => true, the connection fails: "Error: Login failed ... Could not connect ... Unknown reason" ?

TL;DR
1.   client -> server ssl peer verification works OK with `openssl s_client`
2.   php app -> IMAP connection (roundcube -> dovecot) is OK -- if SSL context "verify_peer => false;"
3.   php app -> IMAP connection FAILS -- if "verify_peer => true;", with "Unknown reason" error

I'm attempting -- & FAILing -- to securely connect, with peer verification, a PHP app (roundcube) to an SSL-secured service (dovecot/IMAP).

I'd reported this @ roundcube, https://github.com/roundcube/roundcubemail/issues/7514#issuecomment-664786385 , and was told it's a PHP issue, not a Roundcube problem.


I'm running
```
	php -v
		PHP 7.4.8 (cli) (built: Jul  9 2020 08:57:23) ( NTS )
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
		    with Zend OPcache v7.4.8, Copyright (c), by Zend Technologies

	openssl version
		OpenSSL 1.1.1g FIPS  21 Apr 2020

	roundcube 1.4.7

	git log -n1
		commit cdbefb54e2bebbc61e5fb081c7d1038d884743cf (HEAD, tag: 1.4.7)
		Author: Thomas Bruederli <thomas@roundcube.net>
		Date:   Sat Jul 4 12:32:28 2020 +0200

		    Bump version to 1.4.7

	dovecot --version
		2.3.10.1 (a3d0e1171)

	nginx -v
		nginx version: nginx/1.19.0 (local build)

	php-fpm --version
		PHP 7.4.8 (fpm-fcgi) (built: Jul  9 2020 08:57:23)
		Copyright (c) The PHP Group
		Zend Engine v3.4.0, Copyright (c) Zend Technologies
		    with Zend OPcache v7.4.8, Copyright (c), by Zend Technologies

```

on
```
	grep PRETTY /etc/os-release
		PRETTY_NAME="Fedora 32 (Thirty Two)"
```

dovecot's set up & functioning; IMAP works fine with a non-php client, Thunderbird.

connection to dovecot, WITH peer verification of dovecot's SSL cert, works & identifies "Subject:" & "DNS:" as,
```
	openssl s_client \
	 -4 \
	 -bind 10.12.1.13 \
	 -connect internal.example.com:993 \
	 -verify +9 \
	 -verify_return_error \
	 -verify_hostname internal.example.com \
	 -verify_depth 9 \
	 -ciphersuites TLS_CHACHA20_POLY1305_SHA256 \
	 -cipher ECDHE-ECDSA-CHACHA20-POLY1305 \
	 -cert   /sec/ssl/roundcube.client.ec.crt \
	 -key    /sec/ssl/roundcube.ec.client.key \
	 -CAfile /sec/ssl/ca.chain.crt \
	 -showcerts 2>&1 \
	| openssl x509 -noout -text \
	| egrep 'Subject: |DNS:'


		Subject: C = US, ST = CA, L = HQ, O = example.com, OU = my_CA, CN = internal.example.com, emailAddress = ssl@example.com
		DNS:internal.example.com, DNS:www.internal.example.com, DNS:localhost
```

roundcube, php-config'd similarly, but WITHOUT peer verification,

```
	$config['debug_level'] = 1;
	$config['imap_debug']     = true;
	$config['default_host'] = 'ssl://internal.example.com:993';
	$config['default_port'] = 993;

	$config['imap_conn_options'] = array(
	 'ssl' => array(
	  'verify_peer'       => true,
	  'verify_peer_name'  => false,
	  'peer_name'         => 'internal.example.com',
	  'verify_depth'      => 9,
	  'allow_self_signed' => true,
	  'SNI_enabled'       => true,
	  'ciphers'    => 'TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305',
	  'local_cert' => '/sec/ssl/roundcube.client.ec.crt',
	  'local_pk'   => '/sec/ssl/roundcube.ec.client.key',
	  'cafile'     => '/sec/ssl/ca.chain.crt'
	 ),
	);
```

also connects to the dovecot store without error, & works perfectly with full access/functionality @ my IMAP store.

but, if I toggle roundcube's peer verification ==> ON,
```
-	  'verify_peer'       => false,
+	  'verify_peer'       => true,
```
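Review bot: the toggled line turns on chain verification against 'cafile', but the surrounding block keeps 'verify_peer_name' => false and 'allow_self_signed' => true, so even once this connects, the server's hostname is not matched against the certificate and a self-signed server certificate is accepted; set both to their strict values ('verify_peer_name' => true, 'allow_self_signed' => false) for the verification the report is aiming for, and read the actual failure reason from `openssl_error_string()` after the failed `stream_socket_client()` call rather than from the "Unknown reason" message.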

it FAILs to connect,

> IMAP Error: Login failed ... Could not connect ... Unknown reason in .../roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

_debug_ logs show only,
```
	tail -f /var/log/dovecot/* /var/log/roundcube/*

		[28-Jul-2020 02:45:32 +0000]: <uobpprkr> [C71D] Connecting to ssl://internal.example.com:993...

		==> /var/log/roundcube/errors.log <==
		[28-Jul-2020 02:45:32 +0000]: <uobpprkr> IMAP Error: Login failed for testuser@example-2.com against internal.example.com from 10.12.1.7. Could not connect to ssl://internal.example.com:993: Unknown reason in /usr/local/src/roundcubemail/program/lib/Roundcube/rcube_imap.php on line 200 (POST /?_task=login&_action=login)

		==> /var/log/dovecot/dovecot-info.log <==
		2020-07-27 19:45:32 imap-login: Info: Disconnected (disconnected before auth was ready, waited 0 secs): user=<>, rip=10.12.1.13, lip=10.12.1.13, TLS handshaking: Connection closed

		==> /var/log/dovecot/dovecot-debug.log <==
		2020-07-27 19:45:32 auth: Debug: Loading modules from directory: /usr/lib64/dovecot/auth
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/lib20_auth_var_expand_crypt.so
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_mysql.so
		2020-07-27 19:45:32 auth: Debug: Module loaded: /usr/lib64/dovecot/auth/libdriver_sqlite.so
		2020-07-27 19:45:32 auth: Debug: Read auth token secret from /run/dovecot//auth-token-secret.dat
		2020-07-27 19:45:32 auth: Debug: passwd-file /usr/local/etc/dovecot/sec/users.conf: Read 10 users in 0 secs
```


I understand the 'unknown reason' error isn't particularly helpful; it's not clear to me how to get more info, atm.

If add'l info is required, pls specify what/how, & I can provide it.
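An added diagnostic script, not part of the bug report or of Roundcube: it opens the same ssl:// IMAP stream Roundcube opens, with the context options from the report, and collects the PHP warning text and the OpenSSL error queue that Roundcube folds into "Unknown reason". The host, port and certificate paths are the placeholders from the report, and probe_imap_tls is a name chosen here.

```php
<?php
// Added diagnostic, not the reporter's or Roundcube's code: open the same ssl://
// IMAP stream Roundcube opens and surface what hides behind "Unknown reason".
declare(strict_types=1);
function probe_imap_tls(string $host, int $port, array $ssl): array
{
    $ctx = stream_context_create(['ssl' => $ssl]);
    // stream_socket_client() reports TLS failures as PHP warnings; capture them.
    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
        $warnings[] = $msg;
        return true;
    });
    $fp = stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    restore_error_handler();
    // Drain OpenSSL's error queue: verification failures such as
    // "certificate verify failed" are reported here, not in $errstr.
    $openssl = [];
    while (($e = openssl_error_string()) !== false) {
        $openssl[] = $e;
    }
    $r = ['ok' => $fp !== false, 'errno' => $errno, 'errstr' => $errstr,
          'warnings' => $warnings, 'openssl' => $openssl];
    if ($fp !== false) {
        // capture_peer_cert => true exposes the server certificate that passed verification.
        $opts = stream_context_get_options($ctx);
        if (isset($opts['ssl']['peer_certificate'])) {
            $cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
            $r['peer_subject'] = $cert['name'] ?? null;
            $r['peer_san']     = $cert['extensions']['subjectAltName'] ?? null;
        }
        $r['greeting'] = trim((string) fgets($fp)); // Dovecot's "* OK ..." banner
        fclose($fp);
    }
    return $r;
}
// Host and paths are the placeholders from the report; verification is fully on here.
$ssl = [
    'verify_peer'       => true,
    'verify_peer_name'  => true,   // false in the report, which skips hostname matching
    'peer_name'         => 'internal.example.com',
    'verify_depth'      => 9,
    'allow_self_signed' => false,  // true in the report, which accepts self-signed certs
    'SNI_enabled'       => true,
    'cafile'            => '/sec/ssl/ca.chain.crt',
    'local_cert'        => '/sec/ssl/roundcube.client.ec.crt',
    'local_pk'          => '/sec/ssl/roundcube.ec.client.key',
    'capture_peer_cert' => true,
];
print_r(probe_imap_tls('internal.example.com', 993, $ssl));
```

Run it from the same host and user as php-fpm so that file permissions on the key and CA bundle match what Roundcube sees; a failing run prints the OpenSSL reason (chain, hostname or client-certificate problem) instead of "Unknown reason".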


Last updated: Fri Oct 30 05:02:34 2020 UTC