From: Chris H. <ch...@bi...> - 2003-02-20 21:50:13
> SSL communication works on port 993 in OE and Mail.app. It fails with Squirrelmail:
>
> Feb 19 16:40:41 lilbuddy imapd[84173]: Unable to accept SSL connection, host=localhost [127.0.0.1]
> Feb 19 16:40:41 lilbuddy imapd[84173]: SSL error status:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>
> I ran this by the author of uw-imap, and he says this is the kind of error that occurs when TLS (i.e. STARTTLS) is attempted on port 993, which led me to believe that Squirrelmail was using STARTTLS.

No, SquirrelMail does not send 'STARTTLS', it simply uses PHP 4.3.x's fsockopen (http://www.php.net/manual/en/function.fsockopen.php) to open a TLS connection.

> As far as I've seen, "TLS" is used to indicate the STARTTLS method with TLSv1, whereas "SSL" is used to indicate communication on port 993 using SSLv23.

TLS means IETF RFC 2246, the Transport Layer Security protocol (TLS 1.0), which does not mention STARTTLS. The STARTTLS command was introduced in RFC 2595, "Using TLS with IMAP, POP3 and ACAP". Section 7 in particular deals with the use of dedicated "non-STARTTLS" ports which, although not using the STARTTLS command, are indeed TLS.

> So you're saying it's actually the SSL (SSLv23) method that's being used? In that case, isn't the TLS description misleading? Anyway, if that's the deal, I still have a problem as noted above.

As far as the fact that SquirrelMail does not issue a STARTTLS command, then yes, that's the method. However, it is TLS, not SSL.

> Feb 19 16:40:41 lilbuddy imapd[84173]: SSL error status:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Just out of curiosity, please paste in the response you get from a 'grep tls config.php' in your squirrelmail config directory.

--
Chris Hilts
ta...@sq...
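The "unknown protocol" status in the imapd lines above is OpenSSL's SSL23_GET_CLIENT_HELLO giving up on the client's first bytes. The classifier below is an added example, not code from this thread, SquirrelMail or uw-imap: it shows what that routine has to decide on an implicit-TLS port such as 993, and why a plaintext LOGIN or a STARTTLS command sent there ends up in the log. All sample byte strings are constructed.

```python
"""Classify the first bytes arriving on an implicit-TLS port such as IMAPS/993.

A TLS accept() must decide from the first bytes whether the client sent a TLS
record, a legacy SSLv2-format hello, or something else. "Something else" is
reported by OpenSSL as "unknown protocol"; IMAP sent in the clear is the usual
cause. All sample inputs below are constructed for this example.
"""

IMAP_COMMANDS = {"CAPABILITY", "LOGIN", "AUTHENTICATE", "STARTTLS", "NOOP", "LOGOUT"}


def classify_first_bytes(data: bytes) -> str:
    """Return one of: tls-client-hello, sslv2-client-hello, plaintext-imap, unknown."""
    if len(data) < 3:
        return "unknown"
    # TLS record header: ContentType 22 (handshake), ProtocolVersion 3.x,
    # 2-byte length, then HandshakeType 1 (ClientHello) as the sixth byte.
    if data[0] == 0x16 and data[1] == 0x03 and len(data) >= 6 and data[5] == 0x01:
        return "tls-client-hello"
    # SSLv2-format hello (what an SSLv23_client_method client may send first):
    # high bit of the first byte set (2-byte record length), message type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    # A printable "tag SP COMMAND" line is IMAP sent without any TLS wrapping.
    try:
        words = data.decode("ascii").split()
    except UnicodeDecodeError:
        return "unknown"
    if len(words) >= 2 and words[0].isalnum() and words[1].upper() in IMAP_COMMANDS:
        return "plaintext-imap"
    return "unknown"


def would_server_log_unknown_protocol(data: bytes) -> bool:
    """True when a TLS accept() on port 993 would reject these bytes outright."""
    return classify_first_bytes(data) not in ("tls-client-hello", "sslv2-client-hello")


# Constructed samples: a TLS 1.0 record carrying a ClientHello, an SSLv2-format
# hello asking for TLS 1.0, and the two plaintext mistakes discussed in the thread.
SAMPLES = {
    "tls": bytes.fromhex("160301002f0100002b0301"),
    "sslv2": bytes.fromhex("802e01030100150000001000"),
    "login-in-clear": b"a001 LOGIN mark secret\r\n",
    "starttls-on-993": b"a001 STARTTLS\r\n",
}

if __name__ == "__main__":
    for name, first_bytes in SAMPLES.items():
        print(f"{name:16s} {classify_first_bytes(first_bytes):20s} "
              f"unknown-protocol={would_server_log_unknown_protocol(first_bytes)}")
```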
From: Mark E. <ma...@an...> - 2003-02-21 00:06:59
On Thursday, February 20, 2003, at 01:50 PM, Chris Hilts wrote:

>> As far as I've seen, "TLS" is used to indicate the STARTTLS method with TLSv1, whereas "SSL" is used to indicate communication on port 993 using SSLv23.
>
> TLS means IETF RFC 2246, the Transport Layer Security protocol (TLS 1.0), which does not mention STARTTLS. The STARTTLS command was introduced in RFC 2595, "Using TLS with IMAP, POP3 and ACAP". Section 7 in particular deals with the use of dedicated "non-STARTTLS" ports which, although not using the STARTTLS command, are indeed TLS.
>
>> So you're saying it's actually the SSL (SSLv23) method that's being used? In that case, isn't the TLS description misleading? Anyway, if that's the deal, I still have a problem as noted above.
>
> As far as the fact that SquirrelMail does not issue a STARTTLS command, then yes, that's the method. However, it is TLS, not SSL.

It sounds like Squirrelmail is not currently compatible with uw-imap for doing encrypted communication then. uw-imap does TLS using STARTTLS on port 143, and it does SSL on port 993. Am I wrong? Have you seen Squirrelmail communicate via TLS with uw-imap?

>> Feb 19 16:40:41 lilbuddy imapd[84173]: SSL error status:
>> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>
> Just out of curiosity, please paste in the response you get from a 'grep tls config.php' in your squirrelmail config directory.

> grep tls config.php
$use_imap_tls = true;
$use_smtp_tls = true;

--
Mark Edwards
Engineer
Mr. Toad's
San Francisco, CA
From: Mark E. <ma...@an...> - 2003-02-25 00:58:59
On Thursday, February 20, 2003, at 04:06 PM, Mark Edwards wrote:

> On Thursday, February 20, 2003, at 01:50 PM, Chris Hilts wrote:
>
>>> As far as I've seen, "TLS" is used to indicate the STARTTLS method with TLSv1, whereas "SSL" is used to indicate communication on port 993 using SSLv23.
>>
>> TLS means IETF RFC 2246, the Transport Layer Security protocol (TLS 1.0), which does not mention STARTTLS. The STARTTLS command was introduced in RFC 2595, "Using TLS with IMAP, POP3 and ACAP". Section 7 in particular deals with the use of dedicated "non-STARTTLS" ports which, although not using the STARTTLS command, are indeed TLS.
>>
>>> So you're saying it's actually the SSL (SSLv23) method that's being used? In that case, isn't the TLS description misleading? Anyway, if that's the deal, I still have a problem as noted above.
>>
>> As far as the fact that SquirrelMail does not issue a STARTTLS command, then yes, that's the method. However, it is TLS, not SSL.
>
> It sounds like Squirrelmail is not currently compatible with uw-imap for doing encrypted communication then. uw-imap does TLS using STARTTLS on port 143, and it does SSL on port 993. Am I wrong? Have you seen Squirrelmail communicate via TLS with uw-imap?
>
>>> Feb 19 16:40:41 lilbuddy imapd[84173]: SSL error status:
>>> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
>>
>> Just out of curiosity, please paste in the response you get from a 'grep tls config.php' in your squirrelmail config directory.
>
> > grep tls config.php
> $use_imap_tls = true;
> $use_smtp_tls = true;

So, any answer on this? Is Squirrelmail 1.4RC2a in fact incompatible with uw-imap for doing TLS transmission?

--
Mark Edwards
Engineer
Mr. Toad's
San Francisco, CA
From: Mark E. <ma...@an...> - 2003-02-27 19:29:22
Here's what the creator of uw-imap had to say on the subject of TLS on port 993, and TLS without STARTTLS:

> More to the point, the client uses the legacy SSLv23_client_method when it makes a port 993 connection, and uses the modern TLSv1_client_method when negotiating a STARTTLS command on port 143.
>
> If Squirrelmail does not do this, then it is broken.
>
>> But TLS without STARTTLS is not supported?
>
> Considering that there is no such thing, it isn't surprising that something non-existent isn't supported.

So ... I'm coming to the conclusion that Squirrelmail is broken when it comes to encrypted communication with imap servers. Or, perhaps I'm totally confused ...

--
Mark Edwards
San Francisco, CA
From: Jonathan A. <jo...@sq...> - 2003-02-27 19:47:31
Hello Mark,

On Thursday, February 27, 2003, Mark Edwards wrote...

> Here's what the creator of uw-imap had to say on the subject of TLS on port 993, and TLS without STARTTLS:
>
>> More to the point, the client uses the legacy SSLv23_client_method when it makes a port 993 connection, and uses the modern TLSv1_client_method when negotiating a STARTTLS command on port 143.
>>
>> If Squirrelmail does not do this, then it is broken.
>>
>>> But TLS without STARTTLS is not supported?
>>
>> Considering that there is no such thing, it isn't surprising that something non-existent isn't supported.
>
> So ... I'm coming to the conclusion that Squirrelmail is broken when it comes to encrypted communication with imap servers. Or, perhaps I'm totally confused ...

I think there are some oddities going on here... I did some testing over the weekend, and SquirrelMail isn't at fault, if at all... it's more PHP's fault. The testing I did was completely independent of SquirrelMail, and involved a 10 line script, opening a connection, writing to the connection, and closing it again. PHP returned errors on the connection, reporting that it couldn't activate an SSL mode 1 (or 2) connection. On sending any text to the connection, the error you mentioned appears in the log files. I posted to news://comp.lang.php last night, so I'm working on finding a solution, but I seriously don't think this has anything to do with SquirrelMail itself. I know of at least 1 person that has it running with UW IMAP.

--
Jonathan Angliss
(jo...@sq...)
From: Mark E. <ma...@an...> - 2003-02-27 21:20:59
On Thursday, February 27, 2003, at 11:50 AM, Jonathan Angliss wrote:

> Hello Mark,
>
> On Thursday, February 27, 2003, Mark Edwards wrote...
>
>> Here's what the creator of uw-imap had to say on the subject of TLS on port 993, and TLS without STARTTLS:
>
>>> More to the point, the client uses the legacy SSLv23_client_method when it makes a port 993 connection, and uses the modern TLSv1_client_method when negotiating a STARTTLS command on port 143.
>>>
>>> If Squirrelmail does not do this, then it is broken.
>>>
>>>> But TLS without STARTTLS is not supported?
>>>
>>> Considering that there is no such thing, it isn't surprising that something non-existent isn't supported.
>
>> So ... I'm coming to the conclusion that Squirrelmail is broken when it comes to encrypted communication with imap servers. Or, perhaps I'm totally confused ...
>
> I think there are some oddities going on here... I did some testing over the weekend, and SquirrelMail isn't at fault, if at all... it's more PHP's fault. The testing I did was completely independent of SquirrelMail, and involved a 10 line script, opening a connection, writing to the connection, and closing it again. PHP returned errors on the connection, reporting that it couldn't activate an SSL mode 1 (or 2) connection. On sending any text to the connection, the error you mentioned appears in the log files. I posted to news://comp.lang.php last night, so I'm working on finding a solution, but I seriously don't think this has anything to do with SquirrelMail itself. I know of at least 1 person that has it running with UW IMAP.

Great, thanks for checking that out. Mark Crispin (uw-imapd author) mentioned that he thought that a client using TLSv1 should be able to talk to a server that uses SSLv23 (uw-imap does), so I suppose that means this should be working (yeah?).

Okay, can you find out the exact configuration of the person that has Squirrelmail running encrypted with uw-imap? Is there anything unusual, or is it a default compile of all software? What versions of everything are they using, and what OS? That might be helpful.

Thanks!

--
Mark Edwards
Engineer
Mr. Toad's
San Francisco, CA
From: Jonathan A. <jo...@sq...> - 2003-02-28 21:47:31
Hello Mark,

On Thursday, February 27, 2003, Mark Edwards wrote...

>>> So ... I'm coming to the conclusion that Squirrelmail is broken when it comes to encrypted communication with imap servers. Or, perhaps I'm totally confused ...
>>
>> [..] I did some testing over the weekend, and SquirrelMail isn't at fault, if at all... it's more PHP's fault. The testing I did was completely independent of SquirrelMail, and involved a 10 line script, opening a connection, writing to the connection, and closing it again.
>
> Great, thanks for checking that out. Mark Crispin (uw-imapd author) mentioned that he thought that a client using TLSv1 should be able to talk to a server that uses SSLv23 (uw-imap does), so I suppose that means this should be working (yeah?).

Okay... I *was* right. It was NOT a SquirrelMail problem... it was entirely a PHP problem. It seems that PHP doesn't like the openssl compiled in a certain way. I don't know if you specified any special options when you compiled PHP, but try removing them, and leave it just with --with-openssl.

Another thing you might want to check: create a file, call it test.php, put in it <? phpinfo();?> and save it in your web tree somewhere. Open it via your browser, such as http://localhost/test.php, and check for a section about OpenSSL. If that option is *NOT* there, then something messed up. Go back to your source, and recompile. PHP is nice and saves you having to remember what you typed last time: there is a config.nice file. Open that up, find the --with-openssl line, remove any options after that, and run "./config.nice && make && make install". Once that is done, do whatever is required of your webserver too. Then test again.

For the curious, my compile options were:

'./configure' '--with-config-file-path=/www/conf' '--with-mysql' '--with-mcrypt' '--with-mhash' '--with-apxs2=/www/apache/bin/apxs' '--with-openssl=shared,/usr'

But I changed them to:

'./configure' '--with-config-file-path=/www/conf' '--with-mysql' '--with-mcrypt' '--with-mhash' '--with-apxs2=/www/apache/bin/apxs' '--with-openssl'

After I recompiled, it ran like a dream :)

Hope that helps some.

--
Jonathan Angliss
(jo...@sq...)
From: Mark E. <ma...@an...> - 2003-03-05 19:26:16
On Friday, February 28, 2003, at 01:50 PM, Jonathan Angliss wrote:

> Hello Mark,
>
> On Thursday, February 27, 2003, Mark Edwards wrote...
>
>>>> So ... I'm coming to the conclusion that Squirrelmail is broken when it comes to encrypted communication with imap servers. Or, perhaps I'm totally confused ...
>>>
>>> [..] I did some testing over the weekend, and SquirrelMail isn't at fault, if at all... it's more PHP's fault. The testing I did was completely independent of SquirrelMail, and involved a 10 line script, opening a connection, writing to the connection, and closing it again.
>
>> Great, thanks for checking that out. Mark Crispin (uw-imapd author) mentioned that he thought that a client using TLSv1 should be able to talk to a server that uses SSLv23 (uw-imap does), so I suppose that means this should be working (yeah?).
>
> Okay... I *was* right. It was NOT a SquirrelMail problem... it was entirely a PHP problem. It seems that PHP doesn't like the openssl compiled in a certain way. I don't know if you specified any special options when you compiled PHP, but try removing them, and leave it just with --with-openssl.
>
> Another thing you might want to check: create a file, call it test.php, put in it <? phpinfo();?> and save it in your web tree somewhere. Open it via your browser, such as http://localhost/test.php, and check for a section about OpenSSL. If that option is *NOT* there, then something messed up. Go back to your source, and recompile. PHP is nice and saves you having to remember what you typed last time: there is a config.nice file. Open that up, find the --with-openssl line, remove any options after that, and run "./config.nice && make && make install". Once that is done, do whatever is required of your webserver too. Then test again.
>
> For the curious, my compile options were:
>
> './configure' '--with-config-file-path=/www/conf' '--with-mysql' '--with-mcrypt' '--with-mhash' '--with-apxs2=/www/apache/bin/apxs' '--with-openssl=shared,/usr'
>
> But I changed them to:
>
> './configure' '--with-config-file-path=/www/conf' '--with-mysql' '--with-mcrypt' '--with-mhash' '--with-apxs2=/www/apache/bin/apxs' '--with-openssl'
>
> After I recompiled, it ran like a dream :)
>
> Hope that helps some.

Hmmm...well, I'm installing everything via FreeBSD ports, which is the way I'd like to keep it. The compile options with the port are:

'./configure' '--with-apxs=/usr/local/sbin/apxs' '--with-config-file-path=/usr/local/etc' '--enable-versioning' '--with-regex=system' '--without-gd' '--without-mysql' '--with-zlib' '--with-mysql=/usr/local' '--with-openssl=/usr' '--prefix=/usr/local' 'i386-portbld-freebsd4.7'

I checked test.php, and OpenSSL is indeed enabled in my PHP install.

Are you definitely running uw-imap with plaintext passwords disabled? I can get squirrelmail to connect with Secure IMAP (TLS) : true, as long as plaintext passwords are enabled in imapd. However, if imapd is compiled as default (secure-only, no plaintext passwords) then it fails.

--
Mark Edwards
San Francisco, CA
From: Jonathan A. <jo...@sq...> - 2003-03-05 19:39:57
Hello Mark,

On Wednesday, March 05, 2003, Mark Edwards wrote...

> Hmmm...well, I'm installing everything via FreeBSD ports, which is the way I'd like to keep it. The compile options with the port are:
>
> './configure' '--with-apxs=/usr/local/sbin/apxs' '--with-config-file-path=/usr/local/etc' '--enable-versioning' '--with-regex=system' '--without-gd' '--without-mysql' '--with-zlib' '--with-mysql=/usr/local' '--with-openssl=/usr' '--prefix=/usr/local' 'i386-portbld-freebsd4.7'

There is a compile option with your openssl line here... not sure if it'd hurt or not.

> I checked test.php, and OpenSSL is indeed enabled in my PHP install.

Well that is a start.

> Are you definitely running uw-imap with plaintext passwords disabled? I can get squirrelmail to connect with Secure IMAP (TLS) : true, as long as plaintext passwords are enabled in imapd. However, if imapd is compiled as default (secure-only, no plaintext passwords) then it fails.

I'm not running uw-imap... I'm running courier. Courier doesn't accept plain text logins on port 993; if you try doing a plain text login on port 993, you get the error messages you saw in your log files. So... I know it is something with the php build on my server. When I removed all arguments from the --with-openssl it compiled, and worked just fine.

--
Jonathan Angliss
(jo...@sq...)
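Jonathan's observation that a plaintext login on port 993 produces exactly the imapd lines quoted at the top of the thread suggests a server-side detection: the accept failure and the "SSL error status" line are logged by the same imapd pid, one after the other. The parser below is an added example, not code from this thread or from uw-imap; it pairs the two lines by pid and decodes the OpenSSL error string, and its sample log lines are constructed from the format shown in the thread.

```python
"""Pair uw-imap "Unable to accept SSL connection" lines with the "SSL error status"
line imapd logs next from the same pid, and decode the OpenSSL error string."""
import re
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"imapd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"^Unable to accept SSL connection, host=(?P<peer>\S+) \[(?P<ip>[^\]]+)\]$")
STATUS_RE = re.compile(r"^SSL error status: (?P<err>error:[0-9A-Fa-f]{8}:.*)$")

# Constructed sample: the pair from the thread, an accept failure whose status
# line never arrived (pid 84200), and an unrelated login that must be ignored.
SAMPLE_LOG = """\
Feb 19 16:40:41 lilbuddy imapd[84173]: Unable to accept SSL connection, host=localhost [127.0.0.1]
Feb 19 16:40:41 lilbuddy imapd[84173]: SSL error status: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Feb 19 16:41:02 lilbuddy imapd[84200]: Unable to accept SSL connection, host=localhost [127.0.0.1]
Feb 19 16:41:03 lilbuddy imapd[84201]: Login user=mark host=localhost [127.0.0.1]
"""

def decode_openssl_error(err: str) -> dict:
    """Split 'error:<hex>:<lib>:<func>:<reason>' and unpack the pre-3.0 OpenSSL
    code layout: 8 bits library, 12 bits function, 12 bits reason."""
    _, code_hex, lib, func, reason = err.split(":", 4)
    code = int(code_hex, 16)
    return {"code": code, "lib": lib, "func": func, "reason": reason,
            "lib_num": code >> 24, "func_num": (code >> 12) & 0xFFF, "reason_num": code & 0xFFF}

def classify(decoded: dict) -> str:
    """'unknown protocol' while reading the ClientHello means the client's first
    bytes were not TLS at all: a plaintext LOGIN or a STARTTLS sent to port 993."""
    if decoded["func"] == "SSL23_GET_CLIENT_HELLO" and decoded["reason"] == "unknown protocol":
        return "plaintext-on-tls-port"
    return "other-accept-failure"

def parse_imapd_log(lines):
    """One event per accept failure: paired events carry the decoded OpenSSL
    error and a verdict; unpaired ones (no status line seen) have both None."""
    pending, events = {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        a = ACCEPT_RE.match(msg)
        if a:
            pending[pid] = {"ts": m["ts"], "pid": pid, "peer": a["peer"], "ip": a["ip"],
                            "openssl": None, "verdict": None}
            continue
        s = STATUS_RE.match(msg)
        if s and pid in pending:
            ev = pending.pop(pid)
            ev["openssl"] = decode_openssl_error(s["err"])
            ev["verdict"] = classify(ev["openssl"])
            events.append(ev)
    events.extend(pending.values())  # accept failures with no status line
    return events
```

Running `parse_imapd_log(SAMPLE_LOG.splitlines())` yields two events: pid 84173 with verdict plaintext-on-tls-port and pid 84200 with no status line; the 0x14/0x076/0x0FC split of the code identifies the SSL library, the SSL23_GET_CLIENT_HELLO function and the "unknown protocol" reason.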
From: Mark E. <ma...@an...> - 2003-03-05 19:56:51
On Wednesday, March 5, 2003, at 11:43 AM, Jonathan Angliss wrote:

> Hello Mark,
>
> On Wednesday, March 05, 2003, Mark Edwards wrote...
>
>> Hmmm...well, I'm installing everything via FreeBSD ports, which is the way I'd like to keep it. The compile options with the port are:
>
>> './configure' '--with-apxs=/usr/local/sbin/apxs' '--with-config-file-path=/usr/local/etc' '--enable-versioning' '--with-regex=system' '--without-gd' '--without-mysql' '--with-zlib' '--with-mysql=/usr/local' '--with-openssl=/usr' '--prefix=/usr/local' 'i386-portbld-freebsd4.7'
>
> There is a compile option with your openssl line here... not sure if it'd hurt or not.
>
>> I checked test.php, and OpenSSL is indeed enabled in my PHP install.
>
> Well that is a start.
>
>> Are you definitely running uw-imap with plaintext passwords disabled? I can get squirrelmail to connect with Secure IMAP (TLS) : true, as long as plaintext passwords are enabled in imapd. However, if imapd is compiled as default (secure-only, no plaintext passwords) then it fails.
>
> I'm not running uw-imap... I'm running courier. Courier doesn't accept plain text logins on port 993; if you try doing a plain text login on port 993, you get the error messages you saw in your log files. So... I know it is something with the php build on my server. When I removed all arguments from the --with-openssl it compiled, and worked just fine.

Ho--kay. Well, I posted too soon. The mod-php port and OpenSSL were recently updated slightly in FreeBSD. I installed the updates, and ... bingo, it started working. Weird, but whatever. I'm guessing a small issue in the mod-php port was causing the problem. Anyway, it works now, with no change whatsoever to Squirrelmail, so Squirrelmail definitely was NOT the issue. Thanks for all the help everyone!

--
Mark Edwards
San Francisco, CA