[horde] H5: ext. Calendar fails with SSL certificate verification error

Stephan Kleber stephan at admin.nabira.de
Mon Feb 25 14:27:51 UTC 2013


Hi all,

using Horde 5.0.4 (with kronolith 4.0.4) I have an issue with SSL
certificate verification. I couldn't find a solution regarding the error
message: "fopen(): Failed to enable crypto".

But first the details:

When I try to add (subscribe) an external calendar to kronolith I
receive the error to be seen in attachment HordeNewCal.txt.

Of course I checked whether the OpenSSL verification itself works (see
HordeCmd.txt) using the horde commandline to make sure it is no file
system permissions problem for the web server to access the certs or
similar. The CA cert store path is set correctly for my system to
/etc/ssl/certs/ (OpenSSL works fine with that directory as seen above).

The "fopen(): Failed to enable crypto" led me to (not) horde-bug #11822
and PHP bug https://bugs.php.net/bug.php?id=52106 and similar things.
But using PHP 5.3.3-7+squeeze14 at least I did not find anything
directly applicable.

Any ideas?

If not: Which PHP mechanism is used to verify the cert? Is it something
I could try out separately to confirm or disprove a PHP or PEAR library
problem?

Anything else I could do or try?

Thanks,
Stephan
-------------- next part --------------
Command:
echo GET | openssl s_client -connect sogo.uni-ulm.de:443 -state -CApath /etc/ssl/certs/
Results:

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=Universitaet Ulm/CN=sogo.uni-ulm.de
   i:/C=DE/O=Universitaet Ulm/CN=Global-Uni-Ulm-CA/emailAddress=ca at uni-ulm.de
 1 s:/C=DE/O=Universitaet Ulm/CN=Global-Uni-Ulm-CA/emailAddress=ca at uni-ulm.de
   i:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
 2 s:/C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA Global - G01
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
 3 s:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
   i:/C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
---
Server certificate
subject=/C=DE/O=Universitaet Ulm/CN=sogo.uni-ulm.de
issuer=/C=DE/O=Universitaet Ulm/CN=Global-Uni-Ulm-CA/emailAddress=ca at uni-ulm.de
---
No client certificate CA names sent
---
SSL handshake has read 5170 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 84BE6561B4AE71CD80B51FBFC5F51488E5687F797FFDDC235A3C9A15665B2310
    Session-ID-ctx: 
    Master-Key: 719F2A8F1C192FAE34F7F5E33C3BD224A835E3577A05D23F71D583B5730D877FE5941518BD9436F0ABE533CC85184D05
    Key-Arg   : None
    Start Time: 1361797280
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


-------------- next part --------------
Problem with https://sogo.uni-ulm.de/SOGo/: fopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. fopen(): Failed to enable crypto. fopen(https://sogo.uni-ulm.de/SOGo/): failed to open stream: operation failed
-------------- next part --------------
2013-02-25T14:08:27+01:00 INFO: HORDE [kronolith] Problem with https://sogo.uni-ulm.de/SOGo/: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. fopen(): Failed to enable crypto. fopen(https://sogo.uni-ulm.de/SOGo/): failed to open stream: operation failed [pid 32475 on line 114 of "/usr/share/php/Horde/Http/Request/Fopen.php"]
2013-02-25T14:08:27+01:00 DEBUG: HORDE 1. Horde_Core_Ajax_Application->doAction() /var/www/horde/services/ajax.php:56
2. call_user_func() /usr/share/php/Horde/Core/Ajax/Application.php:155
3. Kronolith_Ajax_Application_Handler->getRemoteInfo()
4. Kronolith_Driver_Ical->isCalDAV() /var/www/horde/kronolith/lib/Ajax/Application/Handler.php:1221
5. Horde_Http_Client->request() /var/www/horde/kronolith/lib/Driver/Ical.php:616
6. Horde_Http_Request_Fopen->send() /usr/share/php/Horde/Http/Client.php:181

2013-02-25T14:08:27+01:00 INFO: HORDE [kronolith] Problem with https://sogo.uni-ulm.de/SOGo/: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. fopen(): Failed to enable crypto. fopen(https://sogo.uni-ulm.de/SOGo/): failed to open stream: operation failed [pid 32475 on line 114 of "/usr/share/php/Horde/Http/Request/Fopen.php"]
2013-02-25T14:08:27+01:00 DEBUG: HORDE 1. Horde_Core_Ajax_Application->doAction() /var/www/horde/services/ajax.php:56
2. call_user_func() /usr/share/php/Horde/Core/Ajax/Application.php:155
3. Kronolith_Ajax_Application_Handler->getRemoteInfo()
4. Kronolith_Driver_Ical->getRemoteCalendar() /var/www/horde/kronolith/lib/Ajax/Application/Handler.php:1225
5. Horde_Http_Client->get() /var/www/horde/kronolith/lib/Driver/Ical.php:553
6. Horde_Http_Client->request() /usr/share/php/Horde/Http/Client.php:93
7. Horde_Http_Request_Fopen->send() /usr/share/php/Horde/Http/Client.php:181

2013-02-25T14:08:27+01:00 DEBUG: HORDE [kronolith] Problem with https://sogo.uni-ulm.de/SOGo/: fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed. fopen(): Failed to enable crypto. fopen(https://sogo.uni-ulm.de/SOGo/): failed to open stream: operation failed [pid 32475 on line 27 of "/usr/share/php/Horde/Core/Notification/Handler/Decorator/Hordelog.php"]
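
The question above asks for a way to exercise PHP's certificate verification separately from Horde. The following is an added example, not part of the original post and not Horde code: a CLI script that opens the URL through the same `fopen()` HTTPS stream wrapper seen in the stack trace, once per trust-store setting, and prints the warnings PHP raises. Assumptions: `try_fetch` is a name made up here, `/etc/ssl/certs/ca-certificates.crt` is assumed to be the system CA bundle (the Debian location), and the SSL context options Horde itself sets are not shown on this page.

```php
<?php
// Added diagnostic example (not Horde code). Run it as the web server user, e.g.
//   php tls_check.php https://sogo.uni-ulm.de/SOGo/

// Open $url with fopen() under the given 'ssl' context options.
// Returns array(bool $ok, array $warnings).
function try_fetch($url, array $ssl)
{
    $warnings = array();
    // Collect PHP warnings ("Failed to enable crypto", OpenSSL errors) instead of printing them.
    set_error_handler(function ($no, $msg) use (&$warnings) {
        $warnings[] = $msg;
        return true;
    });
    $ctx = stream_context_create(array(
        // ignore_errors: an HTTP 401/404 still yields a stream, so only
        // connection and TLS failures make fopen() return false.
        'http' => array('method' => 'GET', 'timeout' => 10, 'ignore_errors' => true),
        'ssl'  => $ssl,
    ));
    $fh = fopen($url, 'rb', false, $ctx);
    restore_error_handler();
    if ($fh !== false) {
        fclose($fh);
        return array(true, array());
    }
    return array(false, $warnings);
}

$url = isset($argv[1]) ? $argv[1] : 'https://sogo.uni-ulm.de/SOGo/';

// Verification stays enabled in every case; only the trust anchor source changes.
$cases = array(
    'verify_peer, no CA location' => array('verify_peer' => true),
    // capath must be a hashed directory (c_rehash layout), as used with s_client -CApath.
    'verify_peer + capath'        => array('verify_peer' => true, 'capath' => '/etc/ssl/certs/'),
    // Assumed bundle path; adjust for the local system.
    'verify_peer + cafile'        => array('verify_peer' => true, 'cafile' => '/etc/ssl/certs/ca-certificates.crt'),
);

foreach ($cases as $label => $ssl) {
    list($ok, $warnings) = try_fetch($url, $ssl);
    printf("%-30s %s\n", $label, $ok ? 'OK' : 'FAILED');
    foreach ($warnings as $w) {
        echo "    $w\n";
    }
}
```

If the `capath` or `cafile` case succeeds while the case without a CA location fails, PHP's stream wrapper is not finding the trust anchors on its own, which separates a PHP configuration issue from a problem with the server's chain.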

