[imp] What to do about the root of our certificate chain?

Cliff Green green at umdnj.edu
Tue May 23 19:22:41 PDT 2006


On 05/23/2006, Otto Stolz wrote about [imp] What to do about the root
of our certificate chain?:

> Hello,
>
> horde/imp/test.php tells me that the root CA in our certificate chain is
> unknown:
>>   * Trying protocol imap/ssl, Port 993:
>>         ERROR - The server returned the following error message:
>> Certificate failure for popserver.uni-konstanz.de: self signed certificate
>> in certificate chain: /C=DE/O=DFN-Verein/OU=DFN-PKI/CN=DFN-Verein PCA
>> Classic - G01
>
> Consequently, it recommends the imap/ssl/novalidate-cert protocol.
> I'd rather use the imap/ssl protocol, so all certificates are checked
> against the certificate chain, back to the root CA.

This is what we do - in my servers.php, all imap servers (UW-IMAP as
well as iPlanet Messaging Server) use 'protocol' => 'imap/ssl'.

There should be a certs directory defined for OpenSSL, and that's
where you need to put the PEM formatted version of your imap server's
cert (or certs, if there's more than one cert or server).  On a Red
Hat box, that's usually predefined as /usr/share/ssl/certs.  If you
built OpenSSL yourself, it's probably in someplace like
/usr/local/ssl/certs (that's where we put them when we ran Horde on a
Solaris box).  You need to determine this.

For our iPlanet server, I just have the certificate portion (the part
between and including the '-----BEGIN CERTIFICATE-----' and '-----END
CERTIFICATE-----' lines); this is signed by a well-known, public
hierarchy CA.  For our UW-IMAP servers, we use our own, self-signed
certs, and include both the cert and private key components in the pem
file in the certs directory; in other words, we just copied the PEM
file from the certs directory on the host the imap daemon is on.

This has been working for us for several years, through several
versions of Horde and imp.

> I do not really understand the error message quoted above.
> - I thought that Imp contacts the IMAP server which presents a certificate
>  to Imp so it can check that it is contacting the real server (and not a
>  fake IMAP server). But then, which server tells Imp that the CA
>  chain is broken?

The OpenSSL libraries compiled into your PHP are doing that work,
after your c-client library does the imap connection.

> - Or is it so that Imp has to present a certificate to the IMAP server
>  so it can be sure that the right client is requesting its services?

I don't believe this is happening.

> In the 1st case, the question does arise: Where is the list of root CAs
> Imp is consulting, and how can I add to it the CA in charge of us?

See above.

> In the 2nd case, the question is: Where do I have to put the certificate
> Imp should present to the server? (And I would have to ask the colleague
> in charge of the IMAP server to add the root CA to his list.)

N/A.

> My environment:
>  IMP: H3 (4.1.1) (installation currently under development)
>  Horde: 3.1.1
>  Apache/1.3.34 (Unix) mod_ssl/2.8.25 OpenSSL/0.9.7e PHP/4.4.2
>  SunOS 5.9
>
> Of course, I have tried to find the answers in the horde-3.1.1/docs/INSTALL,
> horde-3.1.1/docs/SECURITY, imp-h3-4.1.1/docs/INSTALL sources, in the
> Horde Administrator FAQ, in the Horde Wiki, and in the Imp-List archives --
> to no avail.

I know it was discussed a couple of years ago on list, but all I
could find in the archives was:
http://article.gmane.org/gmane.comp.horde.user/663/match=imap+ssl

> Thank you in advance for any enlightenment.

Hope this helps...

c
-- 
Cliff Green
Business Systems & Technologies/UMDNJ
"Without deviation from the norm, progress is not possible."
-- Frank Zappa
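As an added example (not from this mail or from Horde/IMP), the following shell script reproduces the failure quoted above with a throwaway root CA and then fixes it the way the reply describes, by installing the root CA's PEM into an OpenSSL certs directory. It shows that OpenSSL reports "self signed certificate in certificate chain" while the root is unknown to the trust store, and that the installed file must carry the hashed name OpenSSL's -CApath lookup expects. Host names and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original mail or Horde: reproduce the
# "self signed certificate in certificate chain" failure with a throwaway
# CA, then fix it by installing the root CA's PEM into an OpenSSL certs
# directory. Host names and paths are constructed for the demonstration.

install_root_ca_and_verify() {
    work=$(mktemp -d) || return 1
    certs_dir="$work/certs"   # stands in for /usr/share/ssl/certs or similar
    mkdir -p "$certs_dir"

    # 1. Throwaway self-signed root CA (stands in for the site's real root).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/C=XX/O=Example Org/CN=Example Test Root CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1 || return 1

    # 2. Server certificate for a constructed IMAP host, signed by that root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=imap.example.invalid" \
        -keyout "$work/srv.key" -out "$work/srv.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 2 -in "$work/srv.csr" -CA "$work/ca.pem" \
        -CAkey "$work/ca.key" -CAcreateserial -out "$work/srv.pem" \
        >/dev/null 2>&1 || return 1

    # 3. The server hands the client its chain (leaf + root) but the root is
    #    not in the trust store: OpenSSL reports the error the mail quotes.
    #    "-untrusted" plays the role of the chain sent by the server.
    out=$(openssl verify -CApath "$certs_dir" -untrusted "$work/ca.pem" \
        "$work/srv.pem" 2>&1)
    echo "$out" | grep -qi 'self.signed certificate in certificate chain' \
        || { echo "expected chain error, got: $out"; return 1; }

    # 4. Install the root. -CApath lookups only find files named
    #    <subject hash>.<n>, so dropping in root.pem under any other name
    #    does nothing (c_rehash / 'openssl rehash' creates these links).
    hash=$(openssl x509 -noout -subject_hash -in "$work/ca.pem")
    cp "$work/ca.pem" "$certs_dir/$hash.0"

    # 5. Same check again: the chain now validates back to the installed root.
    openssl verify -CApath "$certs_dir" -untrusted "$work/ca.pem" \
        "$work/srv.pem" >/dev/null 2>&1
    rc=$?
    rm -rf "$work"
    return $rc
}

install_root_ca_and_verify && echo "chain verified against installed root CA"
```

Point -CApath at the certs directory your PHP's OpenSSL actually uses; if the directory has no hashed entries, adding the PEM alone will not change the result of the check.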


