[imp] Cannot connect via imap/ssl

Otto Stolz Otto.Stolz at uni-konstanz.de
Tue Jul 11 11:01:24 PDT 2006


Hi Christian,

thank you for your hint:
> did you try  
>  'protocol' => 'imap/ssl/novalidate-cert',
> 
> if the ssl-cert is self signed (at least it seems to be self signed by
> the uni), then you need this...

I have configured the OpenSSL client so it knows, and trusts,
the certificates back to the self-signed root certificate
of the DFN-Verein at Hamburg (our root CA). See below,
for details.

Before that, imp/test.php had recommended only
imap/ssl/novalidate-cert; afterwards, it has recommended
both imap/ssl and imap/ssl/novalidate-cert.
(Not to mention the TLS variants that will not work
with PHP 4, according to the docs.)

I have also tried another server that is not certified
by the DFN-Verein. So imp/test.php recommends just
imap/ssl/novalidate-cert (and, of course imap/notls).
I could reach that server via imap/notls, but again,
imap/ssl/novalidate-cert triggered that same sibylline
error message.

I definitely think that this is not an OpenSSL issue,
all the more as imp/test.php can talk to those servers
via IMAP/SSL.

I do not know where that message comes from. It just says:
> Error connecting to IMAP server. 0 : Error 0.
No module name, no source line included.

It may well be an incompatibility between Imp H3 (4.1.1)
and my PHP/PEAR environment. As said before, I have
PHP 4.4.2; the basedir restriction is active.
As said before, imp-h3-4.1.1/config/servers.php.dist says:
> If using a version of PHP less than 5.1.0, the following
> options are available:
> 1. RECOMMENDED - If a secure IMAP connection is needed,
>    use a direct connection to a SSL enabled IMAP port
>    (e.g. 'imap/ssl').
This is what I have tried.

Currently, my test machine is down due to a disk error.
When my colleague has succeeded in clearing the resulting
debris and getting the machine up and running, I will try
imp-h3-4.1.2; note however, that the documentation in
servers.php.dist has not changed (I have diff-ed it,
a minute ago).

Thanks again for your hint.

Best wishes,
    Otto Stolz

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How to tell OpenSSL (under Solaris) to trust a certificate chain,
all the way back to its self-signed root certificate:

su - root -c '/usr/bin/tcsh'
    cd /usr/local/ssl/certs
    set wz=dfn-classic.pem
    wget http://www.uni-konstanz.de/pki/Zertifikate/$wz
    ln -s $wz `openssl x509 -in $wz -hash | head -1`.0
    exit

In natural speech:
1. store the root certificate, in PEM format, in
    /usr/local/ssl/certs
2. Ask OpenSSL for a particular hash of this certificate.
3. Put into /usr/local/ssl/certs a soft link to the certificate,
    named with this hash followed by ".0".

Now we have two entries in that directory:
lrwxrwxrwx  6536328f.0 -> dfn-classic.pem
-rw-r--r--  dfn-classic.pem

The server will present its public key together with the
whole certificate chain back to the root; OpenSSL will
verify each signature by means of the next higher certificate,
and the self-signed root certificate by means of those
entries in /usr/local/ssl/certs.
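
As an added example (not part of Otto's message), here is a POSIX shell script that does the same job as the tcsh one-liner above, plus the two things the one-liner skips: it bumps the suffix when `<hash>.0` is already taken by a different certificate, and it checks the result with `openssl verify -CApath`. It also prints the root's SHA-256 fingerprint, which is worth comparing against a value obtained out of band, since the original fetched the root over plain http. The paths ($WORK, $CAPATH), the "Example Test Root CA" and "imap.example.test" names and the throwaway keys are all constructed here so the script runs offline; they are not the DFN certificates.

```shell
#!/bin/sh
# Added example, not from the original post: install a root CA into an
# OpenSSL "hash directory" and check that a server chain verifies against
# it. WORK and CAPATH are assumed scratch locations standing in for
# /usr/local/ssl/certs; the CA and server certificates are constructed
# here with throwaway keys so the script runs offline.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CAPATH="$WORK/certs"
mkdir -p "$CAPATH"

# Constructed test data: a self-signed root and a server cert it signs.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Example Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=imap.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Copy a PEM root into CAPATH and create the <subject-hash>.<n> link that
# -CApath lookups need. n starts at 0 and is bumped when that name is taken
# by a *different* certificate; installing the same root twice is a no-op.
# Prints the link name on stdout and the root's fingerprint on stderr so it
# can be compared against a value obtained out of band.
install_ca() {
    pem="$1"
    name=$(basename "$pem")
    fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    echo "$name: $fp" >&2
    cp "$pem" "$CAPATH/$name"
    subj_hash=$(openssl x509 -in "$pem" -noout -hash)
    n=0
    while [ -e "$CAPATH/$subj_hash.$n" ]; do
        existing=$(openssl x509 -in "$CAPATH/$subj_hash.$n" -noout -fingerprint -sha256)
        if [ "$existing" = "$fp" ]; then
            echo "$subj_hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    ln -s "$name" "$CAPATH/$subj_hash.$n"
    echo "$subj_hash.$n"
}

# Verify a server certificate against a directory of hashed roots.
verify_in() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

make_test_chain
link=$(install_ca "$WORK/ca.pem")
echo "root installed as $CAPATH/$link"

# Control: the same PEM dropped into a directory *without* the hash link
# is invisible to -CApath, which is the situation before step 3 above.
NOLINK="$WORK/certs-nolink"
mkdir -p "$NOLINK"
cp "$WORK/ca.pem" "$NOLINK/"

if verify_in "$CAPATH" "$WORK/srv.pem"; then
    echo "srv.pem verifies against $CAPATH"
else
    echo "srv.pem does NOT verify against $CAPATH"
fi
if verify_in "$NOLINK" "$WORK/srv.pem"; then
    echo "srv.pem unexpectedly verifies against $NOLINK"
else
    echo "srv.pem does not verify against $NOLINK (no hash link)"
fi
```

One caveat on the link name: OpenSSL 0.9.x, the generation a 2006 Solaris box would have run, derived it from an MD5-based subject hash; OpenSSL 1.0.0 and later use a SHA-1-based one, so a directory prepared with a new toolkit is not readable by an old client unless you also add the link printed by `openssl x509 -noout -subject_hash_old`. `c_rehash` (or `openssl rehash` in 1.1.0 and later) generates all the links for a directory in one go.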
More information about the imp mailing list