[imp] Cannot connect via imap/ssl
Otto Stolz
Otto.Stolz at uni-konstanz.de
Tue Jul 11 11:01:24 PDT 2006
Hi Christian,
thank you for your hint:
> did you try
> 'protocol' => 'imap/ssl/novalidate-cert',
>
> if the ssl-cert is self signed (at least it seems to be self signed by
> the uni), then you need this...
I have configured the OpenSSL client so it knows, and trusts,
the certificates back to the self-signed root certificate
of the DFN-Verein at Hamburg (our root CA). See below,
for details.
Before that, imp/test.php had recommended only
imap/ssl/novalidate-cert; afterwards, it has recommended
both imap/ssl and imap/ssl/novalidate-cert.
(Not to mention the TLS variants that will not work
with PHP 4, according to the docs.)
I have also tried another server that is not certified
by the DFN-Verein. So imp/test.php recommends just
imap/ssl/novalidate-cert (and, of course imap/notls).
I could reach that server via imap/notls, but again,
imap/ssl/novalidate-cert triggered that same sibylline
error message.
I definitely think that this is not an OpenSSL issue,
all the more as imp/test.php can talk to those servers
via IMAP/SSL.
I do not know where that message comes from. It just says:
> Error connecting to IMAP server. 0 : Error 0.
No module name, no source line included.
It may well be an incompatibility between Imp H3 (4.1.1)
and my PHP/PEAR environment. As said before, I have
PHP 4.4.2; the basedir restriction is active.
As said before, imp-h3-4.1.1/config/servers.php.dist says:
> If using a version of PHP less than 5.1.0, the following
> options are available:
> 1. RECOMMENDED - If a secure IMAP connection is needed,
> use a direct connection to a SSL enabled IMAP port
> (e.g. 'imap/ssl').
This is what I have tried.
Currently, my test machine is down due to a disk error.
When my colleague has succeeded in clearing the resulting
debris and getting the machine up and running, I will try
imp-h3-4.1.2; note however, that the documentation in
servers.php.dist has not changed (I have diffed it,
a minute ago).
Thanks again for your hint.
Best wishes,
Otto Stolz
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How to tell OpenSSL (under Solaris) to trust a certificate chain,
all the way back to its self-signed root certificate:
su - root -c '/usr/bin/tcsh'
cd /usr/local/ssl/certs
set wz=dfn-classic.pem
wget http://www.uni-konstanz.de/pki/Zertifikate/$wz
ln -s $wz `openssl x509 -in $wz -hash | head -1`.0
exit
In natural speech:
1. Store the root certificate, in PEM format, in
/usr/local/ssl/certs.
2. Ask OpenSSL for a particular hash of this certificate.
3. Put into /usr/local/ssl/certs a soft link to the certificate,
named with this hash followed by ".0".
Now we have two entries in that directory:
lrwxrwxrwx 6536328f.0 -> dfn-classic.pem
-rw-r--r-- dfn-classic.pem
The server will present its public key together with the
whole certificate chain back to the root; OpenSSL will
verify each signature by means of the next higher certificate,
and the self-signed root certificate by means of those
entries in /usr/local/ssl/certs.
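The following script is an added example (not part of Otto's mail, and not Horde/IMP code) that reproduces the mechanism described above with a throwaway PKI, so the effect of the hash-named symlink can be observed directly: OpenSSL only finds a trust anchor in a CApath directory through a link named <subject-hash>.0, so a root certificate merely copied there is not trusted, while the same certificate plus the link validates the whole chain. It assumes only that the openssl command-line tool is on PATH; every file name, subject and directory below is constructed for the demo. Compared with the tcsh one-liner in the mail it uses -noout instead of head -1, and it additionally creates the pre-1.0 hash name (-subject_hash_old), since the hash algorithm changed with OpenSSL 1.0 and a directory shared by old and new clients needs both links.

```shell
#!/bin/sh
# Added example, not code from the original mail or from Horde/IMP.
# Assumes: the openssl CLI is on PATH. All paths, names and subjects are
# constructed for the demo; none of them are real deployment values.
set -e

# install_ca CAPATH CERT.pem
# Copy CERT into CAPATH and create the hash-named symlink(s) OpenSSL looks
# up. `openssl x509 -hash` prints the subject hash of the running OpenSSL;
# -subject_hash_old prints the pre-1.0 name, so an older client sharing the
# directory still finds the anchor. Prints the current hash.
install_ca() {
    capath=$1; cert=$2
    mkdir -p "$capath"
    base=$(basename "$cert")
    cp "$cert" "$capath/$base"
    h=$(openssl x509 -in "$cert" -noout -hash)
    ln -sf "$base" "$capath/$h.0"
    if hold=$(openssl x509 -in "$cert" -noout -subject_hash_old 2>/dev/null) \
       && [ -n "$hold" ] && [ "$hold" != "$h" ]; then
        ln -sf "$base" "$capath/$hold.0"
    fi
    echo "$h"
}

# verify_against CAPATH CERT.pem  -> prints "ok" or "fail"
# The demo root is in no system store, so "fail" means the issuer chain
# could not be completed from CAPATH (no usable hash link there).
verify_against() {
    if openssl verify -CApath "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# make_demo_pki DIR
# Build a self-signed root and one "server" certificate it signs, mirroring
# the chain "server cert -> self-signed root" from the mail. A private
# config file is used so the result does not depend on the system openssl.cnf.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Demo Root CA (constructed)
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 1 -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=imap.example.invalid" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions v3_leaf \
        -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Stand-alone demo:  sh this_script.sh /tmp/capath-demo
if [ $# -gt 0 ]; then
    make_demo_pki "$1/pki"
    mkdir -p "$1/empty"
    echo "root copied, no hash link: $(verify_against "$1/empty" "$1/pki/leaf.pem")"
    install_ca "$1/capath" "$1/pki/root.pem" >/dev/null
    ls -l "$1/capath"
    echo "root plus hash link:       $(verify_against "$1/capath" "$1/pki/leaf.pem")"
fi
```

Run with a scratch directory as the only argument; the listing it prints has the same shape as the two entries shown above (the hash value differs, because it is computed from the demo root's subject). The first verification reports "fail" and the second "ok", which is exactly why trusting the chain this way is preferable to imap/ssl/novalidate-cert: the latter makes IMP skip the check altogether instead of satisfying it.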