It appears that PHP 5.6.X changed how it handles SSL/TLS connections: it now verifies peer certificates and hostnames by default. How do I know this?
Last Friday my web server, hosted on FreeBSD 10.1, included the following line in its daily security run e-mail:
Checking for packages with security vulnerabilities: php5-5.4.37
At first, I thought I was just going to update to the latest lang/php5, but then I found out that FreeBSD had recently changed its default version of php5 to php56, so I decided to upgrade. I updated the ports tree, fired up a bulk build in poudriere, and an hour later I had fresh packages in my repo.
pkg upgrade had some minor quirks (for instance, I had to remove php5, which in turn removed all the ports that depend on it, and then reinstall them), but in the end I had all the php5-* ports upgraded to 5.6, including mod_php56, and also all the ports that depend on them, such as roundcube, phpmyadmin, drupal, owncloud, wordpress etc.
However, when trying to log into roundcube (which had worked happily for more than a year before the upgrade), I was greeted with “Connection to storage server failed.” A quick look into the roundcube log showed me something was wrong with SSL:
[02-Mar-2015 12:59:28 Europe/Belgrade] PHP Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /usr/local/www/roundcube/program/lib/Roundcube/rcube_imap_generic.php on line 915
[02-Mar-2015 12:59:28 +0100]: <27ldg6ud> IMAP Error: Login failed for firstname.lastname@example.org from IP.ADD.RE.SS. Unable to negotiate TLS in /usr/local/www/roundcube/program/lib/Roundcube/rcube_imap.php on line 198 (POST /mail/?_task=login?_task=login&_action=login)
After a bit of searching I found a thread on the Arch Linux forums which gave me all the information I needed. Basically, all I needed to do was to add the following lines to my roundcube’s configuration:

    $config['imap_conn_options'] = array(
        'ssl' => array(
            'verify_peer'  => true,
            'verify_depth' => 3,
            'cafile'       => '/etc/ssl/public/dovecot.pem',
        ),
    );
Of course, I needed to copy the dovecot.pem file from my IMAP server to the appropriate path.
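To see whether the certificate in dovecot.pem actually satisfies PHP 5.6’s default verification before touching roundcube, here is a small standalone check I added (it is not from the original post and not roundcube’s own code). It passes the same ssl context options as imap_conn_options and walks the same STARTTLS path that ends in stream_socket_enable_crypto(); the host name and ports are assumed placeholders, only the cafile path is taken from the post.

```php
<?php
// Added diagnostic: open an IMAP connection with the same ssl options
// roundcube's imap_conn_options hand to the stream context, and report
// either the verified certificate or the OpenSSL reason for failure.
function check_imap_tls($host, $port, $cafile, $starttls = false) {
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer'       => true,
        'verify_peer_name'  => true,   // hostname check, also on by default in 5.6
        'verify_depth'      => 3,
        'cafile'            => $cafile,
        'capture_peer_cert' => true,   // keep the presented cert for reporting
    )));
    $scheme = $starttls ? 'tcp' : 'ssl';
    $sock = @stream_socket_client("$scheme://$host:$port", $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // For ssl:// the OpenSSL detail ("certificate verify failed") is in
        // the suppressed warning, which error_get_last() still returns.
        $e = error_get_last();
        return "connect failed: $errstr " . ($e ? $e['message'] : '');
    }
    if ($starttls) {
        // Same path roundcube takes on port 143: read the greeting, ask for
        // STARTTLS, then upgrade the socket with stream_socket_enable_crypto().
        fgets($sock);                          // "* OK ..." greeting
        fwrite($sock, "a1 STARTTLS\r\n");
        $resp = fgets($sock);
        if (strpos($resp, 'a1 OK') !== 0) {
            return "server refused STARTTLS: " . trim($resp);
        }
        $ok = @stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
        if ($ok !== true) {
            $e = error_get_last();
            return "TLS negotiation failed: " . ($e ? $e['message'] : 'unknown');
        }
    }
    $params = stream_context_get_params($sock);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($sock);
    return sprintf("verified: CN=%s, valid until %s",
                   $cert['subject']['CN'], date('c', $cert['validTo_time_t']));
}

// Assumed host and ports; the cafile path is the one used in the post.
echo check_imap_tls('imap.example.org', 993, '/etc/ssl/public/dovecot.pem'), "\n";
echo check_imap_tls('imap.example.org', 143, '/etc/ssl/public/dovecot.pem', true), "\n";
```

If the IMAPS check passes but the STARTTLS one fails, the problem is in the upgrade step roundcube uses rather than in the certificate itself; if both report “certificate verify failed”, the cafile does not match the chain the server presents.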
After this I logged in to roundcube just fine, thinking that everything was fixed. However, a few minutes later I realized that the managesieve plugin didn’t work either. A few lines in managesieve’s config.inc.php later, I could access my filter settings again:

    $config['managesieve_conn_options'] = array(
        'ssl' => array(
            'verify_peer'  => true,
            'verify_depth' => 3,
            'cafile'       => '/etc/ssl/public/dovecot.pem',
        ),
    );
I guess there are more roundcube plugins that will be affected by the change, but I can’t verify this as I don’t use them.
The *_conn_options settings already existed, and are nicely explained in both roundcube’s defaults.inc.php and managesieve’s config.inc.php.dist. It is just that they didn’t need to be set with PHP 5.4.X.
Hope this saves some time for roundcube and php56 upgraders.