Subject: Re: PHP and openssl
To: byrnejb@harte-lyne.ca, freebsd-questions@freebsd.org
From: "Derek (freebsd lists)" <482254ac@razorfever.net>
Date: Mon, 30 Apr 2018 16:25:57 -0400

On 18-04-30 10:29 AM, James B. Byrne via freebsd-questions wrote:
> I am trying to get a Squirrelmail-1.4.23, running on FreeBSD-11.1
> under Apache-2.4.33, to connect to our existing Cyrus-IMAP and SMTP
> services using TLS. Examination of the web service log files for ssh
> reveals these messages:
>
> [Mon Apr 30 09:10:22.510233 2018] [:error] [pid 75098] [client
> 192.168.209.44:36022] PHP Warning: fsockopen(): SSL operation failed
> with code 1. OpenSSL Error messages:\nerror:14090086:SSL
> routines:ssl3_get_server_certificate:certificate verify failed in
> /usr/local/www/squirrelmail/src/configtest.php on line 406
> ...
>
> Now, if I connect to inet08.hamilton.harte-lyne.ca:465 using openssl
> s_client I see this:
>
> openssl s_client -connect inet08.hamilton.harte-lyne.ca:465
> CONNECTED(00000003)
> depth=2 CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited,
> OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L =
> Hamilton
> verify error:num=19:self signed certificate in certificate chain
> ---

This looks to me like you don't have your custom CA (or cert) in
your certificate chain.

You might have the option to disable strict checking, but better:
install the custom certificate on the machine.

This thread seems relevant:

https://lists.freebsd.org/pipermail/freebsd-questions/2015-March/264652.html

or this:

https://stackoverflow.com/questions/41772340/how-do-i-add-a-certificate-authority-to-php-so-the-file-function-trusts-certif?rq=1

Hope that helps!
Derek
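
The failure and the fix discussed in this message, reproduced offline with a throwaway PKI. This is an added example, not part of the original message; the CA name, host name and file names are constructed for illustration, and it assumes an `openssl` binary with its default configuration file.

```shell
#!/bin/sh
# Constructed demo PKI; every name and path below is made up for illustration.

make_demo_pki() {   # $1 = empty working directory
    # Private, self-signed root CA, standing in for a site's in-house CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Private Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
    # Server key and signing request, then a certificate issued by that CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/srv.csr" -days 2 -CAcreateserial \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -out "$1/srv.pem" 2>/dev/null
}

# Client that does not trust the CA: the peer presents leaf + root
# (-untrusted), but no trust anchor matches, so the chain is rejected.
verify_without_ca() {
    openssl verify -untrusted "$1/ca.pem" "$1/srv.pem" 2>&1
}

# Same chain once the private CA has been installed as a trust anchor.
verify_with_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/srv.pem" 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || { rm -rf "$d"; return 1; }
    echo "== CA not trusted =="
    verify_without_ca "$d" || echo "(rejected, exit status non-zero)"
    echo "== CA supplied as trust anchor =="
    verify_with_ca "$d"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo
```

For PHP, the same CA file can be supplied as the trust anchor through the `openssl.cafile` setting in php.ini, or by adding the CA to the system trust store.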