Roundcube Community Forum

TLS Handshake Error

Started by quwax, November 17, 2021, 10:51:19 AM


quwax

Hello,
I'm running an old Mac-Server with OSX 10.11 Server installed. On the box I installed php7.3.8 with the script from Liip and I'm getting a TLS handshake error - unknown error.
What I did then was set the imap and smtp options like this:
$config['imap_conn_options'] = [
  'ssl' => [
    'verify_peer'             => false,
    'capture_peer_cert_chain' => true,
    'verify_depth'            => 3,
    'cafile'                  => '/private/etc/certificates/GandiStandardSSLCA2.pem',
    'local_pk'                => '/private/etc/certificates/my.key.pem',
    'local_cert'              => '/private/etc/certificates/my.chain.pem',
  ],
];

The certificate is a multi-domain one.
Postfix and Dovecot still show a TLS Handshake error in

What also shakes me is that the option $config['enable_installer'] = false; is also not working.
But the config file is loaded, I changed the product_name several times.

My guess is that I set the certificates up wrong, and that not being able to disable the installer might be a bug that has nothing to do with the TLS error.
Thanks for any input :-)
Q

quwax

So I got it working this way:
$config['imap_conn_options'] = [
  'ssl' => [
    'verify_peer'             => false,
    'capture_peer_cert_chain' => true,
    'verify_depth'            => 3,
    'cafile'                  => '/etc/certificates/my.chain.pem',
    'local_pk'                => '/etc/certificates/my.key.pem',
  ],
];

As soon as verify_peer is true I get a TLS error again: TLS handshaking: SSL_accept() failed: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: SSL alert number 48, which still points to a problem with certificates.
The installer I still can't switch off :(

wineguy

You've disabled peer certificate verification, which probably isn't what you want to do.

Instead, update the webserver certificate so that it includes the entire certificate chain: certificate, intermediate certificates, and CA certificate, in that order.

Then update the certificate chain for your imap server (e.g., dovecot) in the same manner. 

Note that your imap server and your webserver may store their certificates in different places (or may be on physically different hardware), so ensure that you update both sets of certificates.

Also, make sure that your roundcube configuration refers to the FQDN of the imap server. If you use 'localhost', the certificate cannot possibly be verified.
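To illustrate the advice above, here is an added example (not code from either poster or from Roundcube itself) that puts the weak context beside a verifying one and opens a TLS connection with the same options Roundcube will use, so the chain can be checked before Roundcube is pointed at it. The host name imap.example.com is a hypothetical placeholder, and the chain path is the one from the thread.

```php
<?php
// Weak: verification is off, so any certificate (or none) is accepted silently.
$weak = ['ssl' => ['verify_peer' => false]];

// Hardened: verify the server against the full chain (leaf, intermediates, CA, in that order).
// local_cert/local_pk are client-certificate options; they are not needed to verify the server.
$config['imap_host'] = 'ssl://imap.example.com:993';   // FQDN, never 'localhost' (placeholder host)
$config['imap_conn_options'] = [
  'ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'cafile'           => '/etc/certificates/my.chain.pem',
    'verify_depth'     => 3,
  ],
];

/**
 * Connect with the given SSL context and report the chain the server presented.
 * Returns [bool ok, string detail].
 */
function checkImapTls(string $host, int $port, array $sslOpts): array
{
    $sslOpts['capture_peer_cert_chain'] = true;
    $ctx  = stream_context_create(['ssl' => $sslOpts]);
    $sock = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // An "unknown ca" alert at this point means the chain file is incomplete
        // or mis-ordered, or the host name does not match the certificate.
        return [false, "handshake failed: $errstr ($errno)"];
    }
    $chain = stream_context_get_options($ctx)['ssl']['peer_certificate_chain'] ?? [];
    $lines = [];
    foreach ($chain as $i => $cert) {
        $p = openssl_x509_parse($cert);
        $lines[] = sprintf('%d: subject=%s issuer=%s', $i,
                           $p['subject']['CN'] ?? '?', $p['issuer']['CN'] ?? '?');
    }
    fclose($sock);
    // Each entry's issuer should be the next entry's subject; a gap means a missing intermediate.
    return [true, implode("\n", $lines)];
}

[$ok, $detail] = checkImapTls('imap.example.com', 993, $config['imap_conn_options']['ssl']);
echo ($ok ? "OK\n" : "FAIL\n") . $detail . "\n";
```

On Roundcube releases before 1.5 the host setting is named default_host rather than imap_host; the ssl context options are the same.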