Provide Self Signed Certificate to SquirrelMail

This section provides a tutorial example on how to download the self-signed certificate from the mail server and provide it to SquirrelMail as a trusted certificate, which resolves the invalid certificate error.

Continuing from the previous tutorial, let's find a way to make SquirrelMail accept the self-signed certificate used by a remote mail server.

1. Download the self signed certificate from the remote IMAPS server.

herong$ openssl s_client -connect 192.168.1.100:993

depth=0 ..., CN = 192.168.1.100, ...
verify error:num=18:self signed certificate
...
Server certificate
-----BEGIN CERTIFICATE-----
MIID5TCCAs2gAwIBAgIUVPSyH5TDRDSyzDp0w3aTKV7qyIswDQYJKoZIhvcNAQEL
BQAwgaAxCzAJBgNVBAYTAkNOMRIwEAYDVQQIDAlHdWFuZ2RvbmcxETAPBgNVBAcM
CFNoZW56aGVuMRYwFAYDVQQKDA1UYXJnZXRSeCBJbmMuMRQwEgYDVQQLDAtNYWls
...
wSQq2F5TcqIL/QfUhkOHd9cdY4LlJctfTQeruRvDD8ezF9cRmV5Pjx8=
-----END CERTIFICATE-----

2. Save the above certificate in a file, 192-168-1-100.crt. We need to provide it to the PHP environment as a trusted certificate; there are 3 possible ways to do this.

3. Run another PHP function call to find out where PHP searches for CA certificates.

herong$ php -r "print_r(openssl_get_cert_locations());"
Array
(
  [default_cert_file] => /etc/pki/tls/cert.pem
  [default_cert_file_env] => SSL_CERT_FILE
  [default_cert_dir] => /etc/pki/tls/certs
  [default_cert_dir_env] => SSL_CERT_DIR
  [default_private_dir] => /etc/pki/tls/private
  [default_default_cert_area] => /etc/pki/tls
  [ini_cafile] =>
  [ini_capath] =>
)

4. Look at the first entry, /etc/pki/tls/cert.pem, in the search locations above. It contains 136 CA certificates.

herong$ ls -l /etc/pki/tls/cert.pem

lrwxrwxrwx. 1 root root 49 Aug 12  2020 /etc/pki/tls/cert.pem ->
  /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

herong$ grep BEGIN cert.pem | wc
  136     274    3836

5. Add the self-signed certificate to the end of /etc/pki/tls/cert.pem, then run the simulation code again. I do not see any errors. That is good.

herong$ su
# cat 192-168-1-100.crt >> /etc/pki/tls/cert.pem
# exit

herong$ php -r 'fsockopen("tls://192.168.1.100", 993, $errno, $errmsg, 5);'

6. Run the SquirrelMail test script again. I see no errors. SquirrelMail is accepting the self-signed certificate now.

herong$ firefox http://localhost/mailx/src/configtest.php

Checking IMAP service....
    IMAP server ready (* OK [CAPABILITY IMAP4rev1 SASL-IR ...

7. Log in to SquirrelMail Webmail in a Web browser. I can retrieve emails from the mail server.

herong$ firefox http://localhost/mailx

Please also notice that:

1. It seems to me that if "default_cert_file" is provided, PHP OpenSSL will not look at "default_cert_dir" for CA certificates.

2. There is a config.php example on the SquirrelMail sourceforge.net Website that suggests using $imap_stream_options to provide self-signed certificates. But this setting is not supported in the SquirrelMail 1.4.22 stable version. This could be a new feature in newer versions.

* $imap_stream_options = array(
*     'ssl' => array(
*         'cafile' => '/etc/pki/tls/certs/ca-bundle.crt',
*         'verify_peer' => true,
*         'verify_depth' => 3,
*     ),
* );
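As an added example (not part of this tutorial and not SquirrelMail code), the check PHP performed in step 5 can be run with the trust anchor limited to the downloaded certificate through a stream context, the same mechanism the $imap_stream_options snippet above is meant to configure, instead of appending the certificate to the system-wide /etc/pki/tls/cert.pem bundle. It also compares the server's SHA-256 fingerprint with a value recorded on the mail server itself, so that a certificate fetched over the network with openssl s_client is checked before it is trusted. The host and port are the tutorial's; the certificate path and the expected fingerprint are assumed placeholders.

```php
<?php
// Added example, not from the tutorial: connect to the IMAPS server trusting
// ONLY the downloaded self-signed certificate, and verify its fingerprint.
const IMAPS_HOST = '192.168.1.100';                          // from the tutorial
const IMAPS_PORT = 993;
const CA_FILE    = '/etc/squirrelmail/192-168-1-100.crt';    // assumed location
// SHA-256 fingerprint read ON the mail server (not over the network), e.g.:
//   openssl x509 -in server.crt -noout -fingerprint -sha256
// Placeholder value; replace with the real one.
const EXPECTED_SHA256 = 'REPLACE_WITH_FINGERPRINT_FROM_MAIL_SERVER';

function checkImaps(string $host, int $port, string $caFile, string $expectedFp): bool
{
    $ctx = stream_context_create(['ssl' => [
        'cafile'            => $caFile,  // trust anchor limited to this file
        'verify_peer'       => true,
        'verify_peer_name'  => true,     // CN/SAN must match $host
        'allow_self_signed' => false,    // self-signed accepted only via cafile
        'capture_peer_cert' => true,     // expose the cert for fingerprinting
    ]]);
    $sock = @stream_socket_client("tls://$host:$port", $errno, $errstr, 5,
                                  STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        echo "TLS handshake failed: [$errno] $errstr\n";
        return false;
    }
    $cert = stream_context_get_params($sock)['options']['ssl']['peer_certificate'];
    $fp   = openssl_x509_fingerprint($cert, 'sha256');   // lowercase hex, no colons
    $info = openssl_x509_parse($cert);
    echo "Subject CN: {$info['subject']['CN']}, valid until: "
       . date('Y-m-d', $info['validTo_time_t']) . "\n";
    echo "SHA-256 fingerprint: $fp\n";
    // Server greeting, as configtest.php shows it: "* OK [CAPABILITY IMAP4rev1 ..."
    echo trim((string) fgets($sock)) . "\n";
    fclose($sock);
    // Normalise the CLI form (AA:BB:...) to PHP's form before comparing.
    $want  = str_replace(':', '', strtolower($expectedFp));
    $match = hash_equals($want, $fp);
    echo $match ? "Fingerprint matches the value recorded on the server.\n"
                : "WARNING: fingerprint differs from the recorded value; do not trust it.\n";
    return $match;
}

exit(checkImaps(IMAPS_HOST, IMAPS_PORT, CA_FILE, EXPECTED_SHA256) ? 0 : 1);
```

A non-zero exit status means either the handshake failed against the pinned file or the fingerprint did not match, which is the case to investigate before adding the certificate to any trust store.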
