On 11.08.2017 09:40, Michael Grimm wrote: > I had had to install FreeBSD's ca_root_nss port [1] as well. Do you > have those root certificates in place at your host running roundcube?
The Gentoo equivalent package is app-misc/ca-certificates, and yes, it is installed. Additionally, I manually placed certs for my own CA and for Let's Encrypt CAs into /usr/local/share/ca-certificates, which is Gentoo's recommended method of providing additional CA information. My php.ini contains openssl.cafile=/etc/ssl/certs/ca-certificates.crt which is generated by Gentoo and contains all certs in one big file (See "man update-ca-certificates"). What I have done today is to rebuild OpenSSL, PHP and even Apache, in that order. It seemed a long shot, but I had run out of ideas. Lo and behold, rebuilding has done the trick! A simple $config['default_host'] = 'ssl://imap.some.domain'; without any additional options is now sufficient, and peer verification obviously works, as I also verified using openssl s_client -showcerts -connect imap.some.domain:993 I'm obviously glad, but still, colour me surprised. :-P -Ralph _______________________________________________ Roundcube Users mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/users
