On 11.08.2017 09:40, Michael Grimm wrote:

> I had had to install FreeBSD's ca_root_nss port [1] as well. Do you
> have those root certificates in place at your host running roundcube?

The Gentoo equivalent package is app-misc/ca-certificates, and yes, it
is installed. Additionally, I manually placed certs for my own CA and
for Let's Encrypt CAs into /usr/local/share/ca-certificates, which is
Gentoo's recommended method of providing additional CA information. My
php.ini contains

  openssl.cafile=/etc/ssl/certs/ca-certificates.crt

which is generated by Gentoo and contains all certs in one big file (See
"man update-ca-certificates").


What I have done today is to rebuild OpenSSL, PHP and even Apache, in
that order. It seemed a long shot, but I had run out of ideas. Lo and
behold, rebuilding has done the trick! A simple

  $config['default_host'] = 'ssl://imap.some.domain';

without any additional options is now sufficient, and peer verification
obviously works, as I also verified using

  openssl s_client -showcerts -connect imap.some.domain:993

I'm obviously glad, but still, colour me surprised. :-P

-Ralph
_______________________________________________
Roundcube Users mailing list
users@lists.roundcube.net
http://lists.roundcube.net/mailman/listinfo/users

Reply via email to