# PHP imap SSL Certificate failure on newer Gentoo systems

## yolabingo

I think this may be a net-libs/c-client or openssl issue but it's over my head. No, I'm not using a self-signed cert, nor is it an SNI issue.

Several gentoo machines cannot connect to an imap/pop3 server via PHP's imap_open() using SSL or STARTTLS, unless it skips certificate validation.

In all cases the connection fails and says "PHP Notice:  Unknown: Certificate failure"

This problem occurs with any IMAP/POP3 server - I'm just using Outlook and Earthlink as examples.

```
<?php imap_open('{outlook.office365.com:993/ssl/service=imap}',  'foo', 'bar');

...

PHP Notice:  Unknown: Certificate failure for outlook.office365.com: (null): /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=outlook.com (errflg=2) in Unknown on line 0 
```

Earthlink was the only server I could find not using a wildcard (I thought that might be causing a hostname mismatch). They use STARTTLS on port 143.

```
<?php imap_open('{imap.earthlink.net:143/service=imap}',  'foo', 'bar');

...

PHP Notice:  Unknown: Certificate failure for imap.earthlink.net: (null): /OU=Domain Control Validated/OU=Hosted by WINDSTREAM COMMUNICATIONS, LLC/OU=COMODO SSL Unified Communications/CN=imap.earthlink.net (errflg=2) in Unknown on line 0 
```

The "Certificate failure for" error message comes from line 175 in ssl_unix.c of net-libs/c-client, which PHP uses for its IMAP implementation.

```
c-client/ssl_unix.c-147-/* Start SSL/TLS negotiations
c-client/ssl_unix.c-148- * Accepts: open TCP stream of session
c-client/ssl_unix.c-149- *       user's host name
c-client/ssl_unix.c-150- *       flags
c-client/ssl_unix.c-151- * Returns: SSL stream if success else NIL
c-client/ssl_unix.c-152- */
c-client/ssl_unix.c-153-
c-client/ssl_unix.c-154-static SSLSTREAM *ssl_start (TCPSTREAM *tstream,char *host,unsigned long flags)
c-client/ssl_unix.c-155-{
c-client/ssl_unix.c-156-  char *reason,tmp[MAILTMPLEN];
c-client/ssl_unix.c-157-  sslfailure_t sf = (sslfailure_t) mail_parameters (NIL,GET_SSLFAILURE,NIL);
c-client/ssl_unix.c-158-  blocknotify_t bn = (blocknotify_t) mail_parameters (NIL,GET_BLOCKNOTIFY,NIL);
c-client/ssl_unix.c-159-  void *data = (*bn) (BLOCK_SENSITIVE,NIL);
c-client/ssl_unix.c-160-  SSLSTREAM *stream = (SSLSTREAM *) memset (fs_get (sizeof (SSLSTREAM)),0,
c-client/ssl_unix.c-161-                   sizeof (SSLSTREAM));
c-client/ssl_unix.c-162-  stream->tcpstream = tstream;   /* bind TCP stream */
c-client/ssl_unix.c-163-            /* do the work */
c-client/ssl_unix.c-164-  reason = ssl_start_work (stream,host,flags);
c-client/ssl_unix.c-165-  (*bn) (BLOCK_NONSENSITIVE,data);
c-client/ssl_unix.c-166-  if (reason) {         /* failed? */
c-client/ssl_unix.c-167-    ssl_close (stream);      /* failed to do SSL */
c-client/ssl_unix.c-168-    stream = NIL;      /* no stream returned */
c-client/ssl_unix.c-169-    switch (*reason) {      /* analyze reason */
c-client/ssl_unix.c-170-    case '*':         /* certificate failure */
c-client/ssl_unix.c-171-      ++reason;         /* skip over certificate failure indication */
c-client/ssl_unix.c-172-            /* pass to error callback */
c-client/ssl_unix.c-173-      if (sf) (*sf) (host,reason,flags);
c-client/ssl_unix.c-174-      else {         /* no error callback, build error message */
c-client/ssl_unix.c:175:   sprintf (tmp,"Certificate failure for %.80s: %.512s",host,reason);
```

Using /novalidate-cert or /notls in imap_open() allows the secure connections, and in the examples above I get authentication failure (in the case of bogus accounts above) or successful logins, as expected.

On servers with this issue, all versions of PHP are affected - from 5.6 to 7.3.

PHP built from source (not via portage) on these machines exhibits the same problem.

All machines involved use profile default/linux/amd64/17.0 (stable) and these versions of related software:

```
app-misc/ca-certificates-20180409.3.37
dev-lang/php-5.6.40-r1
dev-lang/php-7.2.16
dev-lang/php-7.3.5
dev-libs/openssl-1.0.2r
net-libs/c-client-2007f-r6
virtual/imap-c-client-2
```

Switching to openssl 1.1 does not change things.

The openssl CLI tool will connect to these same servers without error.

Curiously, I have a number of Gentoo machines that were os'ed years ago but are fairly up to date, and which do not exhibit this problem, even though they are running the same versions of openssl, c-client, and PHP. The machines that can't connect were clean installs within the last 18 months.

I have not been able to reproduce this on other Linux distros.

Strace shows the PHP client connects and retrieves the cert from the IMAP server, then it opens the appropriate CA cert in /etc/ssl/certs - both the old and new servers get this far. On the servers that fail, it appears to fail right after this.

I ran PHP through gdb while running imap_open() - it shows it delve into c-client then openssl to verify the cert, but I cannot tell what causes the failure.

random breakpoint:

```
#1  0x00007ffff75a0d19 in X509_verify_cert () from /usr/lib64/libcrypto.so.1.0.0
#2  0x00007ffff7228eb8 in ssl_verify_cert_chain () from /usr/lib64/libssl.so.1.0.0
#3  0x00007ffff720306b in ssl3_get_server_certificate () from /usr/lib64/libssl.so.1.0.0
#4  0x00007ffff7208062 in ssl3_connect () from /usr/lib64/libssl.so.1.0.0
#5  0x00007ffff720cbb6 in ssl3_write_bytes () from /usr/lib64/libssl.so.1.0.0
#6  0x00007ffff78ae5ee in ?? () from /usr/lib64/libc-client.so.1
#7  0x00007ffff78eb81b in imap_open () from /usr/lib64/libc-client.so.1
#8  0x00007ffff78bd10a in mail_open_work () from /usr/lib64/libc-client.so.1
#9  0x00007ffff78c29b4 in mail_open () from /usr/lib64/libc-client.so.1
#10 0x00005555557e47a0 in php_imap_do_open (execute_data=<optimized out>, return_value=0x7ffff0e1d360, return_value=0x7ffff0e1d360, persistent=0) at /usr/local/src/php-7.2.19/ext/imap/php_imap.c:1255
#11 zif_imap_open () at /usr/local/src/php-7.2.19/ext/imap/php_imap.c:1276
#12 0x0000555555addfb9 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER () at /usr/local/src/php-7.2.19/Zend/zend_vm_execute.h:617
#13 execute_ex () at /usr/local/src/php-7.2.19/Zend/zend_vm_execute.h:59750
#14 0x0000555555ae5818 in zend_execute (op_array=0x7ffff0e862a0, return_value=0x0) at /usr/local/src/php-7.2.19/Zend/zend_vm_execute.h:63776
#15 0x0000555555a433d3 in zend_execute_scripts () at /usr/local/src/php-7.2.19/Zend/zend.c:1498
#16 0x00005555559e0b18 in php_execute_script () at /usr/local/src/php-7.2.19/main/main.c:2594
#17 0x0000555555ae7e1e in do_cli (argc=3, argv=0x555556590160) at /usr/local/src/php-7.2.19/sapi/cli/php_cli.c:1011
#18 0x00005555556d8a8f in main (argc=3, argv=0x555556590160) at /usr/local/src/php-7.2.19/sapi/cli/php_cli.c:1403
```

emerge --info

```
Portage 2.3.62 (python 3.6.5-final-0, default/linux/amd64/17.0, gcc-8.3.0, glibc-2.29-r2, 4.19.27-gentoo-r1 x86_64)
=================================================================
System uname: Linux-4.19.27-gentoo-r1-x86_64-Intel-R-_Core-TM-_i5-6400_CPU_@_2.70GHz-with-gentoo-2.6
KiB Mem:     8134824 total,   2701228 free
KiB Swap:    6143996 total,   3168788 free
Timestamp of repository gentoo: Thu, 16 May 2019 00:45:01 +0000
Head commit of repository gentoo: 25325bdf06b16da900135f4f50210affc9553a74
sh bash 4.4_p23-r1
ld GNU ld (Gentoo 2.30 p5) 2.30.0
ccache version 3.6 [disabled]
app-shells/bash:          4.4_p23-r1::gentoo
dev-java/java-config:     2.2.0-r4::gentoo
dev-lang/perl:            5.26.2::gentoo
dev-lang/python:          2.7.15::gentoo, 3.6.5::gentoo, 3.7.0::gentoo
dev-util/ccache:          3.6::gentoo
dev-util/cmake:           3.9.6::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.41.2::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.69-r4::gentoo
sys-devel/automake:       1.11.6-r3::gentoo, 1.16.1-r1::gentoo
sys-devel/binutils:       2.30-r4::gentoo, 2.31.1-r6::gentoo
sys-devel/gcc:            8.3.0-r1::gentoo
sys-devel/gcc-config:     2.0::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.14-r1::gentoo (virtual/os-headers)
sys-libs/glibc:           2.29-r2::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-max-age: 24
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: no

fusion809
    location: /var/lib/layman/fusion809
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/apache2-php7.2/ext-active/ /etc/php/apache2-php7.3/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cgi-php7.2/ext-active/ /etc/php/cgi-php7.3/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/php/cli-php7.2/ext-active/ /etc/php/cli-php7.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--ask-enter-invalid --jobs=16  --load-average 16"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.usu.edu/mirrors/gentoo/ http://gentoo.cs.utah.edu/ http://mirrors.evowise.com/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de es fr en"
MAKEOPTS="-j8 -l8"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl alsa amd64 berkdb bzip2 cli corefonts crypt cxx dri fortran gdbm iconv icu ipv6 libtirpc multilib ncurses nls nptl openmp pam pcre pulseaudio readline seccomp ssl tcpd truetype unicode vim-syntax xattr zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx avx2 fma3 mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64 pc" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6 php7-2 php7-3" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python2_7 python3_6 python3_7" RUBY_TARGETS="ruby24" USERLAND="GNU" VIDEO_CARDS="intel nvidia" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
```
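The post above narrows the failure to c-client's TLS path, since the openssl CLI validates the same servers fine. A quick way to confirm that split from inside PHP is to validate the server certificate twice against the same CA directory: once through PHP's own OpenSSL stream wrapper, once through imap_open(). The script below is an added diagnostic written for this thread, not code from the original post or from the c-client or PHP projects. It assumes the CA directory /etc/ssl/certs, uses the two hosts from the post with the same bogus credentials, and treats a "Certificate failure" message from imap_errors() as the c-client failure described above (an authentication error means TLS itself succeeded).

```php
<?php
declare(strict_types=1);

// Validate the server's certificate with PHP's own OpenSSL stream layer.
// $starttls = true speaks plain IMAP first and upgrades with STARTTLS,
// mirroring c-client's behaviour on port 143. Assumed CA path: /etc/ssl/certs.
function check_with_php_openssl(string $host, int $port, bool $starttls, string $capath = '/etc/ssl/certs'): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'peer_name'         => $host,
        'capath'            => $capath,
        'capture_peer_cert' => true,
    ]]);
    $errno = 0;
    $errstr = '';
    $scheme = $starttls ? 'tcp' : 'ssl';
    $sock = @stream_socket_client("{$scheme}://{$host}:{$port}", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return ['ok' => false, 'error' => "connect/handshake failed: {$errno} {$errstr}"];
    }
    if ($starttls) {
        fgets($sock);                                  // "* OK ..." greeting
        fwrite($sock, "a1 STARTTLS\r\n");              // ask to upgrade
        $line = fgets($sock);
        if ($line === false || strncmp($line, 'a1 OK', 5) !== 0) {
            fclose($sock);
            return ['ok' => false, 'error' => 'STARTTLS refused: ' . trim((string) $line)];
        }
        // The ssl options of $ctx (CA path, hostname check) apply here too.
        if (@stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
            $e = error_get_last();
            fclose($sock);
            return ['ok' => false, 'error' => 'TLS handshake failed: ' . ($e['message'] ?? 'unknown')];
        }
    }
    // Handshake succeeded, so the chain and hostname passed OpenSSL's checks.
    $params = stream_context_get_params($ctx);
    $cert = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    fclose($sock);
    return ['ok' => true, 'subject' => $cert['name'], 'valid_to' => date('c', $cert['validTo_time_t'])];
}

// Same host through c-client. Bogus credentials are fine: a certificate
// failure is reported before authentication is even attempted, while an
// authentication error proves the TLS step worked. imap_errors() drains the
// queue that otherwise surfaces as "PHP Notice: Unknown: ... on line 0".
function check_with_c_client(string $mailbox): array
{
    $imap = @imap_open($mailbox, 'foo', 'bar', OP_HALFOPEN);
    $errors = imap_errors() ?: [];
    if ($imap !== false) {
        imap_close($imap);
    }
    $certFailure = false;
    foreach ($errors as $msg) {
        if (stripos($msg, 'Certificate failure') !== false) {
            $certFailure = true;
        }
    }
    return ['tls_ok' => !$certFailure, 'errors' => $errors];
}

// Hosts from the thread; port 993 is implicit TLS, 143 is STARTTLS.
foreach ([['outlook.office365.com', 993, false], ['imap.earthlink.net', 143, true]] as [$host, $port, $starttls]) {
    echo "== {$host}:{$port}\n";
    echo "PHP openssl : ", json_encode(check_with_php_openssl($host, $port, $starttls)), "\n";
    $flags = $starttls ? '/tls' : '/ssl';
    echo "c-client    : ", json_encode(check_with_c_client("{{$host}:{$port}{$flags}/service=imap}")), "\n";
    // Control case: validation disabled. This must only ever be used for
    // diagnosis; it removes the protection the rest of this script tests.
    echo "novalidate  : ", json_encode(check_with_c_client("{{$host}:{$port}{$flags}/novalidate-cert/service=imap}")), "\n";
}
```

If the first check reports ok while the c-client check shows "Certificate failure" and the novalidate control reports an authentication error instead, the CA bundle and OpenSSL are sound and the defect sits in libc-client (or in how it was patched against the installed OpenSSL), which is what the later replies in this thread confirm. If the first check also fails, the error string from PHP's stream layer names the actual verification problem (expired chain, wrong hostname, missing CA) rather than the bare "(null)" reason c-client prints.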

----------

## dwpaul

This seems to be an old post, but I just ran into the same issue after an upgrade to OpenSSL 1.1.

The patch posted to this bug (https://bugs.gentoo.org/683708) fixed it for me.

It seems that the original patch to c-client for OpenSSL 1.1 was broken ...

----------

## Krotos

*dwpaul wrote:*

> This seems to be an old post, but I just ran into the same issue after an upgrade to OpenSSL 1.1.
> 
> The patch posted to this bug (https://bugs.gentoo.org/683708) fixed it for me.
> 
> It seems that the original patch to c-client for OpenSSL 1.1 was broken ...


I'm having a similar problem after upgrading today to openssl-1.1.1d-r2.  When trying to connect to imap.gmail.com with Claws-Mail, I get an "SSL/TLS certificate changed and is invalid" error -- the new certificate's ownername is "invalid2.invalid" rather than "imap.gmail.com."  Hunting around on the internet, this seems to be related to openssl and c-client, but I'm pretty stuck beyond that.  I tried the patch above but the error is still happening.

----------

## Krotos

*Krotos wrote:*

> *dwpaul wrote:*
> > This seems to be an old post, but I just ran into the same issue after an upgrade to OpenSSL 1.1.
> >
> > The patch posted to this bug (https://bugs.gentoo.org/683708) fixed it for me.
> >
> > It seems that the original patch to c-client for OpenSSL 1.1 was broken ...
>
> ...

Turns out that this wasn't due to c-client at all, which wasn't even installed on my system originally.  I fixed the issue by setting '-ipv6' globally (including for claws-mail) and can now access gmail via imap.

(Not marking topic as Solved since I'm not the OP)

----------

## tld

Wow. Did this one have me going. I can confirm that I was getting the exact same errors as the original post using the PHP 7.3 imap_open() function, and applying the patch in the above bug to my current net-libs/c-client-2007f-r6 fixed it.

Tom

----------

## Banana

phew... I was lost but finally this patch in the mentioned bug solved it for me. I have also a fresh install and wondered why my code was not working anymore...

----------

