Hi all ! I have setup a mail server with ISPConfig 3.0.5 installed on a Debian Wheezy + Apache2 (from official Debian repositories). Mail is working OK. ISPConfig is working OK to administer the various mail functions (domains, mailboxes, postmaters, etc.). In the following, it will be referred as "ISPConfig server" I have a second server on the same network, running Debian Squeeze + Apache2 + RoundCube 0.9.2 (GPL). This webserver is running OK. Roundcube is running OK (IMAP login and mail management + SMTP + Sieve). This server will be referred to as "RoundCube server". I installed ISPConfig roundCube plugins by following this guide : https://github.com/w2c/ispconfig3_roundcube/wiki/Installation-Instructions-%28manual%29 and enabled the following ones in RoundCube config/main.inc.php : Code: $rcmail_config['plugins'] = array('jqueryui', 'managesieve', 'archive', 'contextmenu', 'copymessage', 'emoticons', 'help', 'markasjunk2', 'newmail_notifier', 'vcard_attachments', 'zipdownload', "ispconfig3_account", "ispconfig3_autoreply", "ispconfig3_pass", "ispconfig3_spam", "ispconfig3_fetchmail", "ispconfig3_filter", "ispconfig3_forward", "ispconfig3_wblist"); I configured the plugins/ispconfig3_account/config/config.inc.php as follow : Code: <?php $rcmail_config['identity_limit'] = false; $rcmail_config['remote_soap_user'] = 'ispc-remote-user'; $rcmail_config['remote_soap_pass'] = 'this_user_password'; $rcmail_config['soap_url'] = 'https://ip.of.ispconfig.server:ispc-admin-port/remote/'; ?> The ISPConfig server is accessed via its IPv4 address (no DNS involved). The ISPConfig server's port is the one ISPConfig asks to enter for managing the server. This IPort can be accessed via HTTPS only. The SSL certificate is one I generated myself (self-signed). I opened the firewall of the two servers to enable the RoundCube server to communicate with the ISPConfig server : the rules are pure IPTables, and are the same as IMAP, SIEVE and SMTP, which all work great (I just modify the port for each of the rules). When on the RoundCube server, I execute Code: wget --no-check-certificate https://ip.of.ispconfig.server:ispc-admin-port/remote/index.php I get a log in apache2 access_log on ISP that says wget has accessed an Apache2's web page : Code: ip.of.rc.serv - - [06/Aug/2013:16:48:38 -0400] "GET /remote/index.php HTTP/1.0" 200 0 "-" "Wget/1.12 (linux-gnu)" The resulting index.php file is empty (0 byte). So the 2 servers are communicating, even if the resulting file is empty. I open a RoundCube session, click on "Settings", then on "Account" : it's displaying an error : Soap Error: Could not connect to host I then used TCPdump to watch what was happening between the 2 servers when trying to display the "Account" tab in Roundcube : Code: 16:59:21.121496 IP ip.of.rc.srv.47628 > ip.of.ispc.srv.ispcadm: Flags [S], seq 3442378815, win 5840, options [mss 1460,sackOK,TS val 995042221 ecr 0,nop,wscale 7], length 0 16:59:21.121548 IP ip.of.ispc.srv.ispcadm > ip.of.rc.srv.47628: Flags [S.], seq 3478404641, ack 3442378816, win 14480, options [mss 1460,sackOK,TS val 668296983 ecr 995042221,nop,wscale 5], length 0 16:59:21.122261 IP ip.of.rc.srv.47628 > ip.of.ispc.srv.ispcadm: Flags [.], ack 1, win 46, options [nop,nop,TS val 995042221 ecr 668296983], length 0 16:59:21.122270 IP ip.of.rc.srv.47628 > ip.of.ispc.srv.ispcadm: Flags [P.], seq 1:115, ack 1, win 46, options [nop,nop,TS val 995042221 ecr 668296983], length 114 16:59:21.122286 IP ip.of.ispc.srv.ispcadm > ip.of.rc.srv.47628: Flags [.], ack 115, win 453, options [nop,nop,TS val 668296983 ecr 995042221], length 0 16:59:21.133266 IP ip.of.ispc.srv.ispcadm > ip.of.rc.srv.47628: Flags [.], seq 1:1449, ack 115, win 453, options [nop,nop,TS val 668296985 ecr 995042221], length 1448 16:59:21.133337 IP ip.of.ispc.srv.ispcadm > ip.of.rc.srv.47628: Flags [P.], seq 1449:2479, ack 115, win 453, options [nop,nop,TS val 668296985 ecr 995042221], length 1030 16:59:21.133950 IP ip.of.rc.srv.47628 > ip.of.ispc.srv.ispcadm: Flags [.], ack 1449, win 69, options [nop,nop,TS val 995042224 ecr 668296985], length 0 16:59:21.133961 IP ip.of.rc.srv.47628 > ip.of.ispc.srv.ispcadm: Flags [.], ack 2479, win 91, options [nop,nop,TS val 995042224 ecr 668296985], length 0 16:59:21.134037 IP ip.of.rc.srv.47628 > ip.of.ispc.srv.ispcadm: Flags [R.], seq 115, ack 2479, win 91, options [nop,nop,TS val 995042224 ecr 668296985], length 0 On the last line, you can see that the TCP connection gets Reset (R flag) by the RoundCube server (or RoundCube ISPConfig plugin), then nothing happens anymore. I tried other ports (80 = HTTP, 443 = HTTPS) but none of them worked : I had 404 error codes with wget, but nothing with RoundCube ISPConfig plugin (SOAP error). I installed php-soap package on the RoundCube server (Debian Squeeze), but it gives the same error. I did search the Internet for some answers but couldn't find one, nor on the existing posts of this forum. I was wondering if the "SOAP" used by ISPConfig RoundCube plugins is checking the certificate validity, but I couldn't find anything about certificate verification concerning SOAP. Or anything to put in php.ini concerning curl, SSL or SOAP ? Any mean to enable some debug or any logs from those plugins and/or SOAP ? (they don't generate ANY log, even if I put some nonsens parameters in new SoapClient() line of account plugin, and I enabled RoundCube trace + log + show debug level either in file or via syslog). Or maybe PHP version ? (using Debian Squeeze php 5.3.3) Does anyone have a clue/solution ? Regards, Daggett
Tried to make a simple SOAP client : same result I tried to make a simple SOAP client : PHP: $username = 'xxxx'; $password = 'xxxx'; $soap_uri = 'https://ip.of.ispc.srv:ispcadminport/remote/'; $soap_location = $soap_uri . 'index.php'; $client = new SoapClient(null, array('location' => $soap_location, 'uri' => $soap_uri)); try { // Login to the remote server if($session_id = $client->login($username,$password)) echo 'Logged into remote server sucessfully. The SessionID is '.$session_id.''; // Logout if($client->logout($session_id)) { echo "Logged out of remote server sucessfully."; } } catch (SoapFault $e) { die('SOAP Error: '.$e->getMessage()); } TCPDump gives exacly the same sequence as pasted in my previous post. The SOAP error is exactly the same : SOAP Error: Could not connect to host. So maybe it's the SSL. I wrote a little script to test it : PHP: $fp = fsockopen("ssl://ip.of.ispc.srv", ispc_port, $errno, $errstr, 30); if (!$fp) { echo "$errstr ($errno)<br />\n"; } else { $out = "GET /remote/index.php HTTP/1.1\r\n"; $out .= "Host: hostname.of.ispc.srv\r\n"; $out .= "Connection: Close\r\n\r\n"; fwrite($fp, $out); while (!feof($fp)) { echo fgets($fp, 128); } fclose($fp); } And here is the result in apache's error_log : PHP Warning: fsockopen(): SSL operation failed with code 1. OpenSSL Error messages: error:14077458:SSL routines:func(119):reason(1112) in test.php on line 2 PHP Warning: fsockopen(): Failed to enable crypto in test.php on line 2 PHP Warning: fsockopen(): unable to connect to ssl://ip.of.ispc.src:ispcport (Unknown error) in test.php on line 2 And TCPDump gives EXACTLY the same sequence as for the SOAP test and for ISPConfig plugins. I modified the first line as follow : (adding "v3" to ssl://) PHP: $fp = fsockopen("sslv3://ip.of.ispc.srv", ispc_port, $errno, $errstr, 30); Now my test script works perfectly (connect OK, log OK in Apache on ISPConfig server). Then I tried to establish a connection using openssl s_client -sslX -connect ip.of.ispc.srvort : - when specifying -ssl2 (instead of -sslX) the connection failed - when specifying -ssl3 (instead of -sslX) the connection succeeds, So this must be an SSL version error. Searching for that kind of issue, I found this : https://github.com/php/php-src/pull/335 It states : Added SoapClient constructor option 'ssl_method' to specify ssl method. April 29, 2013 => Committed into PHP-5.5 and master. This commit is pretty new, and : - Debian Squeeze is using PHP 5.3.3, - Debian Wheezy is using PHP 5.4.4, - Ubuntu 12.04 has PHP 5.3.10, above have 5.4 Am I alone in my case ? Has anyone found a workaround ? (disabling SSL is NOT an option). I've read about some wrappers using cUrl but they are not directly usable for the ISPConfig plugins : http://www.php.net/manual/fr/soapclient.soapclient.php#97029 regards, Daggett
This works for me: I changed PHP: $client = new SoapClient($wsdl, $options); to PHP: $context = array( 'ssl' => array('ciphers'=>'RC4-SHA'));$options['stream_context'] = stream_context_create($context); $client = new SoapClient($wsdl, $options); So I only added a stream context to the SoapClient options. In this specific case: PHP: $context = array( 'ssl' => array('ciphers'=>'RC4-SHA'));$client = new SoapClient(null, array('location' => $soap_location, 'uri' => $soap_uri, 'stream_context' => stream_context_create($context)));
should also work with. $context = array( 'ssl' => array('verify_peer' => false, 'allow_self_signed' => true) ); $client = new SoapClient(null, array('location' => $soap_location, 'uri' => $soap_uri, 'stream_context' => stream_context_create($context))); i probably should add it to the plugins.
Thanks Croydon, I tried the code you list, but it still fails to connect (exactly the same RST flag in TCP connection). I also tried other ciphers, but none worked, plus the PHP manual says one can put SSLv3 as a cipher : this cipher includes all SSLv3 ciphers and it didn't work. So maybe there is some other parameters to put in there like to tell the client to not verify the certificate and its Common Name : I added those. PHP: $context = array( 'ssl' => array('ciphers'=>'SSLv3', 'verify_peer' => FALSE, 'allow_self_signed' => TRUE, 'CN_match' => 'ispconfig.common.name' ) ); If I understand correctly the way that SOAP client works with SSL until PHP 5.5 is : SSLv23, it means it tries to establish/negotiate a connection using SSLv2 (insecure), then once it is established/negotiated, it switches to the secure SSLv3. So maybe the ISPConfig server refuses any insecure SSLv2 connection. Regards, Daggett
That's a new thing in debian wheezy I think. In squeeze a sslv2 connection still worked, in wheezy it doesn't.
Thanks Horfic, I tried it, but didn't make things work. @Croydon : Do you think upgrading Squeeze -> Wheezy could resolve this ? (Though Wheezy's PHP version is 5.4, and the SOAP SSL param is for 5.5). Regards, Daggett
did somebody already got a solution which works for everybody? does somebody wants to make an issue at github repo or shall i do it?
Nope, no solution, I dropped SSL (HTTP instead of HTTPS) but I forward all inside a tunnel. So if you can make an issue at Github repo, please feel free to do it. regards, Daggett
Sorry about the thread necro. I was having similar issues and managed to get it to work on https using TLS 1.2 only (-SSLv2 -SSLv3) with Roundcube plugins. The php SoapClient stream context has to contain the relevant cipher (@Croydon's post above didn't cover my particular instance)). I can't post links below unfortunately... This is much easier to achieve now with PHP 5.6+, which comes bundled with updated OpenSSL crypto_methods. see: docs.php.net/manual/en/migration56.openssl.php#migration56.openssl.crypto-method Earlier versions of php will need to hardcode the cipher string. This string can be obtained via a shell command as detailed below: see: phil.lavin.me.uk/2014/04/how-to-force-tls-v1-0-in-php/ see: stackoverflow.com/questions/16547163/how-to-force-a-certain-tls-version-in-a-php-stream-context-for-the-ssl-transp Hopefully this helps somebody out there...
