Courier-IMAP with TLS and Roundcube - Diffie Hellman & PHP-5.6 issue

After upgrading to php-5.6 and openssl-1.0.1p I realized that I couldn't connect to the IMAP server via Roundcube anymore. The solution wasn't easy to find, and searching the logs wasn't really helpful either. First I immediately restarted apache with php-5.5, and afterwards I downgraded openssl too. Neither of these worked.

Analysis

The only error message was in the Roundcube logfile (logs/errors):

[date]: <16bq96e7> IMAP Error: Login failed for XX from <IPv4>. Unable to negotiate TLS in /var/www/roundcube/program/lib/Roundcube/rcube_imap.php on line 198 (POST /?_task=mail&_action=refresh?_task=&_action=)

Following this thread and trying variations of the $config['imap_conn_options'] parameters didn't solve the problem either. It seems that the SSL changes in php-5.6 are not the root cause: SMTP over TLS was still working well, but IMAP over TLS was not. I will come back to this Roundcube issue later on.

As the error was “Unable to negotiate TLS …”, I ran:

$ openssl s_client -starttls imap -connect imap.example.com:143
CONNECTED(00000003)
depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = imap.example.com, emailAddress = postmaster@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = NY, L = New York, O = Courier Mail Server, OU = Automatically-generated IMAP SSL key, CN = imap.example.com, emailAddress = postmaster@example.com
verify return:1
140049233454736:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3366:
---
Certificate chain
... <snip>

And what do you know, it couldn't connect! See the error on line 8 of the output. I really hate these kinds of openssl error messages, because I was never able to find an exact solution for such errors in the past. I figured out that the DH parameters are inside the imapd.pem file:

$ openssl dhparam -text -in /etc/courier/imapd.pem -noout
    PKCS#3 DH Parameters: (512 bit)
        prime:
            00:eb:cf:23:c6:09:1b:dd:d8:c6:ed:c5:c9:49:ff:
            ...
        generator: 2 (0x2)

Ok, 512 bit seems to be too small. That reminded me of the discussion about 1024-bit DH parameters during the last few weeks.
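As an added check (not part of the post, Courier or Roundcube), the following Python script reads the prime size straight out of a PEM "DH PARAMETERS" block with the standard library only, so a 512-bit imapd.pem can be caught before s_client reports "dh key too small". The make_dhparams_pem helper exists only to build constructed test input; it does not generate real parameters.

```python
import base64
import re

MIN_DH_BITS = 2048  # the size the post moved to after the 512-bit default was rejected

def _decode_len(data, pos):
    """Decode a DER length at pos; return (length, position after it)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _decode_int(data, pos):
    """Decode a DER INTEGER at pos; return (value, position after it)."""
    if data[pos] != 0x02:
        raise ValueError("expected INTEGER at offset %d" % pos)
    length, pos = _decode_len(data, pos + 1)
    return int.from_bytes(data[pos:pos + length], "big", signed=True), pos + length

def dh_prime_bits(pem_text):
    """Bit length of the prime p in a PKCS#3 'DH PARAMETERS' PEM block."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:                 # DHParameter ::= SEQUENCE { prime, base, ... }
        raise ValueError("expected SEQUENCE")
    _, pos = _decode_len(der, 1)
    p, pos = _decode_int(der, pos)     # prime
    _decode_int(der, pos)              # generator: parsed only to validate the structure
    return p.bit_length()

def dh_params_ok(pem_text, minimum=MIN_DH_BITS):
    return dh_prime_bits(pem_text) >= minimum

def make_dhparams_pem(p, g=2):
    """Encode p and g as a DH PARAMETERS PEM. Constructed test input only:
    p is not checked for primality, so never deploy the output."""
    def enc_len(n):  # short form below 128, long form otherwise
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    def enc_int(v):  # one extra byte so a set high bit does not read as negative
        raw = v.to_bytes((v.bit_length() + 8) // 8, "big")
        return b"\x02" + enc_len(len(raw)) + raw
    body = enc_int(p) + enc_int(g)
    b64 = base64.b64encode(b"\x30" + enc_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % "\n".join(lines)
```

Run dh_prime_bits() on the contents of /etc/courier/imapd.pem (or the new dhparams file) to get the same bit count that openssl dhparam -text reports.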

Solution

This is a roadmap of what I did with my system. Change it to your needs!
We need a stronger DH prime. This blogpost pointed me in the right direction. Create a dhparams file if it does not exist yet:

DH_BITS=2048 mkdhparams

Usually (in my case) it was created in /usr/share/. Copy/move it into your courier config directory or create a symlink. Alternatively you can replace the DH parameters in imapd.pem with the new value. Then the next step is not necessary, but be aware that it will be overwritten by mkimapdcert.

I couldn't find any official documentation about it, but the parameter TLS_DHCERTFILE was replaced by TLS_DHPARAMS. The config file shipped with Courier IMAP 4.15 still contains only the old one. Edit the config file imapd-ssl: disable the TLS_DHCERTFILE parameter and add

TLS_DHPARAMS="/etc/courier/dhparams.pem"

Restart the Courier IMAP server. And voila, the connection with openssl s_client … was successful. First issue solved, nevertheless

Roundcube

still doesn't work. So back to the Roundcube config file config/config.inc.php. After some trial and error, at least this was working for me:

$config['default_host'] = 'tls://imap.example.com';
$config['default_port'] = 143;
$config['smtp_server'] = 'tls://smtp.example.com';
...
$config['imap_conn_options'] = array(
    'ssl' => array(
      'verify_peer_name'  => true,
      'verify_peer'       => true,
      'allow_self_signed' => true,
      'peer_name'         => 'imap.example.com',
//    'ciphers'           => 'TLSv1+HIGH:!aNull:@STRENGTH',
//    'capath'            => '/etc/ssl/certs',
//    'local_cert'        => '/etc/courier/imapd.pem',
//    'verify_depth'      => '3',
    ),
);

The commented parameters above are still there as a reference. Please note that the webserver may require a restart before the changes take effect. Otherwise, as far as I read, no changes are necessary for smtp.