When roundcube connects to an imap or smtp server it's being a client therefore I think it would be logical that the client needs to validate the chain. When you are connecting to roundcube webinterface you are connecting to the server serving it, in that setting the browser is the client and the apache/nginx being the server. It's all a matter of who is the client and who is the server perspective as in who needs to validate and who needs to show they have a valid chain.
On 03/03/2018 12:44 PM, Reindl Harald wrote: > > > Am 03.03.2018 um 12:29 schrieb Reindl Harald: >> Am 03.03.2018 um 10:08 schrieb Maarten: >>> If I understand ssl correctly I don't see the point to putting >>> fullchain.pem letsencrypt there, because of the following. Your browser >>> has the Root certificates installed, a php application does not. So >>> when >>> >>> you go to a webpage using letsencrypt certificates . You will see >>> something like this: >>> >>> DST Root CA X2 --> Root Certificate in browser >>> >>> Let's encrypt Authority X3 --> >>> >>> webmail.yourdomain.com --> your certificate >>> >>> >>> So the web browser uses the Root Certificate to verify the chain of >>> certificates to be valid. As far as I know a php application has no way >>> knowing if the service it's connecting to is using a valid ssl chain, I >>> don't know enough about php to be sure about this but sounds >>> correct. If >>> I am wrong about this someone may correct me about this and explain it >>> to me how this works in php. >> >> exactly the same way as on the browser side >> no idea why you think PHP is special here >> >> "As far as I know a php application has no way knowing if the service >> it's connecting to is using a valid ssl chain" is pure bullshit - get >> a proper maintained operating system and you have all working >> out-of-the-box >> >> http://php.net/manual/en/migration56.openssl.php >> >> All encrypted client streams now enable peer verification by default. >> By default, this will use OpenSSL's default CA bundle to verify the >> peer certificate. In most cases, no changes will need to be made to >> communicate with servers with valid SSL certificates, as distributors >> generally configure OpenSSL to use known good CA bundles > it's using even the same ca-bundle than everything else on the system, > the ca-bundle from mozilla - frankly do you think the php-devleopers > are idiots and enable verification by default when it won't work on > any reasonable server? > > [harry@srv-rhsoft:~]$ rpm -q --filesbypkg > openssl-libs-1.1.0g-1.fc27.x86_64 > openssl-libs /etc/pki/tls > openssl-libs /etc/pki/tls/certs > openssl-libs /etc/pki/tls/misc > openssl-libs /etc/pki/tls/openssl.cnf > openssl-libs /etc/pki/tls/private > .... > > [harry@srv-rhsoft:~]$ ls /etc/pki/tls/certs > total 4.0K > -rw-r--r-- 1 root root 2.5K 2017-11-06 09:24 Makefile > lrwxrwxrwx 1 root root 49 2018-02-06 14:48 ca-bundle.crt -> > /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem > lrwxrwxrwx 1 root root 55 2018-02-06 14:48 ca-bundle.trust.crt -> > /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt > > [harry@srv-rhsoft:~]$ rpm -q --file > /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem > ca-certificates-2018.2.22-1.0.fc27.noarch > > [harry@srv-rhsoft:~]$ rpm -q --info > ca-certificates-2018.2.22-1.0.fc27.noarch > Name : ca-certificates > Version : 2018.2.22 > Release : 1.0.fc27 > Architecture: noarch > Install Date: Thu Feb 8 09:43:10 2018 > Group : System Environment/Base > Size : 974873 > License : Public Domain > Signature : RSA/SHA256, Tue Feb 6 14:57:19 2018, Key ID > f55e7430f5282ee4 > Source RPM : ca-certificates-2018.2.22-1.0.fc27.src.rpm > Build Date : Tue Feb 6 14:48:33 2018 > Build Host : buildvm-ppc64le-04.ppc.fedoraproject.org > Relocations : (not relocatable) > Packager : Fedora Project > Vendor : Fedora Project > URL : https://fedoraproject.org/wiki/CA-Certificates > Summary : The Mozilla CA root certificate bundle > Description : > This package contains the set of CA certificates chos _______________________________________________ Roundcube Users mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/users
