On 11.08.2017 09:40, Michael Grimm wrote:
> I had had to install FreeBSD's ca_root_nss port [1] as well. Do you have those root certificates in place at your host running roundcube?
The Gentoo equivalent package is app-misc/ca-certificates, and yes, it is installed. Additionally, I manually placed certs for my own CA and for Let's Encrypt CAs into /usr/local/share/ca-certificates, which is Gentoo's recommended method of providing additional CA information. My php.ini contains
openssl.cafile=/etc/ssl/certs/ca-certificates.crt
which is generated by Gentoo and contains all certs in one big file (See "man update-ca-certificates").
What I have done today is to rebuild OpenSSL, PHP and even Apache, in that order. It seemed a long shot, but I had run out of ideas. Lo and behold, rebuilding has done the trick! A simple
$config['default_host'] = 'ssl://imap.some.domain';
without any additional options is now sufficient, and peer verification obviously works, as I also verified using
openssl s_client -showcerts -connect imap.some.domain:993
I'm obviously glad, but still, colour me surprised. :-P
-Ralph
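As an added example that is not part of the thread above: the failure Ralph describes (peer verification failing until OpenSSL/PHP were rebuilt) can be reproduced and checked from PHP directly, without going through Roundcube. The script below opens an ssl:// stream to the IMAP port with peer verification enabled, using the same CA bundle that php.ini names in openssl.cafile, and reports either the verification error or the certificate it verified against. The host name is the placeholder from the thread; the fallback bundle path and the timeout are assumptions.

```php
<?php
// Added example, not code from the original thread or from Roundcube.
// Checks that PHP's own OpenSSL binding can verify the IMAP server's
// certificate chain against the CA bundle configured in php.ini.

$host   = 'imap.some.domain';   // placeholder name used in the thread
$port   = 993;
// Use openssl.cafile from php.ini; the fallback path is an assumption (Gentoo default).
$cafile = ini_get('openssl.cafile') ?: '/etc/ssl/certs/ca-certificates.crt';

if (!is_readable($cafile)) {
    fwrite(STDERR, "CA bundle not readable: $cafile\n");
    exit(1);
}

// Same verification settings Roundcube ends up with when no imap_conn_options
// are given: verify the chain, verify the host name, no self-signed certs.
$ctx = stream_context_create([
    'ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
        'peer_name'         => $host,
        'capture_peer_cert' => true,   // so we can print what was verified
    ],
]);

$errno  = 0;
$errstr = '';
$fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10,
                            STREAM_CLIENT_CONNECT, $ctx);

if ($fp === false) {
    // A stale or missing CA bundle typically shows up here as
    // "unable to get local issuer certificate" / "certificate verify failed".
    fwrite(STDERR, "TLS connect to $host:$port failed ($errno): $errstr\n");
    while (($e = openssl_error_string()) !== false) {
        fwrite(STDERR, "  openssl: $e\n");
    }
    exit(1);
}

// Report which certificate the verification actually accepted.
$params = stream_context_get_params($fp);
$cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
printf("Verified peer: subject=%s, issuer CN=%s, valid until %s\n",
       $cert['name'],
       $cert['issuer']['CN'] ?? '?',
       date('c', $cert['validTo_time_t']));

// Read the IMAP greeting ("* OK ...") and log out cleanly.
echo 'Greeting: ', fgets($fp);
fwrite($fp, "a1 LOGOUT\r\n");
fclose($fp);
```

Run it with `php check-imap-tls.php` on the host running Roundcube, since the point is to test that host's PHP and CA bundle rather than a shell on some other machine. Note that `openssl s_client` without `-CAfile` uses the OpenSSL library's default CA directory, which need not be the file php.ini points at; pass `-CAfile /etc/ssl/certs/ca-certificates.crt` to exercise the same bundle, and look for `Verify return code: 0 (ok)` rather than just a successful handshake, because s_client completes the handshake even when verification fails.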