Asked  7 Months ago    Answers:  5   Viewed   281 times

I am using PHPMailer on PHP 5.6, the increased security around certificated in PHP 5.6 is certainly fun.

I am trying to send a test message to a domain hosted on dreamhost, the error that comes back from PHPMailer is: Could not connect to SMTP host.

That error is not right though, I have logging enabled and here is what is actually going on.

Connection: opening to mx1.sub4.homie.mail.dreamhost.com:25, timeout=30, options=array ( ) Connection: opened S: 220 homiemail-mx32.g.dreamhost.com ESMTP

C: EHLO s81a.ikbb.com

S: 250-homiemail-mx32.g.dreamhost.com 250-PIPELINING 250-SIZE 40960000 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250 8BITMIME

C: STARTTLS

S: 220 2.0.0 Ready to start TLS

C: QUIT

S: SMTP ERROR: QUIT command failed: Connection: closed

I could not understand why PHPMailer just gives up, issuing a QUIT command when it should start sending the message. I got another clue from another log:

PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=*.mail.dreamhost.com' did not match expected CN=mx1.sub4.homie.mail.dreamhost.com' in /home/ikbb/domains/dev.ikbb.com/public_html/includes/phpmailer/5.2.10/class.smtp.php

If I use some custom options to prevent validation of the cert they are using I can get it to continue. Here is what I have:

        $mail->SMTPOptions = array (
        'ssl' => array(
            'verify_peer'  => false,
            'verify_peer_name'  => false,
            'allow_self_signed' => true));

If I put the SMTPOptions in there and skip the peer verification, message goes OK - with no warning in PHP at all.

How can I trap that error, so I know there is an issue but still send the message?

 Answers

46

I had the same problem and I found the answer in the PHPMailer documentation.

PHP 5.6 certificate verification failure

In a change from earlier versions, PHP 5.6 verifies certificates on SSL connections. If the SSL config of the server you are connecting to is not correct, you will get an error like this:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The correct fix for this is to replace the invalid, misconfigured or self-signed certificate with a good one. Failing that, you can allow insecure connections via the SMTPOptions property introduced in PHPMailer 5.2.10 (it's possible to do this by subclassing the SMTP class in earlier versions), though this is not recommended:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

You can also change these settings globally in your php.ini, but that's a really bad idea; PHP 5.6 made this change for very good reasons.

Sometimes this behaviour is not quite so apparent; sometimes encryption failures may appear as the client issuing a QUIT immediately after trying to do a STARTTLS. If you see that happen, you should check the state of your certificates or verification settings.

Wednesday, March 31, 2021
 
alioygur
answered 7 Months ago
96

in you php.ini make sure you have uncommented the line with

extension=php_openssl.dll
Wednesday, March 31, 2021
 
avon_verma
answered 7 Months ago
52

The OAuth extension uses curl to make the request. By default CURL will generally verify the SSL certificate to see if its valid an issued by an accepted CA. To do this, curl uses a bundled set of CA certificates.

You can either disable the SSL checks ($oauth->disableSSLChecks()). Or ensure that you have a current version of curl. More information on curl certification verification.

Wednesday, March 31, 2021
 
kinske
answered 7 Months ago
96

You can compile the openssl extension.

first step : download the php source in the version you are using .

then run command:

tar zxvf php-yourphpversion.tar.gz
cd php-yourphpversion/ext/openssl/

#notice if you have error  "cannot find config.m4" when run phpize , you   
#should   rename the file "config0.m4" to "config.m4" by command
#"mv config0.m4 config.m4"


/usr/local/php/bin/phpize     #here is your php location have install 
                              #in my computer ,the php is location in 
                              # /usr/local/php/ so the phpize is in
                              # /usr/local/php/bin/phpize


                                             #(your php location)/bin/php-config                                        
./configure --with-openssl --with-php-config=/usr/local/php/bin/php-config
make
sudo make install

then the openssl will install and return a path in my computer it return /usr/local/php/lib/php/extensions/debug-zts-20160303/

finally modify php.ini and restart php-fpm :

extension_dir = "the path return after install"   #you should add the return path here
extension=openssl.so
Saturday, May 29, 2021
 
JustSteveKing
answered 5 Months ago
21

Have you tried to call openssl_verify() with a (maybe self-signed) certificate containing your public key instead of a pure public key ?

As far as I know, some PHP OpenSSL functions do not properly support naked public keys although it seems strange that it does verify correctly in spite of the error.

<?php
$private = openssl_pkey_get_private(file_get_contents('private'), 'passphrase');

// This causes the "no start line" error when using a naked public key:
$public  = openssl_pkey_get_public(file_get_contents('public')); // <-- this should be cert

echo openssl_error_string()."n";

openssl_sign('Test', $sig, $private);
var_dump(openssl_verify('Test', $sig, $public));

echo openssl_error_string()."n";
?>

Example for converting a public key to a simple certificate in a Linux/UNIX shell such as bash (refer to the OpenSSL documentation or some tutorials for more):

# Create certificate request
openssl req -new -days 3600 -key [PRIVATE-KEY-FILE] -out [REQUEST-TMP-FILE]

# Create certificate from request
RANDFILE=[RANDOM-TMP-FILE] openssl x509 -req -in [REQUEST-TMP-FILE] -signkey [PRIVATE-KEY-FILE] -out [CERTIFICATE-OUT-FILE]

This will also create temporary files you might want to delete afterwards, namely [REQUEST-TMP-FILE] and [RANDOM-TMP-FILE].

PHP sample code can be found at http://de.php.net/manual/en/function.openssl-csr-new.php.

Tuesday, August 3, 2021
 
123r789
answered 3 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :