XF 1.5 Fixing stream_socket_enable_crypto() errors while sending mail

Discussion in 'Troubleshooting and Problems' started by W1zzard, Jan 11, 2016.

  1. W1zzard

    W1zzard Well-Known Member

    When using a self-signed SSL certificate on your e-mail server, you'll see the following error in your logs if you use PHP >5.6:

    Code:
    ErrorException: Email to foo@bar.com failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:207
    
    and
    
    ErrorException: Email to foor@bar.com failed (after retry): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:207
    
    The underlying issue is that PHP verifies certificates on SSL connections starting with version 5.6.

    My fix:
    edit /library/Zend/Mail/Protocol/Smtp.php, find the line with stream_socket_enable_crypto( and add a line before it:

    Code:
    stream_context_set_option($this->_socket, 'ssl', 'verify_peer', false);
    
     
  2. Tracy Perry

    Tracy Perry Well-Known Member

    I think to be "fully" correct, you should use both verify_peer and verify_peer_name set to false to get the old behavior, or that was what I read many moons ago when I was researching it (and what my notes show). I just ended up getting a valid SSL for it myself.
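    To make the two settings discussed in the posts above concrete, here is an added example (not XenForo or Zend code): the "verification off" context from the fix beside a context that keeps verification on but trusts only the mail server's own self-signed certificate. $caFile, $peerName and the STARTTLS helper are illustrative assumptions, not part of the original posts.

```php
<?php
// Added example, not XenForo/Zend code. Assumes the mail server's self-signed
// certificate has been exported in PEM form to $caFile (hypothetical path) and
// that the certificate carries the hostname $peerName.

// Weak setting from the thread: turns off certificate and hostname checks, so
// any certificate (including one presented by an interceptor) is accepted.
function insecureSslOptions(): array
{
    return ['ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ]];
}

// Hardened alternative for a self-signed cert: keep verification on and make
// the server's own certificate the only trust anchor via 'cafile'.
function pinnedSslOptions(string $caFile, string $peerName): array
{
    return ['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'cafile'           => $caFile,   // PEM file holding the self-signed cert
        'peer_name'        => $peerName, // name that must match the cert
    ]];
}

// Opens a plaintext SMTP session and upgrades it with STARTTLS, the same
// sequence Zend_Mail_Protocol_Smtp runs before stream_socket_enable_crypto().
function smtpStartTls(string $host, int $port, array $sslOptions): bool
{
    $ctx  = stream_context_create($sslOptions);
    $sock = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                                 STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    fgets($sock);                                   // 220 greeting banner
    fwrite($sock, "EHLO client.example\r\n");
    while (($line = fgets($sock)) !== false && $line[3] === '-') {} // multi-line 250
    fwrite($sock, "STARTTLS\r\n");
    if (strncmp((string) fgets($sock), '220', 3) !== 0) {
        throw new RuntimeException('server refused STARTTLS');
    }
    // With pinnedSslOptions() this fails with "certificate verify failed" unless
    // the cert is the one in cafile and names peer_name; with insecureSslOptions()
    // it succeeds against any certificate whatsoever.
    $ok = stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    fclose($sock);
    return $ok === true;
}
```

    Passing pinnedSslOptions() into the stream context keeps PHP 5.6's verification intact and makes the error in the first post disappear without accepting arbitrary certificates.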
     
  3. W1zzard

    W1zzard Well-Known Member

    You seem to be right: https://github.com/guzzle/guzzle/issues/1256

    Probably didn't notice that because my self-signed certs have the right name.

    I was too cheap to get a valid SSL :)
     
  4. Jeremy P

    Jeremy P Well-Known Member

    There are free valid SSL providers available like StartSSL or Let's Encrypt. The latter requires a bit of setup and you'd want to automate renewal, but there are programs available. Or you can go with the former.
     
  5. W1zzard

    W1zzard Well-Known Member

    We are talking about e-mail servers here :) Possible in theory, if you write code around their renewal process.

    Unfortunately SNI certs aren't free anywhere I know. Another problem could be that CAs won't issue for internal hostnames.
     
  6. Jeremy P

    Jeremy P Well-Known Member

    I know ;) While Let's Encrypt is aimed primarily at HTTP, there's no real difference in the certificates as far as I know. I do know people are successfully using it for SMTP.

    https://community.letsencrypt.org/t/use-on-non-web-servers/425/4

    I don't know if DNS validation has been added to the official client yet, but I do know it's in the works. After validation, all it does is output the certificate somewhere on the filesystem where the mail server could be configured to use it. A webserver and SMTP server could even use the same certificate.

    Maybe I'm mistaken, but doesn't SNI rely purely on the server and client both supporting it? I don't think there's anything special about the certificates themselves. Let's Encrypt does allow for having multiple domain names in one certificate as well.

    https://community.letsencrypt.org/t/do-i-need-a-dedicated-ip-for-the-certificate/1113/

    Of course, if your server doesn't have a FQDN then you won't be able to get a certificate for it, though I don't see why you wouldn't have a FQDN configured.
     
  7. Tracy Perry

    Tracy Perry Well-Known Member

    Which is what my MX server does. I just used the same one that I had set up for HTTP on Postfix.
     
  8. step-83

    step-83 Member

    Installed PHP 5.6.
    How do I disable
    Code:
    verify_peer
    verify_peer_name
    There is nothing about this function in php.ini.
     
  9. Mike

    Mike XenForo Developer Staff Member

    I don't think you can disable it in php.ini. It would need to be disabled in the PHP code itself, though this isn't something we expose/support, so it would require manual code modifications (I'm not aware of what those would necessarily be).
     
  10. Tracy Perry

    Tracy Perry Well-Known Member

    http://au2.php.net/manual/en/migration56.openssl.php
    Very bottom of the page: you will have to disable it via the PHP code itself.
    Or simply get a free cert via letsencrypt and use it, and use a CRON job to renew it automatically (that's what I'm doing).
     
  11. step-83

    step-83 Member

    I use a free certificate from cloudflare.com.
    What should I do?
     
  12. Mike

    Mike XenForo Developer Staff Member

    This particular issue relates to SMTP so your certificate from CloudFlare wouldn't apply.
     
  13. step-83

    step-83 Member

    Moved to PHP version 5.5.33; the errors are gone.
     
  14. Tracy Perry

    Tracy Perry Well-Known Member

    Running an old version (which loses security support 07/2016 and has already lost active support) is not the answer. The answer was given earlier - simply get a free SSL cert and use it. It's not that hard to do and if you are competent enough to set up your own server and MTA then you should easily be able to integrate it.
     
  15. otto

    otto Well-Known Member

    The same problem here, also after switching from PHP 5.3.x to 5.6.x. I now use the Let's Encrypt SSL certificate, but that does not solve the errors.

    Error Log Entrys: https://xenforo.com/community/threads/error-log-entrys-ssl-email.114582/

    Is there any solution for this? I use the php version installed over Plesk 12.5 on a Ubuntu 14.04 LTS Server - what can I do to fix it?
     
  16. CNK

    CNK Active Member

    How do I fix this problem? Registration on my forum doesn't work, because I have a lot of errors such as:

    I have my domain on Cloudflare; Roundcube works great, but registration does not. :(
     