XF 1.5 Fixing stream_socket_enable_crypto() errors while sending mail

[W1zzard]

When using a self-signed SSL certificate on your e-mail server, you'll see the following error in your logs if you use PHP >5.6:

ErrorException: Email to foo@bar.com failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:207

and

ErrorException: Email to foor@bar.com failed (after retry): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:207

The underlying issue is that PHP verifies certificates on SSL connection starting with version 5.6.

My fix:
edit: /library/Zend/Mail/Protocol/Smtp.php, find the line with stream_socket_enable_crypto(, add a line before

stream_context_set_option($this->_socket, 'ssl', 'verify_peer', false);

 

[TPerry]

I think to be "fully" correct, you should use both verify_peer and verify_peer_name set to false to get the old behavior.. or that was what I read many moons ago when I was researching it (and what my notes show). I just ended up getting a valid SSL for it myself.

 

[W1zzard]

I think to be "fully" correct, you should use both verify_peer and verify_peer_name set to false to get the old behavior.. or that was what I read many moons ago when I was researching it (and what my notes show). I just ended up getting a valid SSL for it myself.

You seem to be right: https://github.com/guzzle/guzzle/issues/1256

Probably didn't notice that because my self-signed certs have the right name.

I was too cheap to get a valid SSL

 

[Jeremy P]

There are free valid SSL providers available like StartSSL or Let's Encrypt. The latter requires a bit of setup and you'd want to automate renewal, but there are programs available. Or you can go with the former.

 

[W1zzard]

Let's Encrypt

We are talking about e-mail servers here Possible in theory, if you write code around their renewal process.

Unfortunately SNI certs aren't free anywhere I know. Another problem could be that CAs won't issue for internal hostnames.

 

[Jeremy P]

We are talking about e-mail servers here

I know While Let's Encrypt is aimed primarily at HTTP, there's no real difference in the certificates as far as I know. I do know people are successfully using it for SMTP.

https://community.letsencrypt.org/t/use-on-non-web-servers/425/4

Possible in theory, if you write code around their renewal process.

I don't know if DNS validation has been added to the official client yet, but I do know it's in the works. After validation, all it does is output the certificate somewhere on the filesystem where the mail server could be configured to use it. A webserver and SMTP server could even use the same certificate.

Unfortunately SNI certs aren't free anywhere I know. Another problem could be that CAs won't issue for internal hostnames.

Maybe I'm mistaken, but doesn't SNI rely purely on the server and client both supporting it? I don't think there's anything special about the certificates themselves. Let's Encrypt does allow for having multiple domain names in one certificate as well.

https://community.letsencrypt.org/t/do-i-need-a-dedicated-ip-for-the-certificate/1113/

Of course, if your server doesn't have a FQDN then you won't be able to get a certificate for it.. though I don't see why you wouldn't have a FQDN configured.

 

[TPerry]

I know While Let's Encrypt is aimed primarily at HTTP, there's no real difference in the certificates as far as I know. I do know people are successfully using it for SMTP.

Which is what my MX server does. I just used the same one that I had set up for HTTP on Postfix.

 

[step-83]

I think to be "fully" correct, you should use both verify_peer and verify_peer_name set to false to get the old behavior.. or that was what I read many moons ago when I was researching it (and what my notes show). I just ended up getting a valid SSL for it myself.

installed php 5.6
how to disable

verify_peer
verify_peer_name

php.in function no data

 

[Mike]

I don't think you can disable it in php.ini. It would need to be disabled in the PHP code itself, though this isn't something we expose/support, so it would require manual code modifications (I'm not aware of what those would necessarily be).

 

[TPerry]

installed php 5.6
how to disable

verify_peer
verify_peer_name

php.in function no data

http://au2.php.net/manual/en/migration56.openssl.php
very bottom of page.. you will have to disable it via the PHP code itself.
Or, simply get a free cert via letsencrypt and use it.. and use a CRON job to renew it automatically (that's what I'm doing).

 

[step-83]

I use a free certificate cloudflare.com
how to be?

 

[Mike]

This particular issue relates to SMTP so your certificate from CloudFlare wouldn't apply.

 

[step-83]

Moved to version php 5.5.33, the errors are gone

 

[TPerry]

Moved to version php 5.5.33, the errors are gone

Running an old version (which loses security support 07/2016 and has already lost active support) is not the answer. The answer was given earlier - simply get a free SSL cert and use it. It's not that hard to do and if you are competent enough to set up your own server and MTA then you should easily be able to integrate it.

 

[otto]

The same problem here - also after switching from php 5.3.x to 5.6.x . I use now the Lets Encrypt SSL certificate but that solves not the errors.

Error Log Entrys: https://xenforo.com/community/threads/error-log-entrys-ssl-email.114582/

Is there any solution for this? I use the php version installed over Plesk 12.5 on a Ubuntu 14.04 LTS Server - what can I do to fix it?

 

[CNK]

How to fix this problem? Registration on my forum doesn't work, because I have a lot of errors such as:

ErrorException: Email to xxxxxxxxxxxx@gmail.com failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:206
Generated By: Unknown Account, 3 minut temu
Stack Trace
#0 [internal function]: XenForo_Application::handlePhpError(2, 'stream_socket_e...', '/home/gsmxco/ww...', 206, Array)
#1 /home/gsmxco/www/library/Zend/Mail/Protocol/Smtp.php(206): stream_socket_enable_crypto(Resource id #16, true, 9)
#2 /home/gsmxco/www/library/Zend/Mail/Transport/Smtp.php(200): Zend_Mail_Protocol_Smtp->helo('localhost')
#3 /home/gsmxco/www/library/Zend/Mail/Transport/Abstract.php(348): Zend_Mail_Transport_Smtp->_sendMail()
#4 /home/gsmxco/www/library/Zend/Mail.php(1194): Zend_Mail_Transport_Abstract->send(Object(Zend_Mail))
#5 /home/gsmxco/www/library/XenForo/Mail.php(175): Zend_Mail->send(Object(Zend_Mail_Transport_Smtp))
#6 /home/gsmxco/www/library/XenForo/Mail.php(152): XenForo_Mail->sendMail(Object(Zend_Mail))
#7 /home/gsmxco/www/library/XenForo/Model/UserConfirmation.php(136): XenForo_Mail->send('c.nkone@gmail.c...', 'EjKolo')
#8 /home/gsmxco/www/library/XenForo/ControllerPublic/Register.php(424): XenForo_Model_UserConfirmation->sendEmailConfirmation(Array)
#9 /home/gsmxco/www/library/Tac/CustomImgCaptcha/ControllerPublic/Register.php(51): XenForo_ControllerPublic_Register->actionRegister()
#10 /home/gsmxco/www/library/XenForo/FrontController.php(347): Tac_CustomImgCaptcha_ControllerPublic_Register->actionRegister()
#11 /home/gsmxco/www/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#12 /home/gsmxco/www/index.php(13): XenForo_FrontController->run()
#13 {main}
Request State
array(3) {
["url"] => string(32) "http://gsmx.co/rejestracja/spoko"
["_GET"] => array(1) {
["/rejestracja/spoko"] => string(0) ""
}
["_POST"] => array(17) {
["username"] => string(0) ""
["d68f2068415727616293e903202de521"] => string(6) "xxxxxxxxxxx"
["2f28c0e5ad227f6d14f5671f2383f75b"] => string(17) "xxxxxxxxxxxx@gmail.com"
["47e09df0e0e883745abbaf19b254e147"] => string(4) "male"
["dob_month"] => string(1) "3"
["dob_day"] => string(2) "12"
["dob_year"] => string(4) "1991"
["005104860822a5685dd8bbe6e24cd814"] => string(16) "Europe/Amsterdam"
["slidercaptcha_validate_time"] => string(10) "1460534902"
["slidercaptcha_validate_hash"] => string(40) "8c921c4487cb6953e8d62431beb04b9eb64a0cb4"
["slidercaptcha_loaded"] => string(4) "true"
["slidercaptcha_fallback"] => string(9) "ReCaptcha"
["agree"] => string(1) "1"
["_xfToken"] => string(8) "********"
["reg_key"] => string(32) "d53b243b06e7496edbe67b544971c756"
}
}

I have domain on cloudflare, roundcube works great, but not registration..

 

[AndreaMarucci]

Have had the same problem suddenly using Mailgun. Switched to port 25 with no TLS/SSL and it worked.

 

[otto]

Switched to port 25

In Xenforo ACP?

 

[AndreaMarucci]

Yes! Now it works perfectly but don't ask me why... :-D