XF 1.5 Fixing stream_socket_enable_crypto() errors while sending mail

W1zzard

Well-known member
When using a self-signed SSL certificate on your e-mail server, you'll see the following error in your logs if you use PHP >5.6:

Code:
ErrorException: Email to foo@bar.com failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:207

and

ErrorException: Email to foor@bar.com failed (after retry): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:207

The underlying issue is that PHP verifies certificates on SSL connection starting with version 5.6.

My fix:
edit: /library/Zend/Mail/Protocol/Smtp.php, find the line with stream_socket_enable_crypto(, add a line before

Code:
stream_context_set_option($this->_socket, 'ssl', 'verify_peer', false);
 
I think to be "fully" correct, you should use both verify_peer and verify_peer_name set to false to get the old behavior.. or that was what I read many moons ago when I was researching it (and what my notes show). I just ended up getting a valid SSL for it myself.
 
I think to be "fully" correct, you should use both verify_peer and verify_peer_name set to false to get the old behavior.. or that was what I read many moons ago when I was researching it (and what my notes show). I just ended up getting a valid SSL for it myself.
You seem to be right: https://github.com/guzzle/guzzle/issues/1256

Probably didn't notice that because my self-signed certs have the right name.

I was too cheap to get a valid SSL :)
 
There are free valid SSL providers available like StartSSL or Let's Encrypt. The latter requires a bit of setup and you'd want to automate renewal, but there are programs available. Or you can go with the former.
 
We are talking about e-mail servers here :)
I know ;) While Let's Encrypt is aimed primarily at HTTP, there's no real difference in the certificates as far as I know. I do know people are successfully using it for SMTP.

https://community.letsencrypt.org/t/use-on-non-web-servers/425/4

Possible in theory, if you write code around their renewal process.
I don't know if DNS validation has been added to the official client yet, but I do know it's in the works. After validation, all it does is output the certificate somewhere on the filesystem where the mail server could be configured to use it. A webserver and SMTP server could even use the same certificate.

Unfortunately SNI certs aren't free anywhere I know. Another problem could be that CAs won't issue for internal hostnames.
Maybe I'm mistaken, but doesn't SNI rely purely on the server and client both supporting it? I don't think there's anything special about the certificates themselves. Let's Encrypt does allow for having multiple domain names in one certificate as well.

https://community.letsencrypt.org/t/do-i-need-a-dedicated-ip-for-the-certificate/1113/

Of course, if your server doesn't have a FQDN then you won't be able to get a certificate for it.. though I don't see why you wouldn't have a FQDN configured.
 
I think to be "fully" correct, you should use both verify_peer and verify_peer_name set to false to get the old behavior.. or that was what I read many moons ago when I was researching it (and what my notes show). I just ended up getting a valid SSL for it myself.
installed php 5.6
how to disable
Code:
verify_peer
verify_peer_name
php.in function no data
 
I don't think you can disable it in php.ini. It would need to be disabled in the PHP code itself, though this isn't something we expose/support, so it would require manual code modifications (I'm not aware of what those would necessarily be).
 
Moved to version php 5.5.33, the errors are gone
Running an old version (which loses security support 07/2016 and has already lost active support) is not the answer. The answer was given earlier - simply get a free SSL cert and use it. It's not that hard to do and if you are competent enough to set up your own server and MTA then you should easily be able to integrate it.
 
How to fix this problem? Registration on my forum doesn't work, because I have a lot of errors such as:
ErrorException: Email to xxxxxxxxxxxx@gmail.com failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:206
Generated By: Unknown Account, 3 minut(y) temu
Stack Trace
#0 [internal function]: XenForo_Application::handlePhpError(2, 'stream_socket_e...', '/home/gsmxco/ww...', 206, Array)
#1 /home/gsmxco/www/library/Zend/Mail/Protocol/Smtp.php(206): stream_socket_enable_crypto(Resource id #16, true, 9)
#2 /home/gsmxco/www/library/Zend/Mail/Transport/Smtp.php(200): Zend_Mail_Protocol_Smtp->helo('localhost')
#3 /home/gsmxco/www/library/Zend/Mail/Transport/Abstract.php(348): Zend_Mail_Transport_Smtp->_sendMail()
#4 /home/gsmxco/www/library/Zend/Mail.php(1194): Zend_Mail_Transport_Abstract->send(Object(Zend_Mail))
#5 /home/gsmxco/www/library/XenForo/Mail.php(175): Zend_Mail->send(Object(Zend_Mail_Transport_Smtp))
#6 /home/gsmxco/www/library/XenForo/Mail.php(152): XenForo_Mail->sendMail(Object(Zend_Mail))
#7 /home/gsmxco/www/library/XenForo/Model/UserConfirmation.php(136): XenForo_Mail->send('c.nkone@gmail.c...', 'EjKolo')
#8 /home/gsmxco/www/library/XenForo/ControllerPublic/Register.php(424): XenForo_Model_UserConfirmation->sendEmailConfirmation(Array)
#9 /home/gsmxco/www/library/Tac/CustomImgCaptcha/ControllerPublic/Register.php(51): XenForo_ControllerPublic_Register->actionRegister()
#10 /home/gsmxco/www/library/XenForo/FrontController.php(347): Tac_CustomImgCaptcha_ControllerPublic_Register->actionRegister()
#11 /home/gsmxco/www/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#12 /home/gsmxco/www/index.php(13): XenForo_FrontController->run()
#13 {main}
Request State
array(3) {
["url"] => string(32) "http://gsmx.co/rejestracja/spoko"
["_GET"] => array(1) {
["/rejestracja/spoko"] => string(0) ""
}
["_POST"] => array(17) {
["username"] => string(0) ""
["d68f2068415727616293e903202de521"] => string(6) "xxxxxxxxxxx"
["2f28c0e5ad227f6d14f5671f2383f75b"] => string(17) "xxxxxxxxxxxx@gmail.com"
["47e09df0e0e883745abbaf19b254e147"] => string(4) "male"
["dob_month"] => string(1) "3"
["dob_day"] => string(2) "12"
["dob_year"] => string(4) "1991"
["005104860822a5685dd8bbe6e24cd814"] => string(16) "Europe/Amsterdam"
["slidercaptcha_validate_time"] => string(10) "1460534902"
["slidercaptcha_validate_hash"] => string(40) "8c921c4487cb6953e8d62431beb04b9eb64a0cb4"
["slidercaptcha_loaded"] => string(4) "true"
["slidercaptcha_fallback"] => string(9) "ReCaptcha"
["agree"] => string(1) "1"
["_xfToken"] => string(8) "********"
["reg_key"] => string(32) "d53b243b06e7496edbe67b544971c756"
}
}


I have domain on cloudflare, roundcube works great, but not registration.. :(
 
Top Bottom