XF 1.4 XenForo SMTP settings to work with PHP 5.6 using Self-Signed Certs

[Jawsh]

I am getting hundreds of these errors intermittently.

ErrorException: Email to xxx@xxx.xxx failed: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed - library/Zend/Mail/Protocol/Smtp.php:206

This only happened once I switched over to HHVM, which required PHP5.6 to run. The issue has to do with PHP5's updated SSL interfaces and security requirements. All resources I find on the error suggest that I change settings that look like this.

$mail->SMTPOptions = [
    'ssl' => [
        'verify_peer' => false,
        'verify_peer_name' => false,
       'allow_self_signed' => true
]];

This is apparently caused by PHP5.6 refusing to talk to the server with its self-signed cert. That needs to stop, immediately. Where can I change these settings in XenForo?

 

[TPerry]

You change it in php.ini.

 

[Jawsh]

You change it in php.ini.

Can you provide me documentation for this? I've been searching all day and the only thing I can find nothing on this. It appears to be an application level property.

 

[TPerry]

Can you provide me documentation for this? I've been searching all day and the only thing I can find nothing on this. It appears to be an application level property.

PHP 5.6.0 released

There was a lot of digging that it took to get it to work.. but in the end, the easies thing for me was getting a valid cert for the domain I do my mail serving from.

In a nutshell,

Stream wrappers now verify peer certificates and host names by default when using SSL/TLS ¶

All encrypted client streams now enable peer verification by default. By default, this will use OpenSSL's default CA bundle to verify the peer certificate. In most cases, no changes will need to be made to communicate with servers with valid SSL certificates, as distributors generally configure OpenSSL to use known good CA bundles.

The default CA bundle may be overridden on a global basis by setting either the openssl.cafile or openssl.capath configuration setting, or on a per request basis by using the cafile or capath context options.

While not recommended in general, it is possible to disable peer certificate verification for a request by setting the verify_peer context option to FALSE, and to disable peer name validation by setting the verify_peer_name context option to FALSE.

 

[Jawsh]

There was a lot of digging that it took to get it to work.. but in the end, the easies thing for me was getting a valid cert for the domain I do my mail serving from.

And thus this marks the only technical problem I've ever had that could only be resolved by spending money.

Thanks for the help, appears to be working fine.

 

[TPerry]

And thus this marks the only technical problem I've ever had that could only be resolved by spending money.

Thanks for the help, appears to be working fine.

Sometimes it's worth spending the $20 or so (I get multi-year) for the cert. I figured after I had researched/dug for about 3 hours my time was worth more than that an hour.