PHP Classes

PHP 5.6 Changes to OpenSSL

Subject: PHP 5.6 Changes to OpenSSL
Summary: Class needs a way to stop forced peer certificate verification.
Messages: 7
Author: Klemen
Date: 2014-09-07 06:36:21
 

  1. PHP 5.6 Changes to OpenSSL
Klemen - 2014-09-07 06:36:21
Hello,

This is not actually a problem with the SMTP class, but rather a feature request.

With the release of PHP 5.6 there have been some changes in OpenSSL. Stream wrappers now verify peer certificates and host names by default when using SSL/TLS:
php.net/manual/en/migration56.opens ...

Even with servers like smtp.gmail.com the class now fails TLS connection because of mismatched certificate CN values.

If this is not a coding-related issue, the class needs a way to turn peer verification off.

I solved the issue with the TLS connection to smtp.gmail.com like this:

1. find line

$this->OutputDebug('Starting TLS cryptograpic protocol');

2. BELOW that line add

$contextOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
    ),
);
stream_context_set_option($this->connection, $contextOptions);

  2. Re: PHP 5.6 Changes to OpenSSL
Manuel Lemos - 2014-09-07 06:47:45 - In reply to message 1 from Klemen
I can add that feature, but why is it failing the certificate verification for you?

  3. Re: PHP 5.6 Changes to OpenSSL
Klemen - 2014-09-07 15:51:28 - In reply to message 2 from Manuel Lemos
This is what I get if I don't turn off peer verification:


Resolving SMTP server domain "smtp.gmail.com"...
Connecting to host address "74.125.136.108" port 587...
Connected to SMTP server "smtp.gmail.com".
S 220 mx.google.com ESMTP h3sm8086882wjz.24 - gsmtp
C EHLO 127.0.0.1
S 250-mx.google.com at your service, [193.77.156.113]
S 250-SIZE 35882577
S 250-8BITMIME
S 250-STARTTLS
S 250-ENHANCEDSTATUSCODES
S 250-PIPELINING
S 250-CHUNKING
S 250 SMTPUTF8
C STARTTLS
S 220 2.0.0 Ready to start TLS
Starting TLS cryptograpic protocol
<br />
<b>Warning</b>: stream_socket_enable_crypto(): Peer certificate CN=`smtp.gmail.com' did not match expected CN=`74.125.136.108' in <b>\projects\test\inc\mail\smtp.php</b> on line <b>1265</b><br />

  4. Re: PHP 5.6 Changes to OpenSSL
Klemen - 2014-11-22 13:22:15 - In reply to message 3 from Klemen
The problem seems to be that the certificate is issued to "smtp.gmail.com", but the SMTP E-mail sending class sends the IP address 74.125.136.108 rather than the smtp.gmail.com host name to stream_socket_enable_crypto()?

  5. Re: PHP 5.6 Changes to OpenSSL
Manuel Lemos - 2014-11-23 04:08:07 - In reply to message 4 from Klemen
Yes, the class tries to resolve the IP to see if it is correct before sending, but the SSL protocol requires the host name.

So the solution is not to disable peer verification, but rather to always use the host name for the SSL connection.

The class was just fixed to do that. Thanks for reporting. Just let me know if you find other issues.
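
Added example, not part of the thread and not the SMTP class's own code: a sketch of the approach described in message 5, connecting to the resolved IP address while verifying the certificate against the host name through the `peer_name` context option. The function names, the `client.example` EHLO name and the PHP 7.2+ requirement are assumptions of this example.

```php
<?php
// Added example: not code from the SMTP class. Function names are hypothetical.
// Assumes PHP 7.2 or later with the openssl extension and a default CA bundle.
/** Read one SMTP reply (possibly multi-line) and require the given status code. */
function smtp_expect($conn, string $code): string
{
    do {
        $line = fgets($conn, 1024);
        if ($line === false || strncmp($line, $code, 3) !== 0) {
            throw new RuntimeException('Unexpected SMTP reply: ' . var_export($line, true));
        }
    } while (isset($line[3]) && $line[3] === '-'); // "250-" means more lines follow
    return $line;
}

/** Connect to the resolved IP, send STARTTLS, verify the certificate against $host. */
function smtp_starttls_verified(string $host, int $port = 587, int $timeout = 10)
{
    $ip = gethostbyname($host); // returns $host unchanged when resolution fails
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new RuntimeException("Cannot resolve $host");
    }
    $context = stream_context_create(['ssl' => [
        'verify_peer'      => true,
        'verify_peer_name' => true,
        'peer_name'        => $host, // without this PHP checks the IP from the URL below
    ]]);
    $conn = stream_socket_client("tcp://$ip:$port", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($conn === false) {
        throw new RuntimeException("Connect failed: $errstr ($errno)");
    }
    stream_set_timeout($conn, $timeout);
    smtp_expect($conn, '220');                 // server greeting
    fwrite($conn, "EHLO client.example\r\n");  // constructed client name
    smtp_expect($conn, '250');
    fwrite($conn, "STARTTLS\r\n");
    smtp_expect($conn, '220');
    // Returns false (with a warning) if the chain or the name check fails.
    if (stream_socket_enable_crypto($conn, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        fclose($conn);
        throw new RuntimeException("TLS handshake or certificate check failed for $host");
    }
    return $conn; // encrypted stream, ready for a second EHLO and AUTH
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    fclose(smtp_starttls_verified($argv[1]));
    echo "Certificate verified for {$argv[1]}\n";
}
```

Run it as `php starttls.php smtp.gmail.com` (the file name is arbitrary); removing the `peer_name` line reproduces the CN mismatch warning quoted in message 3, because the name check then runs against the IP address in the connection URL.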

  6. Re: PHP 5.6 Changes to OpenSSL
korlerpoh ibrahim - 2020-07-01 21:27:57 - In reply to message 5 from Manuel Lemos
Please, I'm experiencing the same problem as Klemen now. Can you share the link to the new class that has been updated to fix the OpenSSL certificate problem for newer versions of PHP?

  7. Re: PHP 5.6 Changes to OpenSSL
Manuel Lemos - 2020-07-02 00:36:52 - In reply to message 6 from korlerpoh ibrahim
Hello korlerpoh,

The package page is the same:

phpclasses.org/package/14-PHP-Sends ...

Can you tell us the exact error message you are seeing so we can tell if it is the same problem?