Reasons why PHP stream_socket_enable_crypto() returns FALSE?
I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.
I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.
I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.
Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.
It's not an authentication issue since I do get path enabling TLS on the socket.
Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?
EDIT:
If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.
Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.
php zend-framework zend-framework3
asked Nov 22 at 20:42
Eric Richer
357
|
show 4 more comments
I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.
I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.
I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.
Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.
It's not an authentication issue since I do get path enabling TLS on the socket.
Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?
EDIT:
If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.
Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.
php zend-framework zend-framework3
asked Nov 22 at 20:42
Eric Richer
357
From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
– miken32
Nov 23 at 23:01
stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
– Eric Richer
Nov 26 at 19:55
The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to usestream_socket_context_create()to set the options to ensure that PHP recognizes that certificate.
– miken32
Nov 26 at 20:35
The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
– Eric Richer
Nov 27 at 0:23
The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
– miken32
Nov 27 at 0:25
|
show 4 more comments
I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.
I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.
I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.
Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.
It's not an authentication issue since I do get path enabling TLS on the socket.
Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?
EDIT:
If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.
Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.
php zend-framework zend-framework3
asked Nov 22 at 20:42
Eric Richer
357
I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.
I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.
I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.
Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.
It's not an authentication issue since I do get path enabling TLS on the socket.
Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?
EDIT:
If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.
Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.
php zend-framework zend-framework3
php zend-framework zend-framework3
asked Nov 22 at 20:42
Eric Richer
357
asked Nov 22 at 20:42
Eric Richer
357
edited Nov 23 at 22:52
asked Nov 22 at 20:42
Eric Richer
357
asked Nov 22 at 20:42
Eric Richer
357
asked Nov 22 at 20:42
Eric Richer
357
357
From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
– miken32
Nov 23 at 23:01
stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
– Eric Richer
Nov 26 at 19:55
The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to usestream_socket_context_create()to set the options to ensure that PHP recognizes that certificate.
– miken32
Nov 26 at 20:35
The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
– Eric Richer
Nov 27 at 0:23
The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
– miken32
Nov 27 at 0:25
|
show 4 more comments
From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
– miken32
Nov 23 at 23:01
stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
– Eric Richer
Nov 26 at 19:55
The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to usestream_socket_context_create()to set the options to ensure that PHP recognizes that certificate.
– miken32
Nov 26 at 20:35
The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
– Eric Richer
Nov 27 at 0:23
The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
– miken32
Nov 27 at 0:25
From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
– miken32
Nov 23 at 23:01
From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
– miken32
Nov 23 at 23:01
stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
– Eric Richer
Nov 26 at 19:55
stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
– Eric Richer
Nov 26 at 19:55
The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use
stream_socket_context_create() to set the options to ensure that PHP recognizes that certificate.– miken32
Nov 26 at 20:35
The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use
stream_socket_context_create() to set the options to ensure that PHP recognizes that certificate.– miken32
Nov 26 at 20:35
The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
– Eric Richer
Nov 27 at 0:23
The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
– Eric Richer
Nov 27 at 0:23
The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
– miken32
Nov 27 at 0:25
The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
– miken32
Nov 27 at 0:25
|
show 4 more comments
1 Answer
1
active
oldest
votes
After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.
openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt
The php.ini file has the following comment concerning openssl.capath:
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.
answered Nov 27 at 14:26
Eric Richer
357
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53437771%2freasons-why-php-stream-socket-enable-crypto-returns-false%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.
openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt
The php.ini file has the following comment concerning openssl.capath:
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.
answered Nov 27 at 14:26
Eric Richer
357
add a comment |
After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.
openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt
The php.ini file has the following comment concerning openssl.capath:
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.
answered Nov 27 at 14:26
Eric Richer
357
add a comment |
After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.
openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt
The php.ini file has the following comment concerning openssl.capath:
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.
answered Nov 27 at 14:26
Eric Richer
357
After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.
openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt
The php.ini file has the following comment concerning openssl.capath:
; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.
By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.
answered Nov 27 at 14:26
Eric Richer
357
answered Nov 27 at 14:26
Eric Richer
357
answered Nov 27 at 14:26
Eric Richer
357
answered Nov 27 at 14:26
Eric Richer
357
357
add a comment |
add a comment |
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53437771%2freasons-why-php-stream-socket-enable-crypto-returns-false%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
– miken32
Nov 23 at 23:01
stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
– Eric Richer
Nov 26 at 19:55
The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use
stream_socket_context_create()to set the options to ensure that PHP recognizes that certificate.– miken32
Nov 26 at 20:35
The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
– Eric Richer
Nov 27 at 0:23
The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
– miken32
Nov 27 at 0:25