Reasons why PHP stream_socket_enable_crypto() returns FALSE?












0














I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.



I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.



I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.



Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.



It's not an authentication issue since I do get path enabling TLS on the socket.



Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?



EDIT:



If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.



Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.










share|improve this question
























  • From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
    – miken32
    Nov 23 '18 at 23:01










  • stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
    – Eric Richer
    Nov 26 '18 at 19:55










  • The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use stream_socket_context_create() to set the options to ensure that PHP recognizes that certificate.
    – miken32
    Nov 26 '18 at 20:35










  • The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
    – Eric Richer
    Nov 27 '18 at 0:23










  • The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
    – miken32
    Nov 27 '18 at 0:25
















0














I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.



I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.



I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.



Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.



It's not an authentication issue since I do get path enabling TLS on the socket.



Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?



EDIT:



If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.



Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.










share|improve this question
























  • From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
    – miken32
    Nov 23 '18 at 23:01










  • stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
    – Eric Richer
    Nov 26 '18 at 19:55










  • The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use stream_socket_context_create() to set the options to ensure that PHP recognizes that certificate.
    – miken32
    Nov 26 '18 at 20:35










  • The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
    – Eric Richer
    Nov 27 '18 at 0:23










  • The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
    – miken32
    Nov 27 '18 at 0:25














0












0








0







I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.



I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.



I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.



Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.



It's not an authentication issue since I do get path enabling TLS on the socket.



Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?



EDIT:



If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.



Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.










share|improve this question















I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.



I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.



I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.



Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.



It's not an authentication issue since I do get path enabling TLS on the socket.



Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?



EDIT:



If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.



Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.







php zend-framework zend-framework3






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 23 '18 at 22:52

























asked Nov 22 '18 at 20:42









Eric Richer

357




357












  • From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
    – miken32
    Nov 23 '18 at 23:01










  • stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
    – Eric Richer
    Nov 26 '18 at 19:55










  • The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use stream_socket_context_create() to set the options to ensure that PHP recognizes that certificate.
    – miken32
    Nov 26 '18 at 20:35










  • The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
    – Eric Richer
    Nov 27 '18 at 0:23










  • The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
    – miken32
    Nov 27 '18 at 0:25


















  • From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
    – miken32
    Nov 23 '18 at 23:01










  • stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
    – Eric Richer
    Nov 26 '18 at 19:55










  • The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use stream_socket_context_create() to set the options to ensure that PHP recognizes that certificate.
    – miken32
    Nov 26 '18 at 20:35










  • The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
    – Eric Richer
    Nov 27 '18 at 0:23










  • The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
    – miken32
    Nov 27 '18 at 0:25
















From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
– miken32
Nov 23 '18 at 23:01




From the documentation: "Returns TRUE on success, FALSE if negotiation has failed or 0 if there isn't enough data and you should try again (only for non-blocking sockets)." So if it's actually returning false, likely there's a mismatch between the methods supported by your server and those supported by PHP.
– miken32
Nov 23 '18 at 23:01












stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
– Eric Richer
Nov 26 '18 at 19:55




stream_socket_enable_crypto() returns false. So far, I think the certificate used by the socket when enabling encryption is rejected by the remote. Like I mentioned, I am using a certificate generated by a self-signed CA on my dev machine where the PHP script is running. Using a virtual host on Apache to run the PHP script and the vhost uses that development certificate. How do I figure out which certificate my script is using? The one associated with the vhost? Or is it another default certificate?
– Eric Richer
Nov 26 '18 at 19:55












The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use stream_socket_context_create() to set the options to ensure that PHP recognizes that certificate.
– miken32
Nov 26 '18 at 20:35




The certificate used by your web server has nothing to do with how PHP connects to other servers. If your mail server is using a self-signed certificate, you'll want to use stream_socket_context_create() to set the options to ensure that PHP recognizes that certificate.
– miken32
Nov 26 '18 at 20:35












The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
– Eric Richer
Nov 27 '18 at 0:23




The mail server is using a valid certificate issued by GoDaddy. My server where the PHP code is running, uses a certificate issue by a self-signed CA (that I created for dev purposes). Not very proficient in SSL/TLS so I am not sure yet which sides refuses to start encryption and logs on the mail server (Postfix/Dovecot) are pretty cryptic.
– Eric Richer
Nov 27 '18 at 0:23












The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
– miken32
Nov 27 '18 at 0:25




The certificate used by your web server is for talking to web browsers, not making network connections. If your mail server cert is trusted already, I'd go back to my original statement about mismatched encryption algorithms.
– miken32
Nov 27 '18 at 0:25












1 Answer
1






active

oldest

votes


















1














After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.



     openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt


The php.ini file has the following comment concerning openssl.capath:



     ; If openssl.cafile is not specified or if the CA file is not found, the
; directory pointed to by openssl.capath is searched for a suitable
; certificate. This value must be a correctly hashed certificate directory.
; Most users should not specify a value for this directive as PHP will
; attempt to use the OS-managed cert stores in its absence. If specified,
; this value may still be overridden on a per-stream basis via the "capath"
; SSL stream context option.


By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.






share|improve this answer





















    Your Answer






    StackExchange.ifUsing("editor", function () {
    StackExchange.using("externalEditor", function () {
    StackExchange.using("snippets", function () {
    StackExchange.snippets.init();
    });
    });
    }, "code-snippets");

    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "1"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53437771%2freasons-why-php-stream-socket-enable-crypto-returns-false%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.



         openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt


    The php.ini file has the following comment concerning openssl.capath:



         ; If openssl.cafile is not specified or if the CA file is not found, the
    ; directory pointed to by openssl.capath is searched for a suitable
    ; certificate. This value must be a correctly hashed certificate directory.
    ; Most users should not specify a value for this directive as PHP will
    ; attempt to use the OS-managed cert stores in its absence. If specified,
    ; this value may still be overridden on a per-stream basis via the "capath"
    ; SSL stream context option.


    By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.






    share|improve this answer


























      1














      After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.



           openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt


      The php.ini file has the following comment concerning openssl.capath:



           ; If openssl.cafile is not specified or if the CA file is not found, the
      ; directory pointed to by openssl.capath is searched for a suitable
      ; certificate. This value must be a correctly hashed certificate directory.
      ; Most users should not specify a value for this directive as PHP will
      ; attempt to use the OS-managed cert stores in its absence. If specified,
      ; this value may still be overridden on a per-stream basis via the "capath"
      ; SSL stream context option.


      By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.






      share|improve this answer
























        1












        1








        1






        After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.



             openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt


        The php.ini file has the following comment concerning openssl.capath:



             ; If openssl.cafile is not specified or if the CA file is not found, the
        ; directory pointed to by openssl.capath is searched for a suitable
        ; certificate. This value must be a correctly hashed certificate directory.
        ; Most users should not specify a value for this directive as PHP will
        ; attempt to use the OS-managed cert stores in its absence. If specified,
        ; this value may still be overridden on a per-stream basis via the "capath"
        ; SSL stream context option.


        By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.






        share|improve this answer












        After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.



             openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt


        The php.ini file has the following comment concerning openssl.capath:



             ; If openssl.cafile is not specified or if the CA file is not found, the
        ; directory pointed to by openssl.capath is searched for a suitable
        ; certificate. This value must be a correctly hashed certificate directory.
        ; Most users should not specify a value for this directive as PHP will
        ; attempt to use the OS-managed cert stores in its absence. If specified,
        ; this value may still be overridden on a per-stream basis via the "capath"
        ; SSL stream context option.


        By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 27 '18 at 14:26









        Eric Richer

        357




        357






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Stack Overflow!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53437771%2freasons-why-php-stream-socket-enable-crypto-returns-false%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Berounka

            Sphinx de Gizeh

            Different font size/position of beamer's navigation symbols template's content depending on regular/plain...