Reasons why PHP stream_socket_enable_crypto() returns FALSE?

◇◆丶佛笑我妖孽 提交于 2021-02-10 18:41:01

问题


I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.

I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.

I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.

Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.

It's not an authentication issue since I do get path enabling TLS on the socket.

Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?

EDIT:

If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.

Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.


回答1:


After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.

     openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt

The php.ini file has the following comment concerning openssl.capath:

     ; If openssl.cafile is not specified or if the CA file is not found, the
     ; directory pointed to by openssl.capath is searched for a suitable
     ; certificate. This value must be a correctly hashed certificate directory.
     ; Most users should not specify a value for this directive as PHP will
     ; attempt to use the OS-managed cert stores in its absence. If specified,
     ; this value may still be overridden on a per-stream basis via the "capath"
     ; SSL stream context option.

By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.



来源:https://stackoverflow.com/questions/53437771/reasons-why-php-stream-socket-enable-crypto-returns-false

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!