
I am using PHPMailer on PHP 5.6; the increased security around certificates in PHP 5.6 is certainly fun.

I am trying to send a test message to a domain hosted on dreamhost, the error that comes back from PHPMailer is: Could not connect to SMTP host.

That error is not right though, I have logging enabled and here is what is actually going on.

    Connection: opening to mx1.sub4.homie.mail.dreamhost.com:25, timeout=30, options=array ( )
    Connection: opened
    S: 220 homiemail-mx32.g.dreamhost.com ESMTP
    C: EHLO s81a.ikbb.com
    S: 250-homiemail-mx32.g.dreamhost.com
       250-PIPELINING
       250-SIZE 40960000
       250-ETRN
       250-STARTTLS
       250-ENHANCEDSTATUSCODES
       250 8BITMIME
    C: STARTTLS
    S: 220 2.0.0 Ready to start TLS
    C: QUIT
    S: SMTP ERROR: QUIT command failed:
    Connection: closed

I could not understand why PHPMailer just gives up, issuing a QUIT command when it should start sending the message. I got another clue from another log:

PHP Warning: stream_socket_enable_crypto(): Peer certificate CN=*.mail.dreamhost.com' did not match expected CN=mx1.sub4.homie.mail.dreamhost.com' in /home/ikbb/domains/dev.ikbb.com/public_html/includes/phpmailer/5.2.10/class.smtp.php

If I use some custom options to prevent validation of the cert they are using I can get it to continue. Here is what I have:

    $mail->SMTPOptions = array(
        'ssl' => array(
            'verify_peer'       => false,
            'verify_peer_name'  => false,
            'allow_self_signed' => true
        )
    );

If I put the SMTPOptions in there and skip the peer verification, the message goes OK, with no warning in PHP at all.

How can I trap that error, so I know there is an issue but still send the message?

 Answers

1

I had the same problem and I found the answer in the PHPMailer documentation.

PHP 5.6 certificate verification failure

In a change from earlier versions, PHP 5.6 verifies certificates on SSL connections. If the SSL config of the server you are connecting to is not correct, you will get an error like this:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The correct fix for this is to replace the invalid, misconfigured or self-signed certificate with a good one. Failing that, you can allow insecure connections via the SMTPOptions property introduced in PHPMailer 5.2.10 (it's possible to do this by subclassing the SMTP class in earlier versions), though this is not recommended:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

You can also change these settings globally in your php.ini, but that's a really bad idea; PHP 5.6 made this change for very good reasons.

Sometimes this behaviour is not quite so apparent; sometimes encryption failures may appear as the client issuing a QUIT immediately after trying to do a STARTTLS. If you see that happen, you should check the state of your certificates or verification settings.

Friday, August 19, 2022
2

PHP offers an interface to OpenSSL functions. You need to generate a certificate (the keypair can't include user data), and this is a bit more complicated than generating a keypair. You can generate self-signed certificates (in such certificates the Issuer and Subject fields are identical), which is probably what you need.

If you need a CA-signed certificate, then you need to generate a certificate signing request (CSR) and a private key, then send the CSR to the certificate authority that will sign it and send you back the certificate (remember that the private key remains on your side, so you need to save it).

Also, a Google search revealed a good tutorial for you.

Friday, August 5, 2022
 
1

You can compile the openssl extension.

First step: download the PHP source for the version you are using.

Then run the commands:

tar zxvf php-yourphpversion.tar.gz
cd php-yourphpversion/ext/openssl/

# Note: if phpize fails with "cannot find config.m4", rename
# config0.m4 to config.m4 first:
#   mv config0.m4 config.m4

# Use the phpize from your PHP installation. On my computer PHP is
# located in /usr/local/php/, so phpize is /usr/local/php/bin/phpize.
/usr/local/php/bin/phpize

# --with-php-config takes (your php location)/bin/php-config
./configure --with-openssl --with-php-config=/usr/local/php/bin/php-config
make
sudo make install

Then the openssl extension will be installed and the install returns a path; on my computer it returns /usr/local/php/lib/php/extensions/debug-zts-20160303/

Finally, modify php.ini and restart php-fpm:

; you should put the path returned by the install here
extension_dir = "the path return after install"
extension=openssl.so
Wednesday, November 2, 2022
 
vxp
 
1

Because the type of the persistent attribute projectNo is Long, the type argument when creating the ParameterExpression should be Long. Consequently, because the type of the ParameterExpression is Long, the type of the parameter's value should be Long as well:

//because this persistent Attribute is Long:
private Long projectNo; 

//we use Long here as well
ParameterExpression<Long> pexp = cb.parameter(Long.class, "projectNo");
...
//and finally set the parameter. Long again, because that is the
// type of the ParameterExpression:
query.setParameter("projectNo", Long.valueOf(projectNo));
Sunday, November 27, 2022
3

There seems to be something wrong with the SSL certificate.

But the settings changed in PHP 5.6; you can fix this by ignoring the verification, or, when you have a self-signed certificate, allow_self_signed can be related.

 stream_context_create($ourStuff, ['verify_peer' => false]);

More information and settings: http://php.net/manual/en/context.ssl.php

Which is referred to from http://php.net/manual/en/function.stream-context-create.php

Note that disabling validation can be a security risk, and should be only done if you know what you are doing.

The default value of verify_peer has been changed to true in newer php versions (>= 5.6). Which means there was always a security risk.

As noted by deceze, you should only do this when you are sure all other things are correct, like your own PHP configuration:

Step 1: test the remote certificate whether it's valid using openssl CLI tool or whatever other methods you prefer. If remote cert is fine.

Step 2: figure out why PHP can't accept it. If it's because PHP has problems validating wildcard certs, see if there's some fix for that. Or if it's because PHP doesn't have a local CA store, which is easy to fix.

Step 3: disable peer verification.

Sunday, September 18, 2022
 
jorel
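
Why the handshake in the question fails, as an added example (not code from PHPMailer or from any of the answers): a certificate wildcard covers exactly one left-most label, so `*.mail.dreamhost.com` cannot match `mx1.sub4.homie.mail.dreamhost.com`. The function names are hypothetical, the matching rule is the usual single-label one rather than PHP's own source, and the sample input is the two warnings quoted on this page.

```php
<?php
// Added example. certNameMatches() and classifyTlsWarning() are hypothetical helpers.

// Match a host against a certificate name; "*" is accepted only as the
// whole left-most label and stands for exactly one label.
function certNameMatches($certName, $host)
{
    $certName = strtolower(rtrim($certName, '.'));
    $host     = strtolower(rtrim($host, '.'));
    if ($certName === $host) {
        return true;
    }
    if (strncmp($certName, '*.', 2) !== 0) {
        return false;                          // not a wildcard name
    }
    $suffix    = substr($certName, 1);         // e.g. ".mail.dreamhost.com"
    $suffixLen = strlen($suffix);
    if (strlen($host) <= $suffixLen || substr($host, -$suffixLen) !== $suffix) {
        return false;
    }
    $left = substr($host, 0, -$suffixLen);     // the part "*" would have to cover
    return strpos($left, '.') === false;       // more than one label: no match
}

// Classify a stream_socket_enable_crypto() warning taken from the PHP log.
function classifyTlsWarning($warning)
{
    $re = "/Peer certificate CN=`?([^']+)' did not match expected CN=`?([^']+)'/";
    if (preg_match($re, $warning, $m)) {
        return array('kind' => 'name_mismatch', 'presented' => $m[1], 'expected' => $m[2],
                     'wildcard_covers_host' => certNameMatches($m[1], $m[2]));
    }
    if (strpos($warning, 'certificate verify failed') !== false) {
        return array('kind' => 'chain_verify_failed');
    }
    return array('kind' => 'other');
}

// Sample input: the two warnings quoted on this page.
$samples = array(
    "stream_socket_enable_crypto(): Peer certificate CN=*.mail.dreamhost.com' did not match expected CN=mx1.sub4.homie.mail.dreamhost.com'",
    "OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed",
);
foreach ($samples as $line) {
    echo json_encode(classifyTlsWarning($line)), PHP_EOL;
}
```

A `name_mismatch` result means the chain may be fine and only the hostname binding failed, which is a different problem from `chain_verify_failed` (untrusted, expired or self-signed certificate, or a missing local CA store).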
 