Error with stream_socket_enable_crypto()


NotionCommotion

I recently upgraded from PHP5.5 to PHP5.6.  I just noticed that PHPMailer is no longer working, and I get the following error:

An error occurred in script '/var/www/application/classes_3rd/PHPMailer/class.smtp.php' on line 344: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages:  error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (error no: 2).

According to https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting:

 

PHP 5.6 certificate verification failure

In a change from earlier versions, PHP 5.6 verifies certificates on SSL connections. If the SSL config of the server you are connecting to is not correct, you will get an error like this:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

The correct fix for this is to replace the invalid, misconfigured or self-signed certificate with a good one. Failing that, you can allow insecure connections via the SMTPOptions property introduced in PHPMailer 5.2.10 (it's possible to do this by subclassing the SMTP class in earlier versions), though this is not recommended:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

You can also change these settings globally in your php.ini, but that's a really bad idea; PHP 5.6 made this change for very good reasons.

Sometimes this behaviour is not quite so apparent; sometimes encryption failures may appear as the client issuing a QUIT immediately after trying to do a STARTTLS. If you see that happen, you should check the state of your certificates or verification settings.

 

 

I have made the hack fix and it works; however, I would like to do it right and make sure SSL is configured correctly. When testing my URI on https://www.sslshopper.com/ssl-checker.html, it shows all green.  Don't know if it matters, but I have a wildcard certificate (i.e. variable.fixed.example.com for any "variable").  My PHPMailer version is 5.2.12.

variable.fixed.example.com resolves to 123.456.789.123
  
Server Type: Apache/2.2.15 (CentOS)
  
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
  
The certificate was issued by StartCom. 
The certificate will expire in 148 days. 
  
The hostname (variable.fixed.example.com) is correctly listed in the certificate.


Common name: fixed.example.com
SANs: fixed.example.com, example.com, *.fixed.example.com
Organization: Michael Reed
Location: Bothell, Washington, US
Valid from February 1, 2015 to February 1, 2017
Serial Number: xxx(0xxxx)
Signature Algorithm: sha256WithRSAEncryption
Issuer: StartCom Class 2 Primary Intermediate Server CA


Common name: StartCom Class 2 Primary Intermediate Server CA
Organization: StartCom Ltd.
Location: IL
Valid from October 24, 2007 to October 24, 2017
Serial Number: 27 (0x1b)
Signature Algorithm: sha256WithRSAEncryption
Issuer: StartCom Certification Authority

Any recommendations?  Thank you

Edited by NotionCommotion

That site only checks your HTTP setup. PHPMailer is concerned with your SMTP setup, which generally just comes pre-configured with a self-signed certificate which will fail verifications due to it not being from a trusted source.

 

What you need to do is configure your mail server software to use a certificate from a trusted authority. The certificate's host name needs to match that of your mail server's name. So if your mail server is mail.example.com, you need a certificate for mail.example.com.

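One way to look at the certificate the SMTP service itself presents, rather than the one Apache serves, is to repeat the STARTTLS handshake outside PHPMailer. This is an added example, not part of the thread or of PHPMailer; smtp_read() and smtp_starttls_cert() are hypothetical helper names, and the host and port are placeholders for whatever PHPMailer is configured to use.

```php
<?php
// Added example: report whether the SMTP server's STARTTLS certificate verifies, then show it.
function smtp_read($fp) {
    // Read one SMTP reply; continuation lines have '-' after the code, the last has ' '.
    $reply = '';
    while (($line = fgets($fp, 515)) !== false) {
        $reply .= $line;
        if (strlen($line) < 4 || $line[3] === ' ') { break; }
    }
    return $reply;
}

function smtp_starttls_cert($host, $port, $verify) {
    $ctx = stream_context_create(array('ssl' => array(
        'verify_peer' => $verify, 'verify_peer_name' => $verify,
        'peer_name'   => $host,   'capture_peer_cert' => true,
    )));
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $ctx);
    if (!$fp) { throw new RuntimeException("connect failed: $errstr"); }
    smtp_read($fp);                                   // 220 greeting
    fwrite($fp, "EHLO " . gethostname() . "\r\n");
    smtp_read($fp);
    fwrite($fp, "STARTTLS\r\n");
    if (strpos(smtp_read($fp), '220') !== 0) { throw new RuntimeException('STARTTLS refused'); }
    // The call named in the error message; @ hides the warning so the result is reported below.
    $ok = @stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    $opts = stream_context_get_options($fp);
    fclose($fp);
    $cert = isset($opts['ssl']['peer_certificate'])
        ? openssl_x509_parse($opts['ssl']['peer_certificate']) : null;
    return array($ok === true, $cert);
}

$host = 'mail.example.com';   // placeholder: the host PHPMailer connects to
$port = 587;                  // placeholder: the port PHPMailer connects to

list($verified) = smtp_starttls_cert($host, $port, true);
echo 'Verification with verify_peer on: ' . ($verified ? 'OK' : 'FAILED') . "\n";

// Diagnostic pass only: verification is off so the certificate can be read; no mail is sent.
list(, $cert) = smtp_starttls_cert($host, $port, false);
if ($cert) {
    $san = isset($cert['extensions']['subjectAltName'])
        ? $cert['extensions']['subjectAltName'] : '(none)';
    echo "Subject: {$cert['name']}\nSANs: $san\n";
    echo 'Self-signed: ' . ($cert['subject'] == $cert['issuer'] ? 'yes' : 'no') . "\n";
    echo 'Expires: ' . date('Y-m-d', $cert['validTo_time_t']) . "\n";
}
```

If the first line reports FAILED and the certificate is self-signed or its names do not include the mail host, the mail server's certificate is what needs replacing, and the SMTPOptions override can then be removed.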
