PHP 5.6.8 cerficate verification failure

Question

Platform: Ubuntu14.04 + xampp 5.5.24 \ 5.6.8 + openssl

Error message while sending an email from phpmailer:

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /opt/lampp/htdocs/Sentrifugo_2.0/install/PHPMailer/class.smtp.php on line 270

on few blogs i have read that we can allow insecure connections via the SMTPOptions and achieve it by subclassing the SMTP class with the following:

$mail->SMTPOptions = array(
'ssl' => array(
    'verify_peer' => false,
    'verify_peer_name' => false,
    'allow_self_signed' => true
)
);

I would really appreciate if anyone can support in confirming where should i be configuring this as i have already searched the class.smtp.php and class.phpmailer.php files but couldnt find verify_peer .

Also, on line 270 i found the following code in class.smtp.php:

/**
 * Initiate a TLS (encrypted) session.
 * @access public
 * @return bool
 */
public function startTLS()
{
    if (!$this->sendCommand('STARTTLS', 'STARTTLS', 220)) {
        return false;
    }
    // Begin encrypted connection
    if (!stream_socket_enable_crypto(
        $this->smtp_conn,
        true,
        STREAM_CRYPTO_METHOD_TLS_CLIENT
    )) {
        return false;
    }
    return true;
}

Please suggest - thanks in advance

Answer 1

This is covered in the PHPMailer troubleshooting guide.

You're getting things a bit mixed up. In older versions of PHPMailer, you could only fix this by subclassing to pass in the ssl settings, but now you can do it via the code you posted:

$mail->SMTPOptions = [
    'ssl' => [
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    ]
];

This sets the SMTPOptions property of PHPMailer, which is passed to the stream_socket_client function. There is no verify_peer property in PHPMailer itself - it's a setting within the ssl properties of stream contexts in PHP.

When startTLS() is called, the stream has already had the context attached to it, so when stream_socket_enable_crypto gets called, it will make use of the ssl properties set on the stream when it was created.

Remember that when you choose to go this route of suppressing certificate verification, you are compromising your security.

Answer 2

Warning

Using PHPMailer with two different accounts, on two different domains, both passwords were stolen.

The code

require 'php_libraries/php_mailer/Exception.php';
require 'php_libraries/php_mailer/PHPMailer.php';
require 'php_libraries/php_mailer/SMTP.php';

use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\Exception;

$mail = new PHPMailer;
$mail->isSMTP();
$mail->Host = 'smtp.office365.com';
$mail->Port = 587;
$mail->SMTPSecure = 'tls';
$mail->SMTPAuth = true;
$mail->Username = "[email protected]";
$mail->Password = "password";

//From
$mail->setFrom('[email protected]', 'No Reply');

//To
$mail->addAddress("[email protected]", "user");
$mail->Subject = "Subject";
$mail->addAttachment("C:\\xampp\\htdocs\\oasis\\excelReport\\test.xlsx");
$mail->Body = "body";

$mail->SMTPOptions = array('ssl' => array('verify_peer' => false,'verify_peer_name' => false,'allow_self_signed' => true));

if (!$mail->send())
{
    $result="error";
}
else
{
    $result="ok";
}

echo $result;