PHP stream_socket_enable_crypto() 返回 FALSE 的原因? [英] Reasons why PHP stream_socket_enable_crypto() returns FALSE?

问题描述

我正在设置 ZF3 SMTP 邮件传输，以将消息发送到我自己的电子邮件服务器，我使用 PostFix 和 Dovecot 设置了该服务器.

I am setting up a ZF3 SMTP Mail transport to send messages to my own email server which I have set up using PostFix and Dovecot.

当 stream_socket_enable_crypto() 尝试启用 TLS 时，我不断收到 'Unable to connect via TLS' 错误.

I keep getting the 'Unable to connect via TLS' error which occurs when the stream_socket_enable_crypto() tries to enable TLS.

我尝试使用 TLS 使用另一个电子邮件服务器(我的 ISP 的电子邮件服务器)并且它工作正常，所以它不是我的代码本身.

I tried with another email server (my ISP's email server) using TLS and it worked so it is not my code itself.

因为我已经能够将 Outlook 连接到我的电子邮件服务器，所以我知道到我的服务器的 smtp:587 连接有效并且身份验证也有效.

Since I have been able to connect Outlook to my email server, I know that the connection to smtp:587 to my server works and that authentication also works.

这不是身份验证问题，因为我确实在套接字上获得了启用 TLS 的路径.

It's not an authentication issue since I do get path enabling TLS on the socket.

有人对问题出在哪里有任何建议吗?或者列出要检查的事项以隔离问题?

Does anyone have any suggestions of where the problem lies? Or a list of things to check to isolate the issue?

如果此附加信息有帮助，我将在我的开发机器上使用自签名 CA 证书.准确地说，我从 Apache 运行 PHP，它使用从自签名 CA 生成的证书.

If this additional info can help, I am using a self-signed CA certificate on my development machine. To be precise, I am running PHP from Apache which uses a certificate that was generated from a self-signed CA.

查看 postfix/submission 的日志，我似乎收到了未知 CA"错误.试图将我的自签名 CA 添加到我服务器上的 CA 列表中，但这似乎并没有解决问题.

Looking at the logs from postfix/submission, I seem to be getting an 'unkown CA' error. Tried to add my self-signed CA to the list of CA on my server but this does not seem to fix the issue.

推荐答案

经过多次调查，我发现我本地机器上的 PHP 没有正确设置来验证受信任的 CA.我正在运行 Bitnami 的堆栈，并且 PHP 被设置为使用 PHP 安装目录中的本地 CA 包.这是由 php.ini 中的 openssl.capath= 指令设置的.

After several investigations, it turns out that PHP on my local machine was not setup properly to validate trusted CAs. I am running Bitnami's stack and PHP was setup to use a local CA bundle in the PHP installation directory. This is set by the openssl.capath= directive in php.ini.

     openssl.capath=c:/bitnami/wampstack-5.6.34-0/php/curl-ca-bundle.crt

php.ini 文件有以下关于 openssl.capath 的注释:

The php.ini file has the following comment concerning openssl.capath:

     ; If openssl.cafile is not specified or if the CA file is not found, the
     ; directory pointed to by openssl.capath is searched for a suitable
     ; certificate. This value must be a correctly hashed certificate directory.
     ; Most users should not specify a value for this directive as PHP will
     ; attempt to use the OS-managed cert stores in its absence. If specified,
     ; this value may still be overridden on a per-stream basis via the "capath"
     ; SSL stream context option.

通过注释掉 openssl.capath 指令，PHP 能够使用 Window 的证书存储并找到与邮件服务器使用的证书关联的 CA.

By commenting out the openssl.capath directive, PHP was able to use Window's cert store and find the CA associated with the cert used by the mail server.

这篇关于PHP stream_socket_enable_crypto() 返回 FALSE 的原因?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！