I just upgraded my Debian 7, Nginx 1.6.2, PHP 5.4.39 to Debian 8, Nginx 1.6.2, PHP 5.6.9.
There is a CRM running on that server where we used to send emails via PHP, EspoCRM, and that's using ZendFramework2 E-Mail (sending via server 2 - sending via Thunderbird works just fine).
That was working just fine until the upgrade. Now I've got an error saying:

500 unable to connect via tls

So a bit of searching didn't bring anything up with the CRM but rather points to the self-signed certificate and/or something in the stack above (Nginx/PHP?).
Any idea where to start digging? On my CRM server I don't have anything in the error logs (guess that is swallowed by the CRM).
I don't see anything in the syslog or auth.log of the mail server either.

EDIT: Added info from phpinfo():

Registered Stream Socket Transports: tcp, udp, unix, udg, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2

curl
    SSL: Yes
    SSL Version: OpenSSL/1.0.1k

imap
    SSL Support: enabled

openssl
    OpenSSL support: enabled
    OpenSSL Library Version: OpenSSL 1.0.1k 8 Jan 2015
    OpenSSL Header Version: OpenSSL 1.0.1k 8 Jan 2015

    Directive        Local Value    Master Value
    openssl.cafile   no value       no value
    openssl.capath   no value       no value

Phar
    OpenSSL support: enabled

I used the old config file from Debian 7 (NGinx is the same version - I used a backport on D7).

Servers and Software:
Server A: Mailserver, Debian 6, Postfix, selfsigned certificates
Server B: Debian 8, Nginx, PHP, EspoCRM - I've chosen TLS since it's working in my Thunderbird on my local PC and it was working before the Debian 7 to 8 upgrade.
Local PC: Kubuntu, Thunderbird, Mails can be sent and received via TLS.

symcbean
Chris

2 Answers


As I understand it, PHP 5.6 does not accept, validate or process self-signed certs.

http://php.net/manual/en/migration56.openssl.php

You have to disable the verification of the peer and the peer name:

<?php
// Stream context that turns off both certificate-chain verification and
// hostname matching for any TLS stream opened with this context.
$streamContext = stream_context_create([
    'ssl' => [
        'verify_peer'      => false,
        'verify_peer_name' => false,
    ],
]);

This is non-trivial if trying to do it within a package (which seems to be by design); you cannot just set some flags in php.ini or anything simple like that.

lbutlr


500 unable to connect via tls

That's not very helpful in identifying where the problem is - but it must be somewhere in the code which presumably you don't maintain, therefore amending the code to make it work should be a last resort.

It would be useful to know what action triggers this error.

Since the only place in your manifest that mentions a self-signed certificate is the mail server, then I will assume that is what is causing the problem here.

All you need to do is add the self-signed certificate to the accepted authorities on the host where the application resides. Assuming (again) that the MTA is using SMTPS:

openssl s_client -showcerts -connect servera.example.com:465 </dev/null

This will give you the certificate chain. Copy the output into (say) /etc/ssl/certs/lbutlr_local.crt, then run update-ca-certificates.

symcbean
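For comparison with the two answers above, here is an added example (not code from the question, EspoCRM or either answer) that keeps PHP 5.6's verification switched on and instead trusts the mail server's own certificate through the cafile option that the phpinfo() output shows as unset. The host servera.example.com, port 465 and the path /etc/ssl/certs/lbutlr_local.crt are assumed placeholders taken from the second answer.

```php
<?php
// Added example, not code from the question, EspoCRM or either answer.
// Instead of switching verification off, trust the mail server's own
// self-signed certificate and keep verify_peer / verify_peer_name on.
// Assumed (placeholders): the PEM chain printed by the s_client command in the
// answer above was saved to /etc/ssl/certs/lbutlr_local.crt, and the SMTPS host
// is servera.example.com on port 465. Written for PHP 5.6 (no PHP 7 syntax).

function smtpsProbe($host, $port, $caFile, $timeout = 10.0)
{
    $context = stream_context_create(array(
        'ssl' => array(
            'verify_peer'       => true,      // keep the PHP 5.6 defaults
            'verify_peer_name'  => true,
            'cafile'            => $caFile,   // the one cert we trust for this host
            'peer_name'         => $host,     // must match the cert's CN or SAN
            'capture_peer_cert' => true,      // so we can inspect what we received
        ),
    ));

    $errno  = 0;
    $errstr = '';
    $fp = @stream_socket_client("tls://$host:$port", $errno, $errstr, $timeout,
                                STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        // A failed verification is raised as a warning, so consult error_get_last() too.
        $last = error_get_last();
        $msg  = $errstr !== '' ? $errstr : ($last ? $last['message'] : 'unknown error');
        return array('ok' => false, 'error' => $msg);
    }

    $banner = fgets($fp, 512);   // e.g. "220 servera.example.com ESMTP Postfix"
    fwrite($fp, "QUIT\r\n");
    fclose($fp);

    // The captured peer certificate lives in the context's ssl options.
    $params = stream_context_get_params($context);
    $cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);

    return array(
        'ok'      => true,
        'banner'  => trim((string) $banner),
        'subject' => isset($cert['subject']['CN']) ? $cert['subject']['CN'] : '',
        'expires' => date('Y-m-d', $cert['validTo_time_t']),
    );
}

print_r(smtpsProbe('servera.example.com', 465, '/etc/ssl/certs/lbutlr_local.crt'));
```

If the probe reports "certificate verify failed", the saved chain or the peer_name does not match what the MTA presents, which is the same condition the CRM is hitting; fix the trust anchor rather than disabling verification.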