SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://



  • Hello!

    On a sg-3100 running 2.4.5.r.20200305.1800

    I started having a problem sending notifications set up via the System -> Advanced -> Notifications tab after updating to the 2.4.5_RC. Notifications worked fine in 2.4.4_p3 using the same smtp server.

    Error is :

    Could not send the message to foo@bar.com -- Error: Failed to connect to ssl://smtp.foo.local:465 [SMTP: Failed to connect socket: stream_socket_client(): unable to connect to ssl://smtp.foo.local:465 (Unknown error) (code: -1, response: )]

    Crash dump:

    [05-Mar-2020 22:04:06 America/Chicago] PHP Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
    error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/local/share/pear/Net/Socket.php on line 159
    [05-Mar-2020 22:04:06 America/Chicago] PHP Warning: stream_socket_client(): Failed to enable crypto in /usr/local/share/pear/Net/Socket.php on line 159
    [05-Mar-2020 22:04:06 America/Chicago] PHP Warning: stream_socket_client(): unable to connect to ssl://smtp.crownehill.local:465 (Unknown error) in /usr/local/share/pear/Net/Socket.php on line 159

    Setting:

    <sslvalidate>disabled</sslvalidate> in the config

    This problem appears to be similar to this thread :

    https://forum.netgate.com/topic/138289/solved-smtp-notification-error-smtp-failed-to-connect-socket-fsockopen-with-tls-and-private-ca

    Additional net chatter :

    https://stackoverflow.com/questions/45942833/pear-mail-unable-to-connect-to-gmail-smtp-failed-to-connect-to-socket

    Based on what I found, my poke-and-hope fix was to add
    'verify_peer' => false
    to the send_smtp_message socket_options in etc/inc/notices.inc

    This fixes the error in my environment.
    I have no idea if this is a valid solution or if it will break something else.
    I was hoping someone with a better understanding of the pfsense pkg environment and code could weigh in.

    Thanks!

    John



  • Hi,

    What you are saying is that some mail server out there that you are using is breaking the rules.
    Like "asking you to use SSL and proposing invalid certificates". That's like visiting a web site which uses expired certs, or a site that uses a revoked cert. You could use internal settings in your browser so it wouldn't mind ...

    As said in https://stackoverflow.com/questions/45942833/pear-mail-unable-to-connect-to-gmail-smtp-failed-to-connect-to-socket, you can check what happens using the command line, and the "openssl client" command :

    # port 465 speaks TLS from the first byte, so -starttls is not used here
    openssl s_client -connect smtp.gmail.com:465
    

    returns with

    ....
    Verify return code: 0 (ok)
    

    which means : "all is ok, go ahead"

    This :

    [image]

    works fine for me.
    But take note : I set up my own mail server (postfix). pfSense can send mails just fine. As do Thunderbird, Outlook 2010, Outlook 365, etc., using SSL
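The "certificate verify failed" error from the first post can be reproduced and resolved offline without turning verification off. This is an added example, not part of the thread and not pfSense code: it builds a throwaway private CA and a certificate for a hypothetical host `smtp.example.internal`, then verifies it with and without that CA. The PHP names in the comments (`cafile`, `verify_peer`, `verify_peer_name`) are PHP's SSL context options.

```shell
#!/bin/sh
# Added example. The CA and host name are constructed for the demo.
HOST=smtp.example.internal   # hypothetical mail host, not from the thread

# Build a throwaway private CA and a server certificate for $HOST in dir $1.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Private CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$HOST" > "$1/san.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -extfile "$1/san.ext" -out "$1/server.pem" 2>/dev/null
}

# verify_cert CERT [CAFILE] [HOSTNAME]: succeeds only if openssl reports "OK".
# Empty CAFILE = system trust store only; empty HOSTNAME = skip the name check.
verify_cert() {
  opts=""
  if [ -n "$2" ]; then opts="$opts -CAfile $2"; fi
  if [ -n "$3" ]; then opts="$opts -verify_hostname $3"; fi
  # $opts is unquoted on purpose so it splits into separate arguments
  # (the demo paths contain no spaces).
  openssl verify $opts "$1" 2>&1 | grep -q ': OK$'
}

run_demo() {
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  # 1. System trust store only: the private CA is unknown, so the chain check fails.
  verify_cert "$d/server.pem" "" "" \
    && echo "default trust: OK" || echo "default trust: verify failed"
  # 2. Private CA supplied (PHP: 'cafile') with the chain check on (PHP: 'verify_peer').
  verify_cert "$d/server.pem" "$d/ca.pem" "" \
    && echo "with private CA: OK" || echo "with private CA: verify failed"
  # 3. Chain plus host name (PHP: 'verify_peer_name'); a wrong name must still fail.
  verify_cert "$d/server.pem" "$d/ca.pem" "$HOST" \
    && echo "name $HOST: OK" || echo "name $HOST: mismatch"
  verify_cert "$d/server.pem" "$d/ca.pem" "other.example.internal" \
    && echo "wrong name: OK" || echo "wrong name: mismatch"
  rm -rf "$d"
}

run_demo
```
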

