Reputation: 31
I've been trying for a couple of days to establish a TLS connection to an SMTP server in PHP via fsockopen() on my newly installed Ubuntu server. I've tried almost everything and googled for hours, but I still haven't got it working.
The PHP code looks as follows:
    $fp = fsockopen("tls://smtp.xxxx.com", 25, $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr ($errno)<br />\n";
    } else {
        // some other stuff
    }
The output is just (0), i.e., $errstr = null and $errno = 0.
OpenSSL is installed and enabled:
    OpenSSL support: enabled
    OpenSSL Library Version: OpenSSL 0.9.8o 01 Jun 2010
    OpenSSL Header Version: OpenSSL 0.9.8o 01 Jun 2010
and the following stream socket transports are registered: tcp, udp, unix, udg, ssl, sslv3, sslv2, tls.
The port is open as a telnet from the console works.
Any ideas what's wrong or how I could at least get some more debug output?
Thanks, Markus
Upvotes: 3
Views: 14596
Reputation: 3535
With Gmail, the ssl connection port had ssl from the get-go, but the tls port, you connected plain, and had to start tls manually with a STARTTLS command. I'm guessing this is the same. Here's an example to Gmail so you can see what's going on. The EHLO command shows the STARTTLS command, while if you start with ssl from the beginning, it goes straight to the AUTH XOAUTH command list.
    <?php
    // Read one SMTP reply, following multi-line ("250-...") continuation lines.
    function get($socket,$length=1024){
        $send = '';
        $sr = fgets($socket,$length);
        while( $sr ){
            $send .= $sr;
            // a '-' in the fourth position means more lines follow
            if( strlen($sr) < 4 || $sr[3] != '-' ){ break; }
            $sr = fgets($socket,$length);
        }
        return $send;
    }
    // Send one command, terminated by CRLF.
    function put($socket,$cmd,$length=1024){
        fputs($socket,$cmd."\r\n",$length);
    }
    // Plain TCP connect to the submission port; TLS is started later.
    if (!($smtp = fsockopen("smtp.gmail.com", 587, $errno, $errstr, 15))) {
        die("Unable to connect");
    }
    echo "<pre>\n";
    echo get($smtp); // should return a 220 if you want to check
    $cmd = "EHLO {$_SERVER['HTTP_HOST']}";
    echo $cmd."\r\n";
    put($smtp,$cmd);
    echo get($smtp); // 250
    $cmd = "STARTTLS";
    echo $cmd."\r\n";
    put($smtp,$cmd);
    echo get($smtp); // 220
    // Upgrade the existing plain socket to TLS.
    if(false == stream_socket_enable_crypto($smtp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT)){
        // fclose($smtp); // unsure if you need to close as I haven't run into a security fail at this point
        die("unable to start tls encryption");
    }
    // EHLO again, this time inside the encrypted session.
    $cmd = "EHLO ".$_SERVER['HTTP_HOST'];
    echo $cmd."\r\n";
    put($smtp,$cmd);
    echo get($smtp); // 250
    $cmd = "QUIT";
    echo $cmd."\r\n";
    put($smtp,$cmd);
    echo get($smtp);
    echo "</pre>";
    fclose($smtp);
Upvotes: 6
Reputation: 64700
If it works from the command line but not from within Apache then there is probably some difference between the PHP configuration: do a diff between /etc/php/apache2/php.ini and /etc/php/cli/php.ini and see what might have changed.
Upvotes: 0
Reputation: 360622
Your connection doesn't make much sense. By using the TLS handler, you want TLS to be established BEFORE any data goes. But port 25 is standard SMTP, which can only establish TLS AFTER you've initially connected via an unencrypted regular connection. Once that initial connection is established, then you can enable TLS with the STARTTLS command to tell the SMTP server to switch over.
If you want TLS from the get-go, then use port 465, which is ssl/tls from the start.
Upvotes: 5
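The two modes described in the answers above (TLS from the first byte on port 465, versus a plain connect followed by STARTTLS on 25/587), as an added example that is not part of the original posts. It also checks every reply code, refuses to continue when STARTTLS is not advertised, and verifies the server certificate against the host name. The function names (`smtp_reply`, `smtp_cmd`, `offers_starttls`, `smtp_open_tls`) and the `example.test` hosts are hypothetical, and PHP 7.4 or later is assumed for the TLS 1.3 constant.

```php
<?php
// Added example, not code from the thread; host names are placeholders.
/** Read one SMTP reply, following "250-" continuation lines; returns [code, lines]. */
function smtp_reply($fp): array {
    $lines = [];
    while (($line = fgets($fp, 1024)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        if (strlen($line) < 4 || $line[3] !== '-') break; // "250 ..." is the last line
    }
    if (!$lines) throw new RuntimeException('connection closed while reading reply');
    return [(int) substr($lines[0], 0, 3), $lines];
}

/** Send a command; fail closed unless the reply code is $expect. */
function smtp_cmd($fp, string $cmd, int $expect): array {
    fwrite($fp, $cmd . "\r\n");
    [$code, $lines] = smtp_reply($fp);
    if ($code !== $expect) throw new RuntimeException("$cmd: got " . implode(' | ', $lines));
    return $lines;
}
function offers_starttls(array $ehloLines): bool {
    return (bool) preg_grep('/^250[ -]STARTTLS\s*$/i', $ehloLines); // exact keyword
}
/** Port 465: TLS before any SMTP data. Other ports: plain connect, then STARTTLS. */
function smtp_open_tls(string $host, int $port, string $helo) {
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => true, 'verify_peer_name' => true, 'peer_name' => $host]]);
    $scheme = ($port === 465) ? 'tls' : 'tcp';
    $fp = stream_socket_client("$scheme://$host:$port", $errno, $errstr, 15,
                               STREAM_CLIENT_CONNECT, $ctx);
    if (!$fp) throw new RuntimeException("connect failed: $errstr ($errno)");
    if (smtp_reply($fp)[0] !== 220) throw new RuntimeException('no 220 greeting');
    if ($scheme === 'tcp') {
        // The pre-TLS EHLO is unauthenticated: if STARTTLS is missing, stop here.
        if (!offers_starttls(smtp_cmd($fp, "EHLO $helo", 250)))
            throw new RuntimeException('STARTTLS not offered; refusing clear text');
        smtp_cmd($fp, 'STARTTLS', 220);
        $tls = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
        if (stream_socket_enable_crypto($fp, true, $tls) !== true)
            throw new RuntimeException('TLS handshake or certificate check failed');
    }
    smtp_cmd($fp, "EHLO $helo", 250); // re-read capabilities inside the TLS session
    return $fp;
}

// Offline check of the parser on a constructed EHLO reply (not a captured one):
$mem = fopen('php://memory', 'w+');
fwrite($mem, "250-mx.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n");
rewind($mem);
var_dump(offers_starttls(smtp_reply($mem)[1]));
```

For a live connection, call `smtp_open_tls('smtp.example.test', 587, 'client.example.test')` with a real host; the returned stream is already inside TLS and ready for AUTH.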