Project

General

Profile

Actions

Bug #10317

closed

SMTP notifications validating SSL when option disabled

Added by John Clark about 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Category:
Notifications
Target version:
Start date:
03/05/2020
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

The function send_smtp_message in etc/inc/notices.inc will try to verify the SSL certificate, even though the Validate SSL/TLS option is disabled in System -> Advanced -> Notifications.
This results in the error:

[05-Mar-2020 22:04:06 America/Chicago] PHP Warning: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed in /usr/local/share/pear/Net/Socket.php on line 159

And the notification is not sent.

The default php ssl context options are verify_peer = true and verify_peer_name = true.
When sslvalidate is disabled in the config, the send_smtp_message code only sets verify_peer_name to false. verify_peer is still true.
verify_peer is defined as "Require verification of SSL certificate used"
Adding verify_peer=false to the socket_options when sslvalidate is disabled resolves the error and the notification is sent.

Actions #1

Updated by Viktor Gurov about 2 years ago

  • Category set to Notifications

Correct,
from https://www.php.net/manual/en/context.ssl.php:

verify_peer boolean
Require verification of SSL certificate used.
Defaults to TRUE.

verify_peer_name boolean
Require verification of peer name.
Defaults to TRUE.

Fix:
https://github.com/pfsense/pfsense/pull/4217

Actions #2

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Pull Request Review
  • Target version set to 2.5.0
Actions #3

Updated by Renato Botelho about 2 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #4

Updated by Jim Pingle about 2 years ago

  • Target version changed from 2.5.0 to 2.4.5-p1
Actions #5

Updated by Viktor Gurov almost 2 years ago

  • Status changed from Feedback to Resolved

works as expected on 2.4.5-p1 - no SSL errors if 'Validate SSL/TLS' checkbox is not set

Actions

Also available in: Atom PDF