Documentation improvement: How to use Certainty Library with PHPMailer

[PhilippGrashoff]

Hi there,
after spending quite some time figuring why Email sending with a certain smtp server does not work, I found its an SSL issue.

Most widely on the web the found solution is to unset some ssl checks:

$mail->SMTPOptions = array(
    'ssl' => array(
        'verify_peer' => false,
        'verify_peer_name' => false,
        'allow_self_signed' => true
    )
);

However, the Wiki states that his is not recommended as it defeats much of the point of using a secure transport at all.

Some lines above, it is mentioned that using the package Certainty is highly recommended:

A highly recommended alternative is to use the Certainty package which ensures that you always have the latest CA cert bundle.

This, as being novice to this topic, raises some questions:

1. Do I just have to install this package, and thats it?
2. If I do need to do something additional for making this work with PHPMailer, at least some hints on what to do

It would be great if this part of the Wiki was a little more informative.
Thanks!

[Synchro]

Disabling verification is indeed a bad idea. Gmail is the primary driver for people doing that - a few years ago they changed their certificates to one that was signed by a relatively new CA, and this resulted in lots of verification failures for people using outdated servers - updating the CA bundle is an appropriate solution for that.

Certainty is completely separate from PHPMailer and may affect things beyond PHPMailer (because it alters PHP's overall config), so the best approach is to read certainty's own docs for how to set it up.

Also note that the wiki is publicly editable - if you find something particularly useful, you can add it yourself; that's how open source works.

[andrei-dascalu]

Is this something still debated? I ran into this thread by accident via the Hacktoberfest label (since it's that time of the year again).

I'm not sure this is something that should concern PHPMailer at all. Certainty can be used to manage either the system CA bundle (in which case you need to ensure that the PHP binary has the required system access) OR to maintain a separate CA bundle for a given purpose (in this case ensure verification is possible when PHPMailer makes a connection via TLS/SSL).

The first option doesn't sound great, the system CA should be managed by the system configuration, definitely not PHPMailer's responsibility.

The second is a bit weird as we can look at https://paragonie.com/blog/2017/10/certainty-automated-cacert-pem-management-for-php-software (the initial example of use, still valid). Basically whenever you're about to make a SSL connection, you add a call to the library which will update the certificates at a given location. That's overhead, of course. This could be made optional (certainty itself has a pretty wide range of compatibility).

[Synchro]

Oh I know it's not PHPMailer's responsibility, however, people run into it when they use PHPMailer and end up here asking how to fix it. It's obviously not PHPMailer's job to document how other packages work, but that doesn't preclude giving some pointers. One key advantage of certainty over system packages is that it's entirely under developer control; a broken PHP config can't be fixed by someone on shared hosting, but a PHP package can (otherwise they wouldn't be able to use PHPMailer either). Unfortunately people run code on badly configured systems all the time, and I'd really prefer not to be the one that has to tell them how to fix it every time!

[mukul-kr]

hello, is this issue still relevant?
If yes then where do I have to document this???

[Synchro]

Probably best in the wiki, though if you're on the lookout for Hacktoberfest points, I'm, not sure that wiki edits are counted towards that. If you do it and then open an issue, I'll accept it so you can get the points.