These were the cURL options I used:

It worked great on my web host, but on my local machine I could not get any response. I just got an error saying something about the certificate failing to be verified or something like that (don’t remember the exact message). After some research I found out the problem.

Since we are using the HTTPS protocol here we need to somehow verify the one we are talking to. Your browser does this by checking their certificate against several built-in certificates from trusted certificate suppliers, like for example Verisign. cURL does this verification automatically as well, except on my local machine it didn’t have any certificates to check against! Not sure why… but it didn’t. So, I had to find a collection of certificates on my own and tell cURL to use that instead of the non-existing one.

I found a collection like that at curl.haxx.se/docs/caextract.html, a so called CA bundle. Think that’s the one used by Mozilla based browsers, like FireFox, or something like that. Just download that file and stick it somewhere your PHP script can access it. Then we need to tell cURL to use it by adding two cURL options.

Voila!

That was pretty simple, wasn’t it? But what if we need to authenticate with our server? And what if we want to send our message in a more secure manner?

Authentication

You will quite often find that an SMTP server requires you to authenticate yourself before it will let you do anything. This is however very simple to do. All we need, is to provide our credentials to the client:

Now, when you try to send your message like before, it should be sent without problems But what if you want to send your email securely?

Using SSL to encrypt the connection

To send emails through an encrypted connection, all you have to do is to set the EnableSSL property of the SmtpClient to true:

When you now try to send your email, it will use the Secure Socket Layer to encrypt the connection. Like me, you might run into a problem though; an AuthenticationException with the following message: The remote certificate is invalid according to the validation procedure.

Imperfect certificates

After reading about how these certificates work and some more digging around I found out that the certificate of the SMTP server I use is considered invalid for two reasons: Firstly it was not issued by a trusted Certification Authority (like VeriSign or Thawte), but by my host (Dreamhost themselves. And finally there is a mismatch between the domain I’m connecting to (smtp.example.com) and the domain the certificate was issued to (mail.dreamhost.com).

Manual certificate validation

SSL has two purposes: security and authentication. And the security will actually work fine and all the traffic will be encrypted even if the authentication fails. In other words, as long as we can look at the certificate ourselves and be sure that we thrust it, we can go ahead and continue with our work.

To check the certificate ourselves we can provide a RemoteCertificate­ValidationCallback delegate to a class called the ServicePoint­Manager.

But how can we decide if we should trust the certificate or not? Well, I have found three ways that works nicely. Well, actually just two since the first is just to cover your eyes and let anything pass…

Pretend validation

The following implementation is a way to simply say that I don’t care:

This is of course not very good… we should at least make some effort and check if the certificate is the one we should be getting. We can for example…

Check the certificate fingerprint

Certificates have something called a fingerprint and if we know the fingerprint of the certificate we should get, then we can compare it with the fingerprint of the one we actually got.

If you don’t think this is enough, you can for example…

Check the whole certificate

If you can export the certificate to a file somehow, you can then later compare the certificate you get with the one you have stored and make sure they are equal.

I got a hold of the certificate file by sticking the following snippet inside my validation delegate, ran my code once, and then changed it back to normal again:

I also successfully exported it from Opera, which I use as an email client, by going to Preferences, Security, Manage Certificates, Approved and then export the one I want. This of course assumes you have have previously approved the certificate for use with Opera.

Wrap-up

That’s all for now! Found it kind of fun to get this working and thought I could share it in case someone else struggles with this. Please comment and let me know if I have misunderstood something or done a big blunder or something like that! I mostly just know that my code is working, so if you know more about how these security issues work and you know something you think i should know as well: Please share! I’d like to learn

Here is my final, complete code: