Issue
A PHP application is suddenly failing to connect to imap.gmail.com (or another IMAP server), and now throws an error like the following:
PHP Warning: imap_open(): Couldn't open stream {imap.gmail.com:993/imap/ssl}INBOX in Command line code on line 1
PHP Notice: Unknown: Certificate failure for imap.gmail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid (errflg=2) in Unknown on line 0
This problem is occurring on the heroku-18 stack after a recent update to the stack image as announced on the Heroku Changelog.
Resolution
This issue is caused by your application now being capable of negotiating a TLSv1.3 connection with the server after an update of the OpenSSL library on the system to version 1.1.1.
The version of PHP you are using is not sending Server Name Indication (SNI) during a TLS handshake, and the server you're trying to connect to has chosen to reject such attempts by returning an invalid self-signed SSL certificate.
You must update your application's version of PHP to
- 7.1.31 or later (when using PHP 7.1), or
- 7.2.21 or later (when using PHP 7.2), or
- 7.3.8 or later (when using PHP 7.3),
all of which are compiled against newer library versions that fix this incompatibility with the TLSv1.3 specification.
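To tell this failure apart from other certificate errors and to check a runtime against the minimum versions listed above, the following shell functions can be used. This is an added example, not part of the original article or Heroku's tooling; the function names and the sample log line are constructed for illustration.

```sh
# Added example (hypothetical names). Constructed sample line, modelled on the notice quoted above.
SAMPLE_LOG='PHP Notice: Unknown: Certificate failure for imap.gmail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid (errflg=2)'

# Lowest fixed patch release per PHP branch, as listed in the article.
min_fixed_patch() {
  case "$1" in
    7.1) echo 31 ;;
    7.2) echo 21 ;;
    7.3) echo 8 ;;
    *)   return 1 ;;              # branch not covered by the article
  esac
}

# php_sni_status VERSION -> fixed | affected | unlisted | unknown
# The body is a subshell, so its variables do not leak into the caller.
php_sni_status() (
  case "$1" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo unknown; exit 0 ;;
  esac
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}         # keep only the leading digits
  if [ -z "$patch" ]; then echo unknown
  elif min=$(min_fixed_patch "$major.$minor"); then
    if [ "$patch" -ge "$min" ]; then echo fixed; else echo affected; fi
  else echo unlisted
  fi
)

# True when a log line carries the placeholder certificate returned to clients that sent no SNI.
is_no_sni_cert_error() {
  case "$1" in
    *"Certificate failure"*"OU=No SNI provided"*) return 0 ;;
    *) return 1 ;;
  esac
}

# diagnose VERSION LOGLINE -> one-line verdict
# Typical call: diagnose "$(php -r 'echo PHP_VERSION;')" "$line"
diagnose() {
  if ! is_no_sni_cert_error "$2"; then echo "not the no-SNI certificate failure"; return 0; fi
  case "$(php_sni_status "$1")" in
    affected) echo "PHP $1 is below the fixed release for its branch: update" ;;
    fixed)    echo "PHP $1 is at or above the fixed release for its branch" ;;
    *)        echo "PHP $1 is not covered by the article's version list" ;;
  esac
}
```

The patch level is compared numerically, so 7.3.10 is correctly treated as newer than 7.3.8. Branches outside the article's list are reported as unlisted rather than guessed at.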
In order to perform an update, you can usually simply re-deploy an empty commit, assuming you are specifying a runtime version using the recommended ^ or ~ version selection operators in your composer.json, as Heroku will then automatically pick the newest allowed release:
$ git commit --allow-empty -m "redeploy to Heroku"
$ git push heroku master