CA Client Certificates and RT 3.0.2?

Hi all,

I am having a bit of fun configuring RT. We use a client side
certificate on the web browsers to provide additional security
for accessing the RT site. That all works fine for providing
web access…

The problem is when an email is sent to a queue…

Let's say an email is sent to the ‘foo’ queue. It's intercepted
by rt-mailgate, which creates an LWP object and fobs it off
to the webserver. And boom. Webserver rejects the connection as
it doesn't have a valid user certificate. LWP doesn't appear
to support client certificates, so I don't think I can graft it
on (though if someone can point me in the direction of support
for this, I'd be grateful)

Has anyone had a situation like this? If so, what did you do
to get around it? Is there a way to get rt-mailgate to go via
a programming interface, rather than doing a https request?
I guess it's possible to have it avoid requiring a certificate
for specific locations by configuring Apache, but that defeats
the purpose of having the darn things ;-)

thanks in advance... ;-)

Greg

LWP doesn’t appear
to support client certificates, so I don’t think I can graft it
on (though if someone can point me in the direction of support
for this, I’d be grateful)

LWP uses Crypt::SSLeay by default. There you can set the paths to the
client certificate using environment variables.

# Crypt::SSLeay reads the client key and certificate from these
# environment variables; set them before the first HTTPS request.
$ENV{'HTTPS_KEY_FILE'}  = '/foo/key.pem';
$ENV{'HTTPS_CERT_FILE'} = '/foo/cert.pem';

If for some reason your perl program has loaded IO::Socket::SSL this
doesn’t work as LWP switches to a different SSL implementation. But
then you can poke the LWP module a little bit:

use IO::Socket::SSL;
use LWP::Protocol::http;

# With IO::Socket::SSL loaded, LWP builds its sockets from this list, so the
# client key/certificate are handed to IO::Socket::SSL through it.
@LWP::Protocol::http::EXTRA_SOCK_OPTS = (
    'SSL_key_file'  => '/foo/key.pem',
    'SSL_cert_file' => '/foo/cert.pem',
);

Greetings,
Michael van Elst
mlelstv@dev.de.cw.net
Cable & Wireless
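The same idea in current LWP, as an added example that is not code from the thread or from RT itself: since LWP 6 the client key and certificate are passed through the `ssl_opts` constructor argument (which goes straight to IO::Socket::SSL), so neither the Crypt::SSLeay environment variables nor the `@EXTRA_SOCK_OPTS` poke above is needed. The host name, file paths, queue name and the `queue`/`action`/`message` form fields (the ones rt-mailgate of that era posts to `NoAuth/mail-gateway`, by my reading of it) are assumptions; the script reads the mail on STDIN the way rt-mailgate does.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from RT): post a message to RT's
# mail gateway over HTTPS while presenting a client certificate.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

# All of these are assumed values for the example.
my $url  = 'https://rt.example.com/rt/NoAuth/mail-gateway';
my $cert = '/etc/rt/mailgate-client.pem';   # client certificate (PEM)
my $key  = '/etc/rt/mailgate-client.key';   # its private key, mode 0600
my $ca   = '/etc/ssl/certs/internal-ca.pem';  # CA that signed the web server's cert

# ssl_opts is handed to IO::Socket::SSL. Besides the client key/cert we also
# pin the CA and verify the server's name, so the mail (which may carry
# anything a requestor sent) does not go to an impostor that merely speaks TLS.
my $ua = LWP::UserAgent->new(
    timeout  => 30,
    ssl_opts => {
        SSL_cert_file   => $cert,
        SSL_key_file    => $key,
        SSL_ca_file     => $ca,
        verify_hostname => 1,
    },
);

# Read the whole message from STDIN, as rt-mailgate does when the MTA pipes to it.
local $/;
my $message = <STDIN>;

my $resp = $ua->request(POST $url, [
    queue   => 'foo',          # assumed queue name
    action  => 'correspond',   # or 'comment'
    message => $message,
]);

if ($resp->is_success) {
    print $resp->decoded_content;
} else {
    # A TLS-level rejection (no cert, wrong CA, revoked cert) surfaces here as
    # an LWP-internal 500 whose status line carries the IO::Socket::SSL error,
    # e.g. "SSL connect attempt failed ... alert handshake failure".
    die "mail-gateway request failed: ", $resp->status_line, "\n";
}
```

Run it as the MTA would (`cat msg.eml | ./mailgate-client.pl`); a quick check that the server side really demands the certificate is `openssl s_client -connect rt.example.com:443` without `-cert`, which should fail the handshake, versus the same call with `-cert`/`-key` added, which should succeed.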

"GB" == Greg Boug gboug@unico.com.au writes:

GB> Let's say an email is sent to the ‘foo’ queue. It's intercepted
GB> by rt-mailgate, which creates an LWP object and fobs it off
GB> to the webserver. And boom. Webserver rejects the connection as

The mailgate uses the NoAuth subsection of the URL space for RT, so
just don’t force that part of the site to be authenticated by your
client certs.
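What that looks like in mod_ssl, as an added configuration example that is not from the thread or from RT's own documentation: the client certificate is requested once, at the initial handshake, with `SSLVerifyClient optional`, and the decision to require it is then made per location, so the RT UI under `/rt` demands a verified certificate while `/rt/NoAuth` (the mail gateway, plus the stylesheets and images the UI loads from there) does not. Asking for the certificate at the virtual-host level rather than inside `<Location /rt>` avoids the TLS renegotiation that a per-directory `SSLVerifyClient require` forces. Host names, file paths and the address of the rt-mailgate host are assumptions; the syntax is Apache 2.4 (on 2.2 the `Require expr` line would be `SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"`).

```apache
# Added example (not from the thread or from RT): client certificates for the
# RT UI, none for the mail gateway. Names and paths are assumed values.
<VirtualHost *:443>
    ServerName            rt.example.com
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/rt.example.com.crt
    SSLCertificateKeyFile /etc/ssl/rt.example.com.key

    # Request a client certificate from every client in the first handshake.
    # "optional" still rejects a certificate that does not chain to this CA;
    # it only tolerates the case where the client sends none. Whether that is
    # allowed is then decided per location, without any renegotiation.
    SSLCACertificateFile  /etc/ssl/internal-ca.pem
    SSLVerifyClient       optional
    SSLVerifyDepth        2

    # The RT web UI: only a successfully verified client certificate gets in.
    <Location /rt>
        SSLRequireSSL
        Require expr %{SSL_CLIENT_VERIFY} == 'SUCCESS'
    </Location>

    # NoAuth: no certificate needed (this is also where the UI's css/images
    # live, so it must stay reachable by ordinary browsers).
    <Location /rt/NoAuth>
        SSLRequireSSL
        Require all granted
    </Location>

    # The mail gateway itself takes no credentials at all, so limit who may
    # reach it to the host(s) running rt-mailgate instead of leaving it open.
    <Location /rt/NoAuth/mail-gateway>
        Require ip 127.0.0.1 ::1 192.0.2.10
    </Location>
</VirtualHost>
```

After reloading, `curl -k https://rt.example.com/rt/` should return 403 and `curl -k --cert client.pem --key client.key https://rt.example.com/rt/` the login page, while `curl -k https://rt.example.com/rt/NoAuth/mail-gateway` returns 403 from anywhere but the listed addresses. Note that more specific `<Location>` sections replace, not extend, the `Require` rules of the enclosing one, which is what makes the `/rt/NoAuth` exemption work.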

"Greg Boug" gboug@unico.com.au writes:

I am having a bit of fun configuring RT. We use a client side
certificate on the web browsers to provide additional security
for accessing the RT site. That all works fine for providing
web access…

The problem is when an email is sent to a queue…

We use NIS-backed password authentication, but the same basic
concept. RT_SiteConfig.pm has Set($WebExternalAuth, 1);, and Apache
hands RT a username via the REMOTE_USER environment variable. On the
non-SSL side, we arrange to lie to RT: we have a non-privileged user
named ‘guest’, and REMOTE_USER is blindly set to this. rt-mailgate
can then freely connect to the non-SSL side and feed in data that
way. (I haven’t gotten around to putting up interesting content in
the NoAuth directory, still.)

Our httpd.conf says:

# non-SSL side
SetEnv REMOTE_USER guest

# SSL side
SSLRequireSSL
AuthType basic
PerlAuthenHandler Apache::AuthenNIS
Require valid-user

David Maze dmaze@mit.edu http://www.mit.edu/~dmaze/
“Theoretical politics is interesting. Politicking should be illegal.”
– Abra Mitchell

David,

I’m curious, how did you get RT to run off a second virtual
server. I’ve tried that and failed. The problem being the
webmux.pl script can’t be loaded into mod_perl more than once…

Greg

"Greg Boug" gboug@unico.com.au writes:

I’m curious, how did you get RT to run off a second virtual
server. I’ve tried that and failed. The problem being the
webmux.pl script can’t be loaded into mod_perl more than once…

The RT setup is outside of any VirtualHost section, so it applies to
all VirtualHosts. So, in addition to what’s quoted below, we have

Alias /rt/ "/home/rt/share/html/"
PerlModule Apache::DBI
PerlRequire /home/rt/bin/webmux.pl
<Location /rt>
    Options Indexes FollowSymLinks
    SetHandler perl-script
    PerlHandler RT::Mason
</Location>

which applies to both the SSL and non-SSL sides, and then the below
that performs NIS-backed authentication on the SSL side, and uses the
’guest’ user on the non-SSL side.

Our httpd.conf says:

# non-SSL side
SetEnv REMOTE_USER guest

# SSL side
SSLRequireSSL
AuthType basic
PerlAuthenHandler Apache::AuthenNIS
Require valid-user

David Z. Maze dmaze@cag.lcs.mit.edu
Research Scientist http://www.mit.edu/~dmaze/
MIT LCS Computer Architecture Group http://www.cag.lcs.mit.edu/commit/