RHEL 6.5
RT 4.2.6
RT-Authen-ExternalAuth 0.21 with SSL + TLS on.
Using RHEL 6.5 packages, one fails the Net-SSLeay “strict” version
requirement required by RT-Authen-ExternalAuth. RHEL 6.5 comes with a
9th iteration of Net-SSLeay 1.35 (the package name is
perl-Net-SSLeay-1.35-9).
Using CPAN to install a more modern one, 1.65, results in httpd dumping
core at restart time.
Disabling all SSL and TLS for $ExternalSettings in RT_SiteConfig.pm
results in the following “missing host method” error after apparent success:
Aug 1 15:01:38 alms2 RT: [24103]
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning Disabled: ,
EmailAddress: jblaine@foo.com, ExternalAuthId: jblaine, Gecos:
Blaine,Charles , Name: jblaine, Privileged: , RealName: Blaine,Charles ,
WorkPhone: 555-555-5555
Aug 1 15:01:38 alms2 RT: [24103] Autocreated external user jblaine ( 22 )
Aug 1 15:01:38 alms2 RT: [24103]
RT::Authen::ExternalAuth::LDAP::GetAuth External Auth OK ( Corp_LDAP ):
jblaine
Aug 1 15:01:39 alms2 RT: [24103]
RT::Authen::ExternalAuth::CanonicalizeUserInfo returning EmailAddress:
jblaine@foo.com, ExternalAuthId: jblaine, Gecos: Blaine,Charles , Name:
jblaine, RealName: Blaine,Charles , WorkPhone: 555-555-5555
Aug 1 15:01:39 alms2 RT: [24103] Successful login for jblaine from
xxx.xx.xx.174
Aug 1 15:01:39 alms2 RT: [24103] Can’t locate object method “host” via
package “URI::_foreign” at /opt/rt4/sbin/…/lib/RT/Interface/Web.pm line
935.#012#012Stack:#012
[/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:935]#012
[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:19]#012
[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Session:1]#012 [/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:311]#012 [/opt/rt4/share/html/autohandler:53]
Any thoughts would very welcome at this point.
RHEL 6.5
RT 4.2.6
RT-Authen-ExternalAuth 0.21 with SSL + TLS on.
Using RHEL 6.5 packages, one fails the Net-SSLeay “strict” version
requirement required by RT-Authen-ExternalAuth. RHEL 6.5 comes with a
9th iteration of Net-SSLeay 1.35 (the package name is
perl-Net-SSLeay-1.35-9).
I don’t understand what “strict” means.
Using CPAN to install a more modern one, 1.65, results in httpd dumping
core at restart time.
Have a look at other reports of this, which we’ve never been able to
replicate. Alex replied to one just last week, especially relevant if
you’re running mod_perl (which you don’t say).
Disabling all SSL and TLS for $ExternalSettings in RT_SiteConfig.pm
results in the following “missing host method” error after apparent success:
Aug 1 15:01:39 alms2 RT: [24103] Can’t locate object method “host” via
package “URI::_foreign” at /opt/rt4/sbin/…/lib/RT/Interface/Web.pm line
935.#012#012Stack:#012
[/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:935]#012
[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:19]#012
[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Session:1]#012 [/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:311]#012 [/opt/rt4/share/html/autohandler:53]
Any thoughts would very welcome at this point.
This is RT trying to issue the redirect after login, what URL did you
use to access RT and what was the next parameter.
-kevin
RHEL 6.5
RT 4.2.6
RT-Authen-ExternalAuth 0.21 with SSL + TLS on.
Using RHEL 6.5 packages, one fails the Net-SSLeay “strict” version
requirement required by RT-Authen-ExternalAuth. RHEL 6.5 comes with a
9th iteration of Net-SSLeay 1.35 (the package name is
perl-Net-SSLeay-1.35-9).
I don’t understand what “strict” means.
I just mean that RT-Authen-ExternalAuth is requiring a specific CPAN
version of Net-SSLeay and that RHEL perl-Net-SSLeay-1.35-9 may include
that same “actually required” functionality (given the backporting RH
often does for security fixes, etc).
I am not suggesting with that explanation that RT or the extension
should care or try to cater to various distros’ packaging+patching
workflows. I’m just explaining what I meant by “strict”.
Using CPAN to install a more modern one, 1.65, results in httpd dumping
core at restart time.
Have a look at other reports of this, which we’ve never been able to
replicate. Alex replied to one just last week, especially relevant if
you’re running mod_perl (which you don’t say).
Yes, we’re using RHEL 6.5’s Apache httpd and RHEL 6.5’s mod_perl.
I’ll visit the archives.
Disabling all SSL and TLS for $ExternalSettings in RT_SiteConfig.pm
results in the following “missing host method” error after apparent success:
Aug 1 15:01:39 alms2 RT: [24103] Can’t locate object method “host” via
package “URI::_foreign” at /opt/rt4/sbin/…/lib/RT/Interface/Web.pm line
935.#012#012Stack:#012
[/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:935]#012
[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Elements/DoAuth:19]#012
[/opt/rt4/local/plugins/RT-Authen-ExternalAuth/html/Callbacks/ExternalAuth/autohandler/Session:1]#012 [/opt/rt4/sbin/…/lib/RT/Interface/Web.pm:311]#012 [/opt/rt4/share/html/autohandler:53]
Any thoughts would very welcome at this point.
This is RT trying to issue the redirect after login, what URL did you
use to access RT and what was the next parameter.
I’m not sure what you mean by “what was the next parameter”.
The site was accessed (then and just now) directly as https://alms2.foo.com/
The browser just reports the generic “An internal RT error occurred.
Your administrator…” (etc).
Jeff Blaine
kickflop.net
PGP/GnuPG Key ID: 0x0C8EDD02
Using CPAN to install a more modern one, 1.65, results in httpd dumping
core at restart time.
Have a look at other reports of this, which we’ve never been able to
replicate. Alex replied to one just last week, especially relevant if
you’re running mod_perl (which you don’t say).
Retaining use of mod_perl, but disabling mod_ssl and leaving the
RT-Authen-ExternalAuth set to use SSL/TLS worked.
I’m not sure this is a mod_perl issue, for Alex’s and/or Best
Practical’s records.
mod_ssl + mod_perl + RT-Authen-ExternalAuth with SSL all worked in 2012
when I tested it last 
Jeff Blaine
kickflop.net
PGP/GnuPG Key ID: 0x0C8EDD02
Retaining use of mod_perl, but disabling mod_ssl and leaving the
RT-Authen-ExternalAuth set to use SSL/TLS worked.
I’m not sure this is a mod_perl issue, for Alex’s and/or Best
Practical’s records.
mod_ssl + mod_perl + RT-Authen-ExternalAuth with SSL all worked in 2012
when I tested it last
It is triggered by mod_perl, but I agree it is not mod_perl’s fault.
Specifically, I believe it to be caused when two parts of the same
process, both linked to openssl, attempt to use it in orthogonal
operations. mod_perl is not the culprit, but it binds perl into the
same process as Apache, which uses openssl. Hence this causes problems
when perl attempts to use the openssl libraries to talk ldaps://, and
why moving to mod_fastcgi splits the concerns, and resolves the issue.
I suspect using mod_gnutls in Apache would allow it to talk SSL and not
conflict with openssl in the perl process, for instance.
I just mean that RT-Authen-ExternalAuth is requiring a specific CPAN
version of Net-SSLeay and that RHEL perl-Net-SSLeay-1.35-9 may include
that same “actually required” functionality (given the backporting RH
often does for security fixes, etc).
I am not suggesting with that explanation that RT or the extension
should care or try to cater to various distros’ packaging+patching
workflows. I’m just explaining what I meant by “strict”.
I assumed this is what you meant, but I don’t see that:
https://metacpan.org/source/FALCONE/RT-Authen-ExternalAuth-0.21/Makefile.PL#L12
that means ‘any version please, if you answer yes’.
It’s possible that some module we rely on requires a version of
Net::SSLeay but it isn’t us.
As discussed later in the thread, I suspect your issue stems from
mixing ssl libraries, probably from a package upgrade elsewhere on the
system.
-kevin
RHEL 6.5
RT 4.2.6
RT-Authen-ExternalAuth 0.21 with SSL + TLS on.
Using CPAN to install a more modern one, 1.65, results in httpd dumping
core at restart time.
A support customer recently reported this to us, with enough details to
replicate it; I’ve released RT::Authen::ExternalAuth 0.23 which should
address segfaults when run under mod_perl.
The bottom line to the failure is that Plack, the tool that RT uses to
be run identically under mod_perl, fast_cgi, and standalone, hides the
fact that it is running under mod_perl during startup; this is because
some modules act overzealously when they notice. Unfortunately,
Net::SSLeay needs to know if it is running under mod_perl during server
startup, or it fails to acquire the correct locks before initializing
OpenSSL’s global state.
The fix is to not load Net::SSLeay during server startup;
RT::Authen::ExternalAuth 0.23 removes the unnecessary
$ExternalServiceUsesSSLorTLS option which did so. Fixing Plack to not
hide the mod_perl nature of the server is a more complex project which
we’re still investigating, as it will solve the more general case of
this problem.