RT 4.0.2 SSL Email Verification Failed

Hello,

I was testing RT with a self-signed certificate (SSL). I sent an email to a
queue, but in /var/log/mail I got this:

(temporary failure. Command output: An Error Occurred =================
500 Can’t connect to rt4.dev.ufrgs.br:443 (certificate verify failed) )

No errors in other log files, like syslog or rt.log. The queues were not
receiving mails.

I installed all Perl dependencies for SSL, as described here
http://www.gossamer-threads.com/lists/rt/users/71129 :

Pod::Usage, HTML::TreeBuilder, Getopt::Long, HTML::FormatText,
LWP::UserAgent

And

Crypt::SSLeay, LWP::Protocol::https

As described here
http://blogs.perl.org/users/brian_d_foy/2011/07/now-you-need-lwpprotocolhttps.html
I made and applied a patch against file rt-mailgate, around line 151:

-    my $ua = LWP::UserAgent->new();
+    my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
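Review bot: the replacement line (verify_hostname => 0) switches certificate checking off rather than fixing it: when verify_hostname is false, LWP::Protocol::https sets SSL_verify_mode to VERIFY_NONE, so rt-mailgate will accept any certificate presented on rt4.dev.ufrgs.br:443, and the "certificate verify failed" error only meant the self-signed certificate was not trusted, not that verification itself was broken. Suggest keeping the default verification and telling the client which certificate to trust instead, i.e. my $ua = LWP::UserAgent->new(ssl_opts => { SSL_ca_file => '/etc/ssl/certs/mycert.crt' }); or adding the certificate to the operating system's CA bundle, in which case the original LWP::UserAgent->new() line needs no patch at all.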

Patch link here: http://pastebin.com/DQCH3R8L

Now perl doesn't check the certificate, and the queues receive all
messages.

My question: Is this the correct approach for that?

Luciano Silva

I was testing RT with a self-signed certificate (SSL). I sent an email to a
queue, but in /var/log/mail I got this:

(temporary failure. Command output: An Error Occurred =================
500 Can’t connect to rt4.dev.ufrgs.br:443 (certificate verify failed) )

[snip]

As described here
Now you need LWP::Protocol::https | brian d foy [blogs.perl.org]
I made and applied a patch against file rt-mailgate, around line 151:

-    my $ua = LWP::UserAgent->new();
+    my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });

Patch link here: Patch for corret Request Tracker SSL verification on Postfix - Pastebin.com

Now perl doesn't check the certificate, and the queues receive all messages.

My question: Is this the correct approach for that?

No, this is wrong from a security standpoint, although it works since
you’re ignoring the cert data. You’ll be vulnerable to a MITM attack.
You should instead take the advice of the second half of brian’s blog
post and tell LWP::UserAgent about your root CA or install the root CA
into your operating system’s list of trusted CAs (which means you don’t
have to patch rt-mailgate).

Thomas

Thomas,

I made a modification for LWP::UserAgent in line 151 (rt-mailgate), and it seems to work ok.

151 my $ua = LWP::UserAgent->new(ssl_opts => {SSL_ca_file => '/etc/ssl/certs/mycert.crt'});
152 # my $ua = LWP::UserAgent->new();

Ok?

Luciano
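Thomas's advice and the line-151 change in the previous message come down to the same thing: keep LWP's verification switched on and tell it which certificate to trust. The script below is an added example, not code from rt-mailgate or from anyone in this thread. It builds the three client configurations discussed (the patched no-verify client, a client pointed at a CA file, and the unmodified client that relies on the operating system's trust store), makes a GET to the RT URL with each, and reports which of them connects cleanly, so the "certificate verify failed" symptom can be reproduced and checked outside the mail path. The RT_URL and RT_CA_FILE environment variables, the rt4.example.com host and the /etc/ssl/certs/mycert.crt path are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

use LWP::UserAgent;
use LWP::Protocol::https;   # LWP 6.x needs this module for https:// URLs

# Assumed values for this example (not taken from rt-mailgate itself).
my $rt_url  = $ENV{RT_URL}     || 'https://rt4.example.com';
my $ca_file = $ENV{RT_CA_FILE} || '/etc/ssl/certs/mycert.crt';

# What the first patch in the thread does: verification is switched off
# entirely. With verify_hostname false, LWP::Protocol::https sets
# SSL_verify_mode to VERIFY_NONE, so any certificate is accepted.
sub insecure_ua {
    return LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
}

# What Thomas recommends: keep hostname verification on and trust the
# self-signed certificate (or the CA that issued the server certificate)
# explicitly through SSL_ca_file. verify_hostname => 1 is already the
# default; it is spelled out here to make the intent obvious.
sub pinned_ca_ua {
    my ($ca) = @_;
    die "CA file '$ca' is not readable\n" unless -r $ca;
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => $ca,
        },
    );
}

# The alternative Thomas mentions: no per-script configuration at all.
# Once the certificate is in the OS trust store the stock client verifies.
sub system_trust_ua {
    return LWP::UserAgent->new();
}

# Issue a GET with the given client and report the outcome. A failed
# verification comes back from LWP as a 500 status whose message contains
# "certificate verify failed" (the text seen in /var/log/mail); a name
# mismatch shows up as a hostname verification error instead.
sub check {
    my ($label, $ua) = @_;
    my $res = $ua->get($rt_url);
    if ($res->is_success) {
        printf "%-10s OK   (%s)\n", $label, $res->status_line;
    }
    elsif ($res->status_line =~ /certificate verify failed|hostname/i) {
        printf "%-10s FAIL (TLS): %s\n", $label, $res->status_line;
    }
    else {
        printf "%-10s FAIL: %s\n", $label, $res->status_line;
    }
    return $res->is_success;
}

check('no-verify', insecure_ua());            # connects, but trusts anyone
check('system-ca', system_trust_ua());        # connects once the CA is installed
check('pinned-ca', pinned_ca_ua($ca_file));   # connects with SSL_ca_file
```

Run it as the user Postfix invokes rt-mailgate as, so the CA file's read permission is exercised too. With a self-signed certificate, SSL_ca_file can point at the server certificate itself, but the certificate's CN or subjectAltName still has to match the host in the URL; otherwise the pinned client fails with a hostname error rather than "certificate verify failed", and that is a certificate problem to fix, not a reason to lower verify_hostname. The ssl_opts parameter needs LWP 6 with LWP::Protocol::https (which pulls in IO::Socket::SSL), the modules already listed earlier in the thread.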

-----Original Message-----
From: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] On behalf of Thomas Sibley
Sent: Monday, October 17, 2011 13:55
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.2 SSL Email Verification Failed

RT Training Sessions (http://bestpractical.com/services/training.html)

  • San Francisco, CA, USA October 18 & 19, 2011
  • Washington DC, USA October 31 & November 1, 2011
  • Barcelona, Spain November 28 & 29, 2011