Hello,
I was testing RT with a self-signed certificate(SSL), I send a email to
queue, but in /var/log/mail I got this:
(temporary failure. Command output: An Error Occurred =================
500 Can’t connect to rt4.dev.ufrgs.br:443 (certificate verify failed) )
No errors in other log files, like syslog or rt.log. The queues were not
receiving mails.
I installed all PERL dependencies to SSL, as described here
http://www.gossamer-threads.com/lists/rt/users/71129 :
Pod::Usage, HTML::TreeBuilder, Getopt::Long, HTML::FormatText,
LWP::UserAgent
And
Crypt::SSLeay, LWP::Protocol::https
As described here
http://blogs.perl.org/users/brian_d_foy/2011/07/now-you-need-lwpprotocol
https.html I made and applied a patch against file
Rt-mailgate, around line 151:
- my $ua = LWP::UserAgent->new();
- my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
Patch link here: Patch for corret Request Tracker SSL verification on Postfix - Pastebin.com
Now perl don’t check the certificate, and the queues receive all
messages.
My question: Is this the correct approach for that?
Luciano Silva
I was testing RT with a self-signed certificate(SSL), I send a email to
queue, but in /var/log/mail I got this:
(temporary failure. Command output: An Error Occurred =================
500 Can’t connect to rt4.dev.ufrgs.br:443 (certificate verify failed) )
[snip]
As described here
Now you need LWP::Protocol::https | brian d foy [blogs.perl.org]
I made and applied a patch against file
Rt-mailgate, around line 151:
- my $ua = LWP::UserAgent->new();
- my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
Patch link here: Patch for corret Request Tracker SSL verification on Postfix - Pastebin.com
Now perl don’t check the certificate, and the queues receive all messages.
My question: Is this the correct approach for that?
No, this is wrong from a security standpoint, although it works since
you’re ignoring the cert data. You’ll be vulnerable to a MITM attack.
You should instead take the advice of the second half of brian’s blog
post and tell LWP::UserAgent about your root CA or install the root CA
into your operating system’s list of trusted CAs (which means you don’t
have to patch rt-mailgate).
Thomas
Thomas,
I made a motification for LWP User Agent in line 151(rt-mailgate), and seems to work ok.
151 my $ua = LWP::UserAgent->new(ssl_opts => {SSL_ca_file => ‘/etc/ssl/certs/mycert.crt’});
152 # my $ua = LWP::UserAgent->new();
Ok?
Luciano
-----Mensagem original-----De: rt-users-bounces@lists.bestpractical.com [mailto:rt-users-bounces@lists.bestpractical.com] Em nome de Thomas Sibley
Enviada em: segunda-feira, 17 de outubro de 2011 13:55
Para: rt-users@lists.bestpractical.com
Assunto: Re: [rt-users] RT 4.0.2 SSL Email Verification Failed
I was testing RT with a self-signed certificate(SSL), I send a email
to queue, but in /var/log/mail I got this:
(temporary failure. Command output: An Error Occurred
500 Can’t connect to rt4.myurl.com :443 (certificate verify failed)
)
[snip]
As described here
http://blogs.perl.org/users/brian_d_foy/2011/07/now-you-need-lwpprotoc
olhttps.html I made and applied a patch against file
Rt-mailgate, around line 151:
- my $ua = LWP::UserAgent->new();
- my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
Patch link here: Patch for corret Request Tracker SSL verification on Postfix - Pastebin.com
Now perl don’t check the certificate, and the queues receive all messages.
My question: Is this the correct approach for that?
No, this is wrong from a security standpoint, although it works since you’re ignoring the cert data. You’ll be vulnerable to a MITM attack.
You should instead take the advice of the second half of brian’s blog post and tell LWP::UserAgent about your root CA or install the root CA into your operating system’s list of trusted CAs (which means you don’t have to patch rt-mailgate).
Thomas
RT Training Sessions (http://bestpractical.com/services/training.html)
- San Francisco, CA, USA October 18 & 19, 2011
- Washington DC, USA October 31 & November 1, 2011
- Barcelona, Spain November 28 & 29, 2011