Rt-mailgate problem with 'SSLVerifyClient require'

Hi,
I’m having trouble with rt-mailgate and ssl…
I should first say that I’ve got RT up and working, with ssl, as long as no
client certificate is required. Both email and the web interfaces work fine.

However, as soon as I set (in httpd.conf)
SSLVerifyClient require
SSLVerifyDepth 1
…I can’t get mail through to the webserver anymore.

Does anyone have any idea what I’m doing wrong?
I’ve googled and read docs and rt-users until my eyes are dry - I have no idea
what to try next!

Below are details/results of things I’ve tried so far…

rt-mailgate --queue Bugs --action comment --debug --url https://request_tracker.local < ~/foo
=> “500 SSL negotiation failed:”

apache/error_log:
[error] mod_ssl: SSL handshake failed (server request_tracker.local:443, client 192.168.1.102) (OpenSSL library error follows)
[error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[error] mod_ssl: SSL handshake failed (server request_tracker.local:443, client 192.168.1.102) (OpenSSL library error follows)
[error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no certificate

I’ve tried installing:
Crypt::SSLeay, Net::SSLeay, libio-socket-ssl-perl

If I type in a shell 'GET https://request_tracker.local'
I get back: 500 SSL negotiation failed:

I would like to only ‘listen’ on port 443 and require client certificates, but
for testing purposes, apache is still listening on port 80, too.

Here’s an httpd.conf extract:
(I’ve tried with and without the

DocumentRoot /frop/local/rt3/share/html
ServerName request_tracker.local
AddDefaultCharset UTF-8

PerlModule Apache::DBI
PerlRequire /frop/local/rt3/bin/webmux.pl

SetHandler perl-script
PerlHandler RT::Mason

ErrorLog /frop/local/apache/logs/error_log
TransferLog /frop/local/apache/logs/access_log

This was a suggested solution to handle “mailgateway and ssl”

- supposed to open https to localhost, by connecting with http instead

http://marc.free.net.ph/message/20040114.021916.34ac6493.html

Alias /rt3/REST/1.0 /frop/local/rt3/share/html/REST/1.0
<Location "/rt3/REST/1.0">
Satisfy Any
Options FollowSymLinks Indexes ExecCGI
AllowOverride None
Order deny,allow
Allow from request_tracker.local
Allow from localhost
</Location>

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /frop/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /frop/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /frop/local/apache/conf/ssl.crt/ca.crt
SSLCACertificatePath /frop/local/apache/conf/ssl.crt
SSLCACertificateFile /frop/local/apache/conf/ssl.crt/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1

Any help much appreciated - my head is hurting from the brick wall!
Cerion

Your 443 port may not be open. You can do a quick check by getting to a
command prompt and typing:
Unfortunately, ports are certainly open.

PS - I’m thinking that as long as you don’t require the client
certificate, it’s not using port 443, so all’s well. The services are
running, but not being accessed so you can’t tell they’re blocked by
your machine’s firewall.
I didn’t know it worked like that… Are you saying that even if I specify
https in the rt-mailgate command, it will fall back to ‘http’ if it can?
Mind you, mailing was previously fine even if I set apache to listen only to
443:

#Listen 80
Listen 443

Wouldn’t this stop that?

Can anyone confirm (give pointers to?) a setup that works when using
’SSLVerifyClient require’?
Many thanks,
Cerion

I’m having trouble with rt-mailgate and ssl…
I should first say that I’ve got RT up and working, with ssl, as long as
no client certificate is required. Both email and the web interfaces
work fine.

However, as soon as I set (in httpd.conf)
SSLVerifyClient require
SSLVerifyDepth 1
…I can’t get mail through to the webserver anymore.

Does anyone have any idea what I’m doing wrong?

Before I make any assumptions, are you really using client certificate
authentication?
-jeff

Yep - I need this to run over the internet.

I would have thought it was possible to set up apache so it didn’t require
client certs from localhost… but I don’t even know if I’m asking the right
questions!
Cerion

Yep - I need this to run over the internet.

I would have thought it was possible to set up apache so it didn’t require
client certs from localhost… but I don’t even know if I’m asking the right
questions!
Cerion

It is possible to set apache up to not require ssl or client certs or
whatever from localhost (or any other specific address). Apache's auth
system is very flexible; make use of the Satisfy directive and read
apache's docs. Or search the mailing list hard enough for the last
time it was posted.

seph

Ok, I give up…
Unless someone has some other suggestion, I’m just going to let apache listen
to both port 80 and 443, and firewall off port 80.
Horrible, I know, but this allows me to ‘require’ a client certificate on
https, but still let rt-mailgate connect via http…

Suuurrrely there has to be a better way?

Is there really no-one out there with ‘client certs required’, who has also
managed to get rt-mailgate working?

Many thanks,
Cerion

Really appreciate the feedback, but if you mean this:
Alias /rt3/REST/1.0 /opt/rt3/share/html/REST/1.0
<Location "/rt3/REST/1.0">
Satisfy Any
Options FollowSymLinks Indexes ExecCGI
AllowOverride None
Order deny,allow
Allow from localhost
</Location>

It doesn’t work for me, if I also set “SSLVerifyClient require”

Can you verify that it should work?
Thanks,
Cerion

SSLVerifyClient can be set on a per-directory basis, so you can set the
self-service links that mailgate needs to ‘SSLVerifyClient none’ or you
could put up an entirely new virtual host on a separate port perhaps that
would accept connections from only localhost and would require no SSL
client verification. You may want to read the mod_ssl reference
documentation at www.modssl.org. It spells out these options.

Thanks,
Christian

Christian Gilmore
Technology Leader, CISSP
GeT Support Application Development
IBM Software Group

[Quoted in Christian's reply: Cerion Armour-Brown cerion@terpsichore.ws, sent via rt-users-bounces@lists.bestpractical.com, 02/20/04 04:06 AM, to seph seph@directionless.org, cc rt-users@lists.bestpractical.com, Subject: [rt-users] Re: rt-mailgate problem with 'SSLVerifyClient require', in reply to seph's message of Friday 20 February 2004 02:29. The quoted body repeats the exchange above.]
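
The second option Christian describes, a separate loopback-only virtual host for rt-mailgate next to the public client-certificate host, as an added example written for this thread (it is not Christian's, Cerion's or RT's own configuration). It reuses the file paths and ServerName from Cerion's httpd.conf extract above; the loopback port 8080 is an assumption, and PerlModule/PerlRequire are assumed to remain at server level as Cerion posted them.

```apache
# Public host: TLS only, and every request must present a client cert
# issued by ca.crt (SSLVerifyDepth 1 = signed directly by that CA).
Listen 443
<VirtualHost *:443>
    ServerName   request_tracker.local
    DocumentRoot /frop/local/rt3/share/html

    SSLEngine on
    SSLCertificateFile      /frop/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile   /frop/local/apache/conf/ssl.key/server.key
    SSLCACertificateFile    /frop/local/apache/conf/ssl.crt/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1
    # Do not let a per-directory SSLRequire/SSLRequireSSL be overridden.
    SSLOptions +StrictRequire

    <Location />
        SetHandler  perl-script
        PerlHandler RT::Mason
    </Location>
</VirtualHost>

# Private host for rt-mailgate: plain HTTP, bound to the loopback address
# only (port 8080 is an assumption), so it is never reachable from the
# network and needs no client certificate.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName   request_tracker.local
    DocumentRoot /frop/local/rt3/share/html
    SSLEngine off

    <Location />
        SetHandler  perl-script
        PerlHandler RT::Mason
        # Second line of defence: refuse anything not from 127.0.0.1,
        # even if the Listen line above is later widened by mistake.
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
    </Location>
</VirtualHost>

# rt-mailgate then talks to the private host on the same machine, e.g.:
#   rt-mailgate --queue Bugs --action comment --url http://127.0.0.1:8080/ < message
```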

Many thanks for all the pointers - perhaps I should have figured this out, but
really helps having some confirmation I’m on the right lines…
I implemented the separate virtual host idea - that works fine - but can’t get
the other way (of putting everything in one virtual host) to work yet… if
anyone felt like posting their http.conf snippet for this, I’d appreciate it
a LOT!
Thanks again,
Cerion

Can someone please verify what I’ve done here - I’m pretty new to this!

I found that if I specify "SSLVerifyClient require" in the base of the VH, it
overrides any further changes… so the answer was to put the
base "SSLVerifyClient require" also in a <Directory>, like so:

<Directory "/opt/rt3/share/html">
SSLVerifyClient require
SSLVerifyDepth 1
# Deny all non-SSL requests - guard against bad config:
SSLRequireSSL
# Don't allow anything to override the SSL requirements:
SSLOptions +StrictRequire
</Directory>

Allow access to this dir:

<Directory "/opt/rt3/share/html/REST/1.0">
Order Deny,Allow
Deny from all
# Allow access from local_hostname - 'localhost' won't work!
Allow from my_hostname
SSLVerifyClient none
</Directory>

I understand now that this works because on a <Directory> basis, an SSL
re-negotiation is done AFTER the header info is received… as opposed to the
VH level, where the SSL handshake happens BEFORE header info is received, so it
can't get the hostname before it's too late.

Can anyone tell me if there is (or is not!) anything bad, security-wise, about
what I’ve done here, as opposed to setting the “SSLVerifyClient require” at
the VH level?

Many thanks,
Cerion