S/MIME

Our organization makes heavy use of S/MIME for signatures and encryption
of email, and we would like RT to indicate if a message is signed, and
has a valid signature. I saw a few mentions of it in the archives, but
most are old or inconclusive.

Related to this, we use these certs for client auth in web browsers. Has
anyone configured RT to use client certs for auth instead of cookies, or
HTTP auth?

Jay

Our organization makes heavy use of S/MIME for signatures and encryption
of email, and we would like RT to indicate if a message is signed, and
has a valid signature. I saw a few mentions of it in the archives, but
most are old or inconclusive.

We did a full integration for a client, but haven’t found the cycles
to polish it for release just yet :confused:

Related to this, we use these certs for client auth in web browsers. Has
anyone configured RT to use client certs for auth instead of cookies, or
HTTP auth?

RT has support for HTTP auth (say, using Apache’s support for certs)
as a flag in the config file.


Jesse Vincent wrote:

Our organization makes heavy use of S/MIME for signatures and encryption
of email, and we would like RT to indicate if a message is signed, and
has a valid signature. I saw a few mentions of it in the archives, but
most are old or inconclusive.

We did a full integration for a client, but haven’t found the cycles
to polish it for release just yet :confused:

Would you be willing to share the patch, even if it doesn't get included
in the release? It surely would be helpful :slight_smile:

Related to this, we use these certs for client auth in web browsers. Has
anyone configured RT to use client certs for auth instead of cookies, or
HTTP auth?

RT has support for HTTP auth (say, using Apache’s support for certs)
as a flag in the config file.

Yep, unfortunately this makes for really ugly usernames, as Apache sets
the username to the full DN of the cert, we would ideally like to just
use the CN, or map it to another name entirely (like the email address).

If it's not really been done, I'll probably implement something using the
Cookie based external auth that is already out there.

Jay

Jesse Vincent wrote:

Our organization makes heavy use of S/MIME for signatures and encryption
of email, and we would like RT to indicate if a message is signed, and
has a valid signature. I saw a few mentions of it in the archives, but
most are old or inconclusive.

We did a full integration for a client, but haven’t found the cycles
to polish it for release just yet :confused:

Would you be willing to share the patch, even if it doesn't get included
in the release? It surely would be helpful :slight_smile:

“polish it for release” includes “remove customer-specific identifying
details” which, as you might imagine, is relatively important :wink:

Related to this, we use these certs for client auth in web browsers. Has
anyone configured RT to use client certs for auth instead of cookies, or
HTTP auth?

RT has support for HTTP auth (say, using Apache’s support for certs)
as a flag in the config file.

Yep, unfortunately this makes for really ugly usernames, as Apache sets
the username to the full DN of the cert, we would ideally like to just
use the CN, or map it to another name entirely (like the email address).

That bit is easy. In your RT config file:

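    sub RT::Interface::Web::WebCanonicalizeInfo {
        my $user = $ENV{'REMOTE_USER'};
        # Strip the trailing realm; "@" and "." are escaped so Perl does not
        # interpolate @SITE as an array or treat "." as a wildcard.
        $user =~ s/\@SITE\.CORP\z//i;
        return $user;
    }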

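As an added example (not code from this thread or from RT), here is one way to derive a username from a certificate DN in REMOTE_USER, preferring the email address and falling back to the CN, as asked above. The helper names parse_dn and dn_to_username, the character allowlist, and returning an empty string for a rejected DN are assumptions; the sample DNs are constructed.

```perl
use strict;
use warnings;

# Split a subject DN into [attribute, value] pairs. Handles the two common
# string forms: "/C=US/O=Example/CN=jay" and "CN=jay,O=Example,C=US".
# Values containing the separator or a backslash escape make the DN unusable.
sub parse_dn {
    my ($dn) = @_;
    return if !defined $dn || $dn =~ /\\/;
    my @parts = $dn =~ m{^/} ? split(m{/}, substr($dn, 1)) : split(/\s*,\s*/, $dn);
    my @rdns;
    for my $part (@parts) {
        my ($attr, $value) = $part =~ /^\s*([A-Za-z][A-Za-z0-9.]*)\s*=\s*(.*?)\s*$/
            or return;    # anything that is not attr=value rejects the whole DN
        push @rdns, [ lc $attr, $value ];
    }
    return @rdns;
}

# Map a DN to a username: the e-mail address if present, otherwise the CN.
# Returns undef when the DN is malformed, the chosen attribute appears more
# than once, or the value falls outside a conservative allowlist (assumption).
sub dn_to_username {
    my ($dn) = @_;
    my @rdns = parse_dn($dn) or return undef;
    for my $want ('emailaddress', 'cn') {
        my @hits = map { $_->[1] } grep { $_->[0] eq $want } @rdns;
        next unless @hits;
        return undef if @hits > 1;    # ambiguous: never guess which one is real
        return $hits[0] =~ /\A[A-Za-z0-9._\@-]{1,64}\z/ ? lc $hits[0] : undef;
    }
    return undef;
}

# Assumed wiring into the hook shown in the thread; the empty string on failure is an assumption.
sub RT::Interface::Web::WebCanonicalizeInfo {
    return dn_to_username($ENV{'REMOTE_USER'}) // '';
}

# Constructed sample DNs.
for my $dn (
    '/C=US/O=Example Corp/CN=jay/emailAddress=jay@example.com',
    'CN=jay,O=Example Corp,C=US',
    '/O=Example Corp/CN=jay/CN=root',
) {
    printf "%-60s => %s\n", $dn, dn_to_username($dn) // '(rejected)';
}
```

mod_ssl's SSLUserName directive (for example `SSLUserName SSL_CLIENT_S_DN_CN`) can instead set REMOTE_USER to a single certificate field inside Apache, which avoids parsing the DN in RT at all.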