[rt-users] RT 4.0.2 SSL Email Verification Failed

2011-10-17 Thread Luciano Ernesto da Silva
Hello,

I was testing RT with a self-signed certificate (SSL). I sent an email to a
queue, but in /var/log/mail I got this:

(temporary failure. Command output: An Error Occurred =
500 Can't connect to rt4.dev.ufrgs.br:443 (certificate verify failed) )

No errors in other log files, like syslog or rt.log. The queues were not
receiving mails.

I installed all Perl dependencies for SSL, as described here
http://www.gossamer-threads.com/lists/rt/users/71129 :

Pod::Usage, HTML::TreeBuilder, Getopt::Long, HTML::FormatText,
LWP::UserAgent

And

Crypt::SSLeay, LWP::Protocol::https

As described here
http://blogs.perl.org/users/brian_d_foy/2011/07/now-you-need-lwpprotocolhttps.html
I made and applied a patch against the file

rt-mailgate, around line 151:

-my $ua   = LWP::UserAgent-new();

+my $ua = LWP::UserAgent-new(ssl_opts = { verify_hostname = 0 });
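Review bot: the `+` line sets `verify_hostname` to 0, which switches off certificate verification for every HTTPS request rt-mailgate makes; the "certificate verify failed" error disappears only because the RT server is no longer authenticated, so anyone who can intercept the connection to rt4.dev.ufrgs.br:443 could read or alter the mail being posted. Keep verification on and instead tell LWP about the self-signed CA, e.g. `ssl_opts => { SSL_ca_file => '/path/to/rt-ca.pem' }`, or add that CA to the operating system's trust store so rt-mailgate needs no patch at all.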

Patch link here: http://pastebin.com/DQCH3R8L

Now Perl doesn't check the certificate, and the queues receive all
messages.

My question: Is this the correct approach for that?

Luciano Silva


RT Training Sessions (http://bestpractical.com/services/training.html)
*  San Francisco, CA, USA — October 18 & 19, 2011
*  Washington DC, USA — October 31 & November 1, 2011
*  Barcelona, Spain — November 28 & 29, 2011

Re: [rt-users] RT 4.0.2 SSL Email Verification Failed

2011-10-17 Thread Thomas Sibley

On 10/17/2011 11:51 AM, Luciano Ernesto da Silva wrote:

I was testing RT with a self-signed certificate (SSL). I sent an email to a
queue, but in /var/log/mail I got this:

(temporary failure. Command output: An Error Occurred =
500 Can't connect to rt4.dev.ufrgs.br:443 (certificate verify failed) )


[snip]


As described here
http://blogs.perl.org/users/brian_d_foy/2011/07/now-you-need-lwpprotocolhttps.html
I made and applied a patch against the file

rt-mailgate, around line 151:

- my $ua = LWP::UserAgent-new();

+ my $ua = LWP::UserAgent-new(ssl_opts = { verify_hostname = 0 });

Patch link here: http://pastebin.com/DQCH3R8L

Now Perl doesn't check the certificate, and the queues receive all messages.

My question: Is this the correct approach for that?


No, this is wrong from a security standpoint, although it works since 
you're ignoring the cert data.  You'll be vulnerable to a MITM attack. 
You should instead take the advice of the second half of brian's blog 
post and tell LWP::UserAgent about your root CA or install the root CA 
into your operating system's list of trusted CAs (which means you don't 
have to patch rt-mailgate).


Thomas
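The configuration Thomas recommends, written out as an added example that is not part of this thread and not RT's own rt-mailgate code: it builds an LWP::UserAgent that keeps verification on and trusts the private CA explicitly. The CA file path and the RT URL are assumptions.

```perl
#!/usr/bin/perl
# Added example (not rt-mailgate): trust the self-signed CA instead of
# disabling certificate verification.
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Protocol::https;   # https:// support for LWP 6 and later

# Assumed values: the RT host from the thread and a PEM file holding the
# certificate of the CA that signed (or is) the RT server certificate.
my $rt_url  = 'https://rt4.dev.ufrgs.br/';
my $ca_file = '/etc/rt4/rt-root-ca.pem';

# The patch from the thread, shown only for contrast. It turns off
# server authentication entirely:
#   my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });

# Build a user agent that verifies the chain against our own root CA.
sub make_verifying_ua {
    my ($ca) = @_;
    die "CA file $ca is not readable\n" unless -r $ca;
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,    # certificate must match the host name
            SSL_ca_file     => $ca,  # and chain to this CA
        },
    );
}

my $ua = make_verifying_ua($ca_file);
my $r  = $ua->get($rt_url);

# A certificate not issued by the CA in $ca_file now fails closed with
# "certificate verify failed" instead of being silently accepted.
print $r->is_success ? 'connected, certificate verified' : $r->status_line, "\n";
```

If editing rt-mailgate is not wanted, LWP also honours the PERL_LWP_SSL_CA_FILE environment variable, so exporting it in the MTA alias or wrapper that invokes rt-mailgate has the same effect as the ssl_opts above.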
