[Rt-commit] rt branch, 4.0/mailgate-ssl-deps, updated. rt-4.0.4-119-ga95faf0
Alex Vandiver
alexmv at bestpractical.com
Fri Jan 13 11:00:24 EST 2012
The branch, 4.0/mailgate-ssl-deps has been updated
via a95faf0e050f8616e210f360a68d42504aee32b6 (commit)
via 4722d9378bf29d701f516d5de8570b39077b169f (commit)
from 0b7e1df5940526422603a1acb31d7ac053beba66 (commit)
Summary of changes:
bin/rt-mailgate.in | 35 ++++++++++++++++++++++++++---------
1 files changed, 26 insertions(+), 9 deletions(-)
- Log -----------------------------------------------------------------
commit 4722d9378bf29d701f516d5de8570b39077b169f
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Fri Jan 13 10:30:17 2012 -0500
Providing --no-verify-ssl with an old LWP should tmpfail, not hardfail
diff --git a/bin/rt-mailgate.in b/bin/rt-mailgate.in
index 7badfe7..5513478 100755
--- a/bin/rt-mailgate.in
+++ b/bin/rt-mailgate.in
@@ -63,11 +63,6 @@ GetOptions( $opts, "queue=s", "action=s", "url=s",
"timeout=i", "verify-ssl!",
);
-die "Verifying SSL certificates requires LWP::UserAgent 6.0 or higher.\n"
- if $opts->{"verify-ssl"} and not LWP::UserAgent->can("ssl_opts");
-
-$opts->{"verify-ssl"} = 1 unless defined $opts->{"verify-ssl"};
-
my $gateway = RT::Client::MailGateway->new();
$gateway->run($opts);
@@ -148,6 +143,13 @@ sub validate_cli_flags {
"$0 invoked improperly\n\nNo 'url' provided to mail gateway!\n";
return $self->permfail();
}
+
+ if ($opts->{"verify-ssl"} and not LWP::UserAgent->can("ssl_opts")) {
+ print STDERR "Verifying SSL certificates requires LWP::UserAgent 6.0 or higher.\n";
+ return $self->tempfail();
+ }
+
+ $opts->{"verify-ssl"} = 1 unless defined $opts->{"verify-ssl"};
}
sub get_useragent {
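Review bot: The added check in validate_cli_flags runs before `verify-ssl` is defaulted to 1, so it fires only when `--verify-ssl` is passed explicitly. A default invocation on an LWP without `ssl_opts` carries on, and from the lines visible here nothing then verifies the server certificate or tells the operator so. If that ordering is deliberate for compatibility with older installs, say so above the default, e.g. `# Defaulted after the check on purpose: LWP < 6.0 keeps working, but without certificate verification`, and consider printing the same fact to STDERR under `--debug`. The body of validate_cli_flags starts outside this hunk.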
commit a95faf0e050f8616e210f360a68d42504aee32b6
Author: Alex Vandiver <alexmv at bestpractical.com>
Date: Fri Jan 13 10:59:46 2012 -0500
Support passing an explicit --ca-file for self-signed certs
This is preferable to implying that self-signed certs should just give
up and pass --no-verify-ssl.
diff --git a/bin/rt-mailgate.in b/bin/rt-mailgate.in
index 5513478..ceb8c37 100755
--- a/bin/rt-mailgate.in
+++ b/bin/rt-mailgate.in
@@ -60,7 +60,7 @@ use Getopt::Long;
my $opts = { };
GetOptions( $opts, "queue=s", "action=s", "url=s",
"jar=s", "help", "debug", "extension=s",
- "timeout=i", "verify-ssl!",
+ "timeout=i", "verify-ssl!", "ca-file=s",
);
my $gateway = RT::Client::MailGateway->new();
@@ -144,7 +144,8 @@ sub validate_cli_flags {
return $self->permfail();
}
- if ($opts->{"verify-ssl"} and not LWP::UserAgent->can("ssl_opts")) {
+ if (($opts->{'ca-file'} or $opts->{"verify-ssl"})
+ and not LWP::UserAgent->can("ssl_opts")) {
print STDERR "Verifying SSL certificates requires LWP::UserAgent 6.0 or higher.\n";
return $self->tempfail();
}
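Review bot: `--ca-file` is only tested for truth in this condition, so a mistyped or unreadable path passes validation and would presumably surface later as a failed HTTPS request on every delivery. A readability test beside this check would report it up front, in the same tempfail style the previous commit chose so the MTA retries instead of bouncing: `if ($opts->{'ca-file'} and not -r $opts->{'ca-file'}) { print STDERR "Cannot read CA file '$opts->{'ca-file'}'\n"; return $self->tempfail(); }`. The start of validate_cli_flags is outside this hunk.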
@@ -157,8 +158,13 @@ sub get_useragent {
my $opts = shift;
my $ua = LWP::UserAgent->new();
$ua->cookie_jar( { file => $opts->{'jar'} } ) if $opts->{'jar'};
- $ua->ssl_opts( verify_hostname => $opts->{'verify-ssl'} )
- if $ua->can("ssl_opts");
+
+ if ( $ua->can("ssl_opts") ) {
+ $ua->ssl_opts( verify_hostname => $opts->{'verify-ssl'} );
+ $ua->ssl_opts( SSL_ca_file => $opts->{'ca-file'} )
+ if $opts->{'ca-file'};
+ }
+
return $ua;
}
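Review bot: Passing `--ca-file` together with `--no-verify-ssl` reaches this block with `verify_hostname` false and `SSL_ca_file` set on the same user agent. LWP documents that no certificate checks are made when `verify_hostname` is false, so the CA file would go unused while the operator believes the certificate is being checked against it. Rejecting the combination in validate_cli_flags is the least surprising fix, e.g. `if ($opts->{'ca-file'} and defined $opts->{'verify-ssl'} and not $opts->{'verify-ssl'}) { print STDERR "--ca-file cannot be combined with --no-verify-ssl\n"; return $self->permfail(); }`. The first lines of get_useragent are outside this hunk.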
@@ -365,7 +371,16 @@ libraries. RT will detect and install these dependencies if you pass the
C<--enable-ssl-mailgate> flag to configure as documented in RT's README.
If you have a self-signed SSL certificate, you may also need to pass
-C<--no-verify-ssl>, below.
+C<--ca-file> or C<--no-verify-ssl>, below.
+
+=item C<--ca-file> I<path>
+
+Specifies the path to the public SSL certificate fr the certificate
+authority that should be used to verify the website's SSL certificate.
+If your webserver uses a self-signed certificate, you should
+preferentially use this option over C<--no-verify-ssl>, as it will
+ensure that the self-signed certificate that the mailgate is seeing the
+I<right> self-signed certificate.
=item C<--no-verify-ssl>
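Review bot: The new `--ca-file` entry has a typo and a closing sentence that does not parse. `fr` should be `for`, and the last clause could read `as it will ensure that the certificate the mailgate is seeing is the I<right> self-signed certificate`. It would also help to state that the file must be in a format the SSL library accepts (presumably PEM). Readers should also be told that hostname verification still applies when `--ca-file` is used, so they do not assume the option relaxes checking the way `--no-verify-ssl` does.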
-----------------------------------------------------------------------