[rt-users] rt-mailgate problem with 'SSLVerifyClient require'

Cerion Armour-Brown cerion at terpsichore.ws
Wed Feb 18 17:13:12 EST 2004 

On Wednesday 18 February 2004 22:22, Mark Williams wrote:
> Your 443 port may not be open. You can do a quick check by getting to a
> command prompt and typing:
Unfortunately, ports are certainly open.

> PS - I'm thinking that as long as you don't require the client
> certificate, it's not using port 443, so all's well. The services are
> running, but not being accessed so you can't tell they're blocked by
> your machine's firewall.
I didn't know it worked like that... Are you saying that even if I specify 
https in the rt-mailgate command, it will fall back to 'http' if it can?
Mind you, mailing was previously fine even if I set apache to listen only to 
443:
---
<IfDefine SSL>
#Listen 80
Listen 443
</IfDefine>
---
Wouldn't this stop that?

Can anyone confirm (give pointers to?) a setup that works when using 
'SSLVerifyClient require'?
Many thanks,
Cerion



> >>> Cerion Armour-Brown <cerion at terpsichore.ws> 02/18/04 08:49AM >>>
>
> Hi,
> I'm having trouble with rt-mailgate and ssl...
> I should first say that I've got RT up and working, with ssl, as long
> as no
> client certificate is required.  Both email and the web interfaces work
> fine.
>
> However, as soon as I set (in httpd.conf)
> SSLVerifyClient require
> SSLVerifyDepth  1
> ...I can't get mail through to the webserver anymore.
>
> Does anyone have any idea what I'm doing wrong?
> I've googled and read docs and rt-users until my eyes are dry - I have
> no idea
> what to try next!
>
> Below are details/results of things I've tried so far...
>
> `rt-mailgate --queue Bugs --action comment --debug --url https://
> request_tracker.local < ~/foo`
> => "500 SSL negotiation failed:"
>
> apache/error_log:
> ---
> [error] mod_ssl: SSL handshake failed (server
> request_tracker.local:443,
> client 192.168.1.102) (OpenSSL library error follows)
> [error] OpenSSL: error:140890C7:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:peer
> did not return a certificate [Hint: No CAs known to server for
> verification?]
> [error] mod_ssl: SSL handshake failed (server
> request_tracker.local:443,
> client 192.168.1.102) (OpenSSL library error follows)
> [error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer
> error no
> certificate
> ---
>
> I've tried installing:
> Crypt::SSLeay, Net::SSLeay, libio-socket-ssl-perl
>
> If I type in a shell 'GET https://request_tracker.local'
> I get back 500 SSL negotiation failed:
>
> I would like to only 'listen' on port 443 and require client
> certificates, but
> for testing purposes, apache is still listening on port 80, too.
>
> Here's an httpd.conf extract:
> (I've tried with and without the
> <VirtualHost _default_:443>
>    DocumentRoot /frop/local/rt3/share/html
>    ServerName request_tracker.local
>    AddDefaultCharset UTF-8
>
>    PerlModule Apache::DBI
>    PerlRequire /frop/local/rt3/bin/webmux.pl
>
>    <Location />
>       SetHandler perl-script
>       PerlHandler RT::Mason
>    </Location>
>
>    ErrorLog /frop/local/apache/logs/error_log
>    TransferLog /frop/local/apache/logs/access_log
>
>    # This was a suggested solution to handle "mailgateway and ssl"
>    #  - supposed to open https to localhost, by connecting with http
> instead
>    # http://marc.free.net.ph/message/20040114.021916.34ac6493.html
>    #
>    Alias /rt3/REST/1.0  /frop/local/rt3/share/html/REST/1.0
>    <Location "/rt3/REST/1.0">
>       Satisfy Any
>       Options FollowSymLinks Indexes ExecCGI
>       AllowOverride None
>       Order deny,allow
>       Allow from request_tracker.local
>       Allow from localhost
>    </Location>
>
> SSLEngine on
> SSLCipherSuite
> ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:
> +eNULL
>
> SSLCertificateFile /frop/local/apache/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /frop/local/apache/conf/ssl.key/server.key
> SSLCertificateChainFile /frop/local/apache/conf/ssl.crt/ca.crt
> SSLCACertificatePath /frop/local/apache/conf/ssl.crt
> SSLCACertificateFile /frop/local/apache/conf/ssl.crt/ca.crt
> SSLVerifyClient require
> SSLVerifyDepth  1
> --------------
>
>
> Any help _much_ appreciated - my head is hurting from the brick wall!
> Cerion
>
> _______________________________________________
> rt-users mailing list
> rt-users at lists.bestpractical.com
> http://lists.bestpractical.com/mailman/listinfo/rt-users
>
> Have you read the FAQ? The RT FAQ Manager lives at
> http://fsck.com/rtfm

More information about the rt-users mailing list