[rt-users] RT 4.0.2 SSL Email Verification Failed

Thomas Sibley trs at bestpractical.com
Mon Oct 17 11:55:29 EDT 2011


On 10/17/2011 11:51 AM, Luciano Ernesto da Silva wrote:
> I was testing RT with a self-signed certificate (SSL), I sent an email to
> queue, but in /var/log/mail I got this:
>
> (temporary failure. Command output: An Error Occurred =================
> 500 Can't connect to rt4.dev.ufrgs.br:443 (certificate verify failed) )
>
[snip]
>
> As described here
> http://blogs.perl.org/users/brian_d_foy/2011/07/now-you-need-lwpprotocolhttps.html
> I made and applied a patch against file
>
> Rt-mailgate, around line 151:
>
> - my $ua = LWP::UserAgent->new();
>
> + my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
>
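
Review bot: the added `ssl_opts => { verify_hostname => 0 }` switches off certificate checking for every request rt-mailgate makes, so the gateway will hand incoming mail to whatever host answers on port 443 under that name. Keep the `new()` call verifying and give it the CA instead, for example `ssl_opts => { verify_hostname => 1, SSL_ca_file => '/path/to/rt-ca.pem' }` (the path is a placeholder), or leave the line unpatched and set PERL_LWP_SSL_CA_FILE in the environment the mail gateway runs under.
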
> Patch link here: http://pastebin.com/DQCH3R8L
>
> Now Perl doesn't check the certificate, and the queues receive all messages.
>
> *My question: Is this the correct approach for that*?

No, this is wrong from a security standpoint, although it works since 
you're ignoring the cert data.  You'll be vulnerable to a MITM attack. 
You should instead take the advice of the second half of brian's blog 
post and tell LWP::UserAgent about your root CA or install the root CA 
into your operating system's list of trusted CAs (which means you don't 
have to patch rt-mailgate).

Thomas
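
The approach recommended in the reply above, as an added example (not code from this thread or from RT): a small check script that keeps verification on and trusts a private CA through `SSL_ca_file`. The `RT_CA_FILE` variable, the default CA path and the function name are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Assumed location of the PEM file holding the root CA (or the self-signed
# certificate itself) that the RT web server presents. RT_CA_FILE is a
# hypothetical variable used only by this script.
my $ca_file = $ENV{RT_CA_FILE} || '/etc/ssl/certs/rt-ca.pem';

# Build a user agent that verifies the chain and the hostname against one CA.
sub build_verified_ua {
    my ($ca) = @_;

    # Fail closed: a missing CA file must stop the script, not downgrade
    # the connection to an unverified one.
    die "CA file '$ca' is not readable\n" unless -r $ca;

    return LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => {
            verify_hostname => 1,     # keep certificate and hostname checks on
            SSL_ca_file     => $ca,   # trust anchor for the RT server
        },
    );
}

my $url = shift @ARGV
    or die "usage: $0 https://your-rt-host/\n";

my $ua  = build_verified_ua($ca_file);
my $res = $ua->get($url);

# LWP reports connection and TLS failures as a synthetic 500 response and
# marks it with a Client-Warning header, which separates "certificate verify
# failed" from a genuine HTTP 500 sent by the server.
if (($res->header('Client-Warning') // '') eq 'Internal response') {
    print "connection failed before HTTP: ", $res->status_line, "\n";
    exit 2;
}

print "TLS verified against $ca_file, server answered: ",
      $res->status_line, "\n";
exit($res->is_success ? 0 : 1);
```

Exporting `PERL_LWP_SSL_CA_FILE` with the same PEM path gives an unmodified rt-mailgate the same trust anchor without any patch.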


