[rt-users] RES: RT 4.0.2 SSL Email Verification Failed

Luciano Ernesto da Silva luciano at cpd.ufrgs.br
Mon Oct 17 12:27:24 EDT 2011


Thomas,

I made a modification to the LWP User Agent in line 151 (rt-mailgate), and it seems to work OK.

151     my $ua = LWP::UserAgent->new(ssl_opts => {SSL_ca_file => '/etc/ssl/certs/mycert.crt'});
152     # my $ua   = LWP::UserAgent->new();

Ok?

Luciano



-----Original Message-----
From: rt-users-bounces at lists.bestpractical.com [mailto:rt-users-bounces at lists.bestpractical.com] On behalf of Thomas Sibley
Sent: Monday, October 17, 2011 13:55
To: rt-users at lists.bestpractical.com
Subject: Re: [rt-users] RT 4.0.2 SSL Email Verification Failed

On 10/17/2011 11:51 AM, Luciano Ernesto da Silva wrote:
> I was testing RT with a self-signed certificate (SSL). I sent an email
> to the queue, but in /var/log/mail I got this:
>
> (temporary failure. Command output: An Error Occurred 
> =================
> 500 Can't connect to rt4.myurl.com :443 (certificate verify failed) 
> )
>
[snip]
>
> As described here
> http://blogs.perl.org/users/brian_d_foy/2011/07/now-you-need-lwpprotocolhttps.html
> I made and applied a patch against file
>
> Rt-mailgate, around line 151:
>
> - my $ua = LWP::UserAgent->new();
>
> + my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
>
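Review bot: `verify_hostname => 0` in the added line disables certificate checking for every connection rt-mailgate makes, so the gateway can no longer tell the real RT server from a host that intercepts the connection. Leave verification at its default and name the certificate to trust instead, for example `ssl_opts => { SSL_ca_file => '/path/to/ca.crt' }` (placeholder path).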
> Patch link here: http://pastebin.com/DQCH3R8L
>
> Now Perl doesn’t check the certificate, and the queues receive all messages.
>
> *My question: Is this the correct approach for that*?

No, this is wrong from a security standpoint, although it works since you're ignoring the cert data.  You'll be vulnerable to a MITM attack. 
You should instead take the advice of the second half of brian's blog post and tell LWP::UserAgent about your root CA or install the root CA into your operating system's list of trusted CAs (which means you don't have to patch rt-mailgate).

Thomas
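The approach recommended in this thread, as an added example that is not part of the original messages and is not rt-mailgate code: a stand-alone Perl check that builds the same kind of LWP::UserAgent with verification left on and a CA file supplied, so the certificate can be tested before rt-mailgate is touched. The script, its helper names and the default CA path (copied from the message above) are assumptions.

```perl
#!/usr/bin/perl
# Added example, not rt-mailgate code. Usage: script.pl https://host/ [ca-file]
use strict;
use warnings;
use LWP::UserAgent;

# Build a user agent that trusts only the given CA / self-signed certificate.
sub build_ua {
    my ($ca) = @_;
    # Fail closed: never fall back to an unverified connection.
    die "CA file '$ca' is missing or unreadable\n" unless -r $ca;
    return LWP::UserAgent->new(
        timeout  => 15,
        ssl_opts => {
            verify_hostname => 1,    # certificate name must match the URL host
            SSL_ca_file     => $ca,  # chain must end in a certificate from this file
        },
    );
}

# Fetch the URL and separate connection/TLS failures from HTTP-level errors.
sub check_url {
    my ($ua, $url) = @_;
    my $res = $ua->get($url);
    return (1, $res->status_line) if $res->is_success;
    # LWP marks responses it generated itself (connect or TLS failure)
    # with a "Client-Warning: Internal response" header.
    my $internal = ($res->header('Client-Warning') // '') eq 'Internal response';
    my $kind = $internal ? 'connection/TLS failure' : 'HTTP error';
    return (0, "$kind: " . $res->status_line);
}

my $url = shift @ARGV or die "usage: $0 https://rt.example.com/ [ca-file]\n";
# Default path is the one used in the message above; adjust as needed.
my $ca_file = shift @ARGV // '/etc/ssl/certs/mycert.crt';

my ($ok, $msg) = check_url(build_ua($ca_file), $url);
print(($ok ? 'OK' : 'FAIL'), " $url -> $msg\n");
exit($ok ? 0 : 1);
```

A self-signed certificate passes this check only if the host name in the URL appears in the certificate. LWP::UserAgent also takes its default CA file from the PERL_LWP_SSL_CA_FILE environment variable, which avoids editing rt-mailgate at all.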