[rt-users] rt-mailgate problem with 'SSLVerifyClient require'

Cerion Armour-Brown cerion at terpsichore.ws
Wed Feb 18 11:49:16 EST 2004


Hi,
I'm having trouble with rt-mailgate and ssl...
I should first say that I've got RT up and working, with ssl, as long as no 
client certificate is required.  Both email and the web interfaces work fine.

However, as soon as I set (in httpd.conf)
SSLVerifyClient require
SSLVerifyDepth  1
...I can't get mail through to the webserver anymore.

Does anyone have any idea what I'm doing wrong?
I've googled and read docs and rt-users until my eyes are dry - I have no idea 
what to try next!

Below are details/results of things I've tried so far...

`rt-mailgate --queue Bugs --action comment --debug --url https://request_tracker.local < ~/foo`
=> "500 SSL negotiation failed:"

apache/error_log:
---
[error] mod_ssl: SSL handshake failed (server request_tracker.local:443, client 192.168.1.102) (OpenSSL library error follows)
[error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
[error] mod_ssl: SSL handshake failed (server request_tracker.local:443, client 192.168.1.102) (OpenSSL library error follows)
[error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no certificate
---

I've tried installing:
Crypt::SSLeay, Net::SSLeay, libio-socket-ssl-perl

If I type in a shell 'GET https://request_tracker.local'
I get back 500 SSL negotiation failed:

I would like to only 'listen' on port 443 and require client certificates, but 
for testing purposes, apache is still listening on port 80, too.

Here's an httpd.conf extract:
(I've tried with and without the 
<VirtualHost _default_:443>
   DocumentRoot /frop/local/rt3/share/html
   ServerName request_tracker.local
   AddDefaultCharset UTF-8

   PerlModule Apache::DBI
   PerlRequire /frop/local/rt3/bin/webmux.pl

   <Location />
      SetHandler perl-script
      PerlHandler RT::Mason
   </Location>

   ErrorLog /frop/local/apache/logs/error_log
   TransferLog /frop/local/apache/logs/access_log

   # This was a suggested solution to handle "mailgateway and ssl"
   #  - supposed to open https to localhost, by connecting with http instead
   # http://marc.free.net.ph/message/20040114.021916.34ac6493.html
   #
   Alias /rt3/REST/1.0  /frop/local/rt3/share/html/REST/1.0
   <Location "/rt3/REST/1.0">
      Satisfy Any
      Options FollowSymLinks Indexes ExecCGI
      AllowOverride None
      Order deny,allow
      Allow from request_tracker.local
      Allow from localhost
   </Location>

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

SSLCertificateFile /frop/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /frop/local/apache/conf/ssl.key/server.key
SSLCertificateChainFile /frop/local/apache/conf/ssl.crt/ca.crt
SSLCACertificatePath /frop/local/apache/conf/ssl.crt
SSLCACertificateFile /frop/local/apache/conf/ssl.crt/ca.crt
SSLVerifyClient require
SSLVerifyDepth  1
--------------


Any help _much_ appreciated - my head is hurting from the brick wall!
Cerion
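The error_log above is the server side of the story: with SSLVerifyClient require, Apache asks the client for a certificate during the handshake, and the client (rt-mailgate's LWP::UserAgent) sends none, so the handshake is aborted before any HTTP request is made. LWP only presents a client certificate when it is told where to find one. The script below is an added example, not part of Cerion's post or of RT's own code, showing the two ways an LWP-based client can be pointed at a client certificate; the certificate, key and CA paths, the timeout and the probe URL are placeholders chosen for the example.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from RT itself.
# Shows how an LWP-based client (rt-mailgate uses LWP::UserAgent) can present
# a client certificate to an Apache vhost configured with
# "SSLVerifyClient require", so the handshake no longer fails with
# "peer did not return a certificate".
use strict;
use warnings;
use LWP::UserAgent;

# Placeholder paths (assumptions): a client certificate issued by the same CA
# that the server's SSLCACertificateFile points at, its private key, and the
# CA certificate used to verify the server's certificate.
my $cert = '/path/to/client.crt';
my $key  = '/path/to/client.key';
my $ca   = '/path/to/ca.crt';

# LWP built on Crypt::SSLeay reads the client certificate from these
# environment variables. Exporting them in the environment rt-mailgate runs
# in is enough; rt-mailgate itself does not have to change.
$ENV{HTTPS_CERT_FILE} = $cert;
$ENV{HTTPS_KEY_FILE}  = $key;
$ENV{HTTPS_CA_FILE}   = $ca;

# LWP built on LWP::Protocol::https / IO::Socket::SSL ignores those variables
# and takes the same files through ssl_opts instead. Setting both covers
# either backend.
my $ua = LWP::UserAgent->new(
    timeout  => 30,
    ssl_opts => {
        SSL_cert_file   => $cert,
        SSL_key_file    => $key,
        SSL_ca_file     => $ca,
        verify_hostname => 1,
    },
);

# Make one request with the configured UserAgent and report the outcome, so
# the client-certificate setup can be checked independently of rt-mailgate.
sub probe {
    my ($url) = @_;
    my $res = $ua->get($url);
    return ($res->is_success ? 'OK: ' : 'FAILED: ') . $res->status_line;
}

my $url = shift @ARGV || 'https://request_tracker.local/';
print probe($url), "\n";
```

If the probe succeeds but rt-mailgate still reports "500 SSL negotiation failed", the environment variables are not reaching rt-mailgate, which is common when the MTA invokes it from an alias with a clean environment; in that case set them in the alias or wrapper that starts rt-mailgate. A failed probe whose error_log entry still reads "peer did not return a certificate" means the certificate files are not being loaded at all, while a different verification error means the client certificate is being sent but is not signed by the CA the server trusts.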
