[rt-users] rt-mailgate problem with 'SSLVerifyClient require'
Cerion Armour-Brown
cerion at terpsichore.ws
Wed Feb 18 17:13:12 EST 2004
On Wednesday 18 February 2004 22:22, Mark Williams wrote:
> Your 443 port may not be open. You can do a quick check by getting to a
> command prompt and typing:
Unfortunately, ports are certainly open.
> PS - I'm thinking that as long as you don't require the client
> certificate, it's not using port 443, so all's well. The services are
> running, but not being accessed so you can't tell they're blocked by
> your machine's firewall.
I didn't know it worked like that... Are you saying that even if I specify https in the rt-mailgate command, it will fall back to 'http' if it can?
Mind you, mailing was previously fine even if I set apache to listen only to 443:
---
<IfDefine SSL>
#Listen 80
Listen 443
</IfDefine>
---
Wouldn't this stop that?
Can anyone confirm (give pointers to?) a setup that works when using
'SSLVerifyClient require'?
Many thanks,
Cerion
> >>> Cerion Armour-Brown <cerion at terpsichore.ws> 02/18/04 08:49AM >>>
>
> Hi,
> I'm having trouble with rt-mailgate and ssl...
> I should first say that I've got RT up and working, with ssl, as long as no client certificate is required. Both email and the web interfaces work fine.
>
> However, as soon as I set (in httpd.conf)
> SSLVerifyClient require
> SSLVerifyDepth 1
> ...I can't get mail through to the webserver anymore.
>
> Does anyone have any idea what I'm doing wrong?
> I've googled and read docs and rt-users until my eyes are dry - I have no idea what to try next!
>
> Below are details/results of things I've tried so far...
>
> `rt-mailgate --queue Bugs --action comment --debug --url https://request_tracker.local < ~/foo`
> => "500 SSL negotiation failed:"
>
> apache/error_log:
> ---
> [error] mod_ssl: SSL handshake failed (server request_tracker.local:443, client 192.168.1.102) (OpenSSL library error follows)
> [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]
> [error] mod_ssl: SSL handshake failed (server request_tracker.local:443, client 192.168.1.102) (OpenSSL library error follows)
> [error] OpenSSL: error:140710CA:SSL routines:REQUEST_CERTIFICATE:peer error no certificate
> ---
>
> I've tried installing:
> Crypt::SSLeay, Net::SSLeay, libio-socket-ssl-perl
>
> If I type in a shell 'GET https://request_tracker.local'
> I get back 500 SSL negotiation failed:
>
> I would like to only 'listen' on port 443 and require client certificates, but for testing purposes, apache is still listening on port 80, too.
>
> Here's an httpd.conf extract:
> (I've tried with and without the
> <VirtualHost _default_:443>
> DocumentRoot /frop/local/rt3/share/html
> ServerName request_tracker.local
> AddDefaultCharset UTF-8
>
> PerlModule Apache::DBI
> PerlRequire /frop/local/rt3/bin/webmux.pl
>
> <Location />
> SetHandler perl-script
> PerlHandler RT::Mason
> </Location>
>
> ErrorLog /frop/local/apache/logs/error_log
> TransferLog /frop/local/apache/logs/access_log
>
> # This was a suggested solution to handle "mailgateway and ssl"
> # - supposed to open https to localhost, by connecting with http instead
> # http://marc.free.net.ph/message/20040114.021916.34ac6493.html
> #
> Alias /rt3/REST/1.0 /frop/local/rt3/share/html/REST/1.0
> <Location "/rt3/REST/1.0">
> Satisfy Any
> Options FollowSymLinks Indexes ExecCGI
> AllowOverride None
> Order deny,allow
> Allow from request_tracker.local
> Allow from localhost
> </Location>
>
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
> SSLCertificateFile /frop/local/apache/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /frop/local/apache/conf/ssl.key/server.key
> SSLCertificateChainFile /frop/local/apache/conf/ssl.crt/ca.crt
> SSLCACertificatePath /frop/local/apache/conf/ssl.crt
> SSLCACertificateFile /frop/local/apache/conf/ssl.crt/ca.crt
> SSLVerifyClient require
> SSLVerifyDepth 1
> --------------
>
>
> Any help _much_ appreciated - my head is hurting from the brick wall!
> Cerion
>
> _______________________________________________
> rt-users mailing list
> rt-users at lists.bestpractical.com
> http://lists.bestpractical.com/mailman/listinfo/rt-users
>
> Have you read the FAQ? The RT FAQ Manager lives at
> http://fsck.com/rtfm
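The two mod_ssl errors quoted above ("peer did not return a certificate" / "peer error no certificate") say the client side of the handshake never offered a certificate at all: with `SSLVerifyClient require` the server asks for one, and rt-mailgate, which talks to RT through LWP::UserAgent, has nothing configured to present. The script below is an added example, not code from the thread, from RT or from rt-mailgate. It probes the server the way rt-mailgate does (LWP over Crypt::SSLeay), but hands Crypt::SSLeay a client certificate through the environment variables it reads (HTTPS_CERT_FILE, HTTPS_KEY_FILE, HTTPS_CA_FILE). The certificate and key paths, the probe's User-Agent string and the script name are assumptions; only the CA path is taken from the httpd.conf extract in the post.

```perl
#!/usr/bin/perl
# ssl-probe.pl (added example; not part of RT or of the original thread)
# Check whether an RT host configured with 'SSLVerifyClient require' will
# complete a TLS handshake with the client certificate we hand to it, using
# the same stack rt-mailgate uses: LWP::UserAgent over Crypt::SSLeay.
use strict;
use warnings;
use LWP::UserAgent;

# Crypt::SSLeay takes the client certificate from these environment
# variables; they must be set before the first HTTPS request is made.
# The cert/key locations are placeholders (assumed), the CA file is the
# one from the httpd.conf in the post (SSLCACertificateFile).
$ENV{HTTPS_CERT_FILE} ||= '/frop/local/rt3/etc/rt-mailgate.crt';   # assumed
$ENV{HTTPS_KEY_FILE}  ||= '/frop/local/rt3/etc/rt-mailgate.key';   # assumed
$ENV{HTTPS_CA_FILE}   ||= '/frop/local/apache/conf/ssl.crt/ca.crt';
$ENV{HTTPS_DEBUG} = 1 if $ENV{DEBUG};   # Crypt::SSLeay prints handshake detail

my $url = shift @ARGV || 'https://request_tracker.local/';

# Fail early on the most common mistake: a path that is wrong, or a key
# the mail user (who runs rt-mailgate) is not allowed to read.
for my $f ($ENV{HTTPS_CERT_FILE}, $ENV{HTTPS_KEY_FILE}, $ENV{HTTPS_CA_FILE}) {
    die "missing or unreadable: $f\n" unless -r $f;
}

my $ua = LWP::UserAgent->new(timeout => 30);
$ua->agent('rt-mailgate-ssl-probe/0.1');   # assumed name, any string works

my $res = $ua->get($url);
printf "%s -> %s\n", $url, $res->status_line;

# LWP marks responses it generated itself (connection/handshake failures)
# with 'Client-Warning: Internal response'.  Anything else came back over
# a completed TLS session, i.e. the server accepted our certificate.
my $internal = ($res->header('Client-Warning') || '') eq 'Internal response';

if (!$internal) {
    print "TLS handshake completed; server accepted the client certificate\n";
    exit 0;
}

if ($res->status_line =~ /SSL negotiation failed/) {
    # Same wording as in the post.  Under 'SSLVerifyClient require' this
    # means either no certificate was sent, or the server could not chain
    # it to a CA in SSLCACertificateFile within SSLVerifyDepth.
    print STDERR "handshake failed: check HTTPS_CERT_FILE/HTTPS_KEY_FILE, that the\n",
                 "certificate is signed by the CA in SSLCACertificateFile, and that\n",
                 "the chain length fits SSLVerifyDepth\n";
    exit 2;
}

print STDERR "other connection-level failure: ", $res->status_line, "\n";
exit 1;
```

Run it as the same user that rt-mailgate runs under (`perl ssl-probe.pl https://request_tracker.local/`), because the alias or MTA pipe that invokes rt-mailgate does so with that user's permissions and a nearly empty environment; once the probe succeeds, the same three variables have to be exported in the wrapper script or alias entry that launches rt-mailgate, since rt-mailgate itself has no option for a client certificate and only inherits them. If both Crypt::SSLeay and IO::Socket::SSL are installed, which backend LWP chooses depends on the LWP version, and these variables only affect Crypt::SSLeay, so HTTPS_DEBUG=1 is the quickest way to confirm the right one is in use. The other route, keeping `SSLVerifyClient require` for browsers but relaxing it to `none` or `optional` inside the `<Location "/rt3/REST/1.0">` block that is already limited to localhost by `Allow from`, also works because `SSLVerifyClient` is accepted in directory/location context, at the cost of a renegotiation per request. Separately, the `SSLCipherSuite` line in the extract is the old mod_ssl sample string and admits `+eNULL`, `+LOW` and `+SSLv2`; a client-certificate-only deployment gains nothing from those and they are worth dropping.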