[ww-bugs] Bug 3407: Failed to open the mailer: IO::Socket::SSL->start_SSL failed: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

bugzilla-daemon at webwork.maa.org
Tue Sep 1 09:11:11 EDT 2015


http://bugs.webwork.maa.org/show_bug.cgi?id=3407


Mike Gage <gage at math.rochester.edu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gage at math.rochester.edu




--- Comment #1 from Mike Gage <gage at math.rochester.edu>  2015-09-01 09:11:10 ---
Mike,

Okay, to resume: the problem seems to be that Mail::Sender is trying to encrypt
its SMTP connection with the mail gateway smtp-gw.rochester.edu, but for
whatever reason it can't validate the authenticity of the certificates provided
by that gateway.

I suspected that our code might be trying to validate the certificates using
the certificate chains stored in /opt/webwork/ssl, and due to the change in
filenames, the code can no longer find those chains. But if so, I can't find
where in the code the files are being called.

In any case, I've copied the old server certificates and the
"Apache_Plesk_Install.txt" file (which contains some certificate chains) to
their old locations. Let me know if this solves the problem in the short term.

As to a possible long term fix:

Apparently "TLS_allowed" is set to "true" by default in Mail::Sender. Since
smtp-gw offers to use SSL, Mail::Sender accepts the invitation and then balks
because it can't verify the certificates. I would advise setting TLS_allowed to
"false". Please note that Mail::Sender is called not just in 

 /opt/webwork/webwork2/lib/WeBWorK/ContentGenerator/Feedback.pm

but also in a few other places, like

 /opt/webwork/webwork2/lib/WeBWorK/Utils/DelayedMailer.pm

So you may need to set TLS_allowed to false there, as well.

In our case, at least, there is no big advantage to using SSL with
smtp-gw.rochester.edu, as the gateway doesn't require it. So SSL doesn't
provide us with authentication; anyone can fake messages from WeBWorK if they
want to, SSL or no.

The only advantage SSL does provide is privacy from anyone potentially
eavesdropping on the network connection between WeBWorK and smtp-gw. Which
isn't very likely. And even if that link is secured by SSL, the email itself
isn't secure once it gets delivered. Is there any information sent in webwork
email that's particularly sensitive?

- Hoss
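
The verification failure described in the message above can be reproduced offline. This is an added example, not part of the original message or of WeBWorK's code: it shows a certificate failing to verify when the client's trust file lacks the issuing chain and verifying once that chain is supplied. The CA names, the host name smtp-gw.example.test and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway certificates only, nothing here touches a real gateway.
# "Constructed Demo CA" and smtp-gw.example.test are made-up names.

# verify_with <trust-file> <cert>: echo "ok" if openssl builds a chain, else "fail".
verify_with() {
  if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

# make_ca <dir> <name> <CN>: self-signed CA certificate in <dir>/<name>.pem
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# run_demo: echo two results, first with the wrong trust anchor, then the right one.
run_demo() {
  demo_dir=$(mktemp -d) || return 1
  make_ca "$demo_dir" ca "Constructed Demo CA" || return 1
  make_ca "$demo_dir" other "Constructed Unrelated CA" || return 1
  # Gateway key and CSR, signed by the demo CA (stands in for the gateway's cert).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=smtp-gw.example.test" \
    -keyout "$demo_dir/gw.key" -out "$demo_dir/gw.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$demo_dir/gw.csr" -CA "$demo_dir/ca.pem" \
    -CAkey "$demo_dir/ca.key" -CAcreateserial -days 2 \
    -out "$demo_dir/gw.pem" 2>/dev/null || return 1
  # Trust file without the issuer: the same condition as a client that cannot
  # find the chain, which surfaces as "certificate verify failed".
  chain_missing=$(verify_with "$demo_dir/other.pem" "$demo_dir/gw.pem")
  # Trust file containing the issuer: verification succeeds, TLS stays enabled.
  chain_present=$(verify_with "$demo_dir/ca.pem" "$demo_dir/gw.pem")
  rm -rf "$demo_dir"
  echo "$chain_missing $chain_present"
}

run_demo
```

Against a live gateway the corresponding check is `openssl s_client -starttls smtp -connect <host>:25 -CAfile <bundle>`, with the host and bundle path filled in for the site.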
