Your message dated Sun, 07 Jun 2020 21:33:50 +0000
with message-id <e1ji2vo-000baf...@fasolo.debian.org>
and subject line Bug#861089: fixed in pound 3.0~d-1
has caused the Debian Bug report #861089,
regarding Improve Handling of certificates for Pound [PATCH]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861089: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861089
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pound
Version: 2.7-1.3

Hi everyone,

This patch allows Pound to present ECDHA certificates to clients that
can use them while still presenting RSA certificates to older clients.

Robert de Bath <robert$@debath.co.uk>


Index: pound-2.7/config.c
===================================================================
This patch alters the way the "Cert" loads certificates and keys.

If the Common Name on the certificate is distinct from those on other
ones the operation is unchanged.  However, if the Common Name on this
certificate matches one used on a previous certificate this one will
be loaded into the same SSL context as the previous one. The result is
that if you load two (or three) certificates with different signature
algorithms all the OpenSSL ciphers that require any of the loaded
algorithms will be available to communicate with the client.

This allows ECDHA certificates to be presented to clients that can use
them while still presenting RSA certificates to older clients.

--- pound-2.7.orig/config.c     2017-04-22 18:42:23.412469733 +0100
+++ pound-2.7/config.c  2017-04-22 18:43:16.020025597 +0100
@@ -1041,50 +1041,72 @@ parse_HTTPS(void)
 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
             /* we have support for SNI */
             FILE        *fcert;
-            char        server_name[MAXBUF], *cp;
+            char        server_name[MAXBUF], *cp, *server_cname;
             X509        *x509;
+           regmatch_t CN_matches[2];
+           int         extra_cert = 0;

             if(has_other)
conf_err("Cert directives MUST precede other SSL-specific directives - aborted");
+
+            lin[matches[1].rm_eo] = '\0';
+            if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
+                conf_err("ListenHTTPS: could not open certificate file");
+            if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
+                conf_err("ListenHTTPS: could not get certificate subject");
+            fclose(fcert);
+            memset(server_name, '\0', MAXBUF);
+ X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
+
+            if(!regexec(&CNName, server_name, 2, CN_matches, 0)) {
+                server_name[CN_matches[1].rm_eo] = '\0';
+ if((server_cname = strdup(server_name + CN_matches[1].rm_so)) == NULL) + conf_err("ListenHTTPS: could not set certificate subject");
+            } else
+                conf_err("ListenHTTPS: could not get certificate CN");
+
             if(res->ctx) {
                 for(pc = res->ctx; pc->next; pc = pc->next)
-                    ;
-                if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
- conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
-                pc = pc->next;
+                    if (strcmp(pc->server_name, server_cname) == 0) {
+                       extra_cert = 1;
+                       break;
+                   }
+               if (!extra_cert && strcmp(pc->server_name, server_cname) == 0)
+                   extra_cert = 1;
+
+               if (!extra_cert ) {
+                   if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
+ conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
+                   pc = pc->next;
+               }
             } else {
                 if((res->ctx = malloc(sizeof(POUND_CTX))) == NULL)
conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
                 pc = res->ctx;
             }
-            if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
-                conf_err("SSL_CTX_new failed - aborted");
-            pc->server_name = NULL;
-            pc->next = NULL;
-            lin[matches[1].rm_eo] = '\0';
+
+           if (!extra_cert) {
+               if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
+                   conf_err("SSL_CTX_new failed - aborted");
+               pc->server_name = NULL;
+               pc->next = NULL;
+           }
+
if(SSL_CTX_use_certificate_chain_file(pc->ctx, lin + matches[1].rm_so) != 1) conf_err("SSL_CTX_use_certificate_chain_file failed - aborted"); if(SSL_CTX_use_PrivateKey_file(pc->ctx, lin + matches[1].rm_so, SSL_FILETYPE_PEM) != 1)
                 conf_err("SSL_CTX_use_PrivateKey_file failed - aborted");
             if(SSL_CTX_check_private_key(pc->ctx) != 1)
                 conf_err("SSL_CTX_check_private_key failed - aborted");
-            if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
-                conf_err("ListenHTTPS: could not open certificate file");
-            if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
-                conf_err("ListenHTTPS: could not get certificate subject");
-            fclose(fcert);
-            memset(server_name, '\0', MAXBUF);
- X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
-            pc->subjectAltNameCount = 0;
-            pc->subjectAltNames = NULL;
- pc->subjectAltNames = get_subjectaltnames(x509, &(pc->subjectAltNameCount));
+
+           if (!extra_cert) {
+               pc->server_name = server_cname;
+               pc->subjectAltNameCount = 0;
+               pc->subjectAltNames = NULL;
+ pc->subjectAltNames = get_subjectaltnames(x509, &(pc->subjectAltNameCount));
+           } else
+               free(server_cname;
             X509_free(x509);
-            if(!regexec(&CNName, server_name, 4, matches, 0)) {
-                server_name[matches[1].rm_eo] = '\0';
- if((pc->server_name = strdup(server_name + matches[1].rm_so)) == NULL) - conf_err("ListenHTTPS: could not set certificate subject");
-            } else
-                conf_err("ListenHTTPS: could not get certificate CN");
 #else
             /* no SNI support */
             if(has_other)
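Review bot: `free(server_cname;` in the `else` branch just before `X509_free(x509)` is missing its closing parenthesis, so the hunk does not compile as posted; it should be `free(server_cname);`. Two further points in this hunk. First, the merge is keyed on the Common Name alone: when a certificate joins an existing context (`extra_cert` set), the `get_subjectaltnames(x509, ...)` call is skipped, so the SAN list used for SNI matching is whichever certificate was loaded first, and a second certificate that covers different names is either never selected for those names or is served for names only the first certificate carries. The patch should compare the SAN set of the incoming certificate with `pc->subjectAltNames` and refuse (or at least warn) on a mismatch. Second, nothing stops two certificates of the same key type from sharing a CN; an SSL_CTX holds one certificate per key type, so the second `SSL_CTX_use_certificate_chain_file(pc->ctx, ...)` call on a matching context silently replaces the first rather than adding to it. Checking the public-key type of `x509` against the certificates already in `pc->ctx` before merging would turn that into a config error. Minor style point: the loop `for(pc = res->ctx; pc->next; pc = pc->next)` never examines the last node, which is why the comparison is repeated in `if (!extra_cert && strcmp(pc->server_name, server_cname) == 0)` right after it; iterating to the end inside a single loop (break on match, stop when `pc->next == NULL`) removes the duplicated check.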



--
Rob.                          (Robert de Bath <robert$ @ debath.co.uk>)
                                             <http://www.debath.co.uk/>

--- End Message ---
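The behaviour the patch above is meant to produce (an RSA certificate for RSA-only clients, an ECDSA certificate for clients that can use it) is easy to verify from the outside with `openssl s_client`. The script below is an added example, not code from the bug report, the pound patch or the pound project; the host, port and SNI name are hypothetical placeholders, and it assumes an `openssl` CLI new enough (1.1.1 or later) to print the `Peer signature type:` line and to accept `-sigalgs`.

```sh
#!/bin/sh
# Added example (not part of the pound patch or bug report): probe an HTTPS
# front-end to see which certificate key type it presents to an RSA-only
# client and to an ECDSA-capable client. Host/port/SNI are placeholders.

# Reads `openssl s_client` output on stdin and maps its
# "Peer signature type:" line to the key family of the certificate the
# server actually used: RSA (covers RSA and RSA-PSS), ECDSA, or UNKNOWN
# when the line is absent (failed handshake, or an older s_client).
peer_key_type() {
    sed -n 's/^Peer signature type: *//p' | head -n 1 | {
        read -r sig || sig=""
        case "$sig" in
            RSA|RSA-PSS) echo RSA ;;
            ECDSA)       echo ECDSA ;;
            *)           echo UNKNOWN ;;
        esac
    }
}

# One handshake with the client's signature algorithms restricted via
# -sigalgs, so the server can only pick a certificate of that key type.
# Arguments: host port sni_name sigalgs
probe_one() {
    printf 'Q\n' | openssl s_client -connect "$1:$2" -servername "$3" \
        -sigalgs "$4" 2>/dev/null | peer_key_type
}

# Both client profiles against one listener. With an RSA and an ECDSA
# certificate loaded into the same context the expected output is
# "rsa-only client: RSA" and "ecdsa client: ECDSA"; a front-end that only
# carries RSA prints UNKNOWN for the ECDSA-only client (no usable cert).
# Arguments: host port sni_name
probe_cert_types() {
    echo "rsa-only client: $(probe_one "$1" "$2" "$3" 'RSA-PSS+SHA256:RSA+SHA256')"
    echo "ecdsa client:    $(probe_one "$1" "$2" "$3" 'ECDSA+SHA256')"
}

# Stand-alone use:  sh probe.sh --probe front.example.org 443 www.example.org
if [ "${1:-}" = "--probe" ]; then
    probe_cert_types "${2:-localhost}" "${3:-443}" "${4:-www.example.org}"
fi
```

Restricting `-sigalgs` rather than `-cipher` works for both TLS 1.2 and TLS 1.3, since in both versions the server may only sign with an algorithm the client advertised; an `UNKNOWN` result for the ECDSA-only profile is the tell-tale that the listener still serves a single RSA certificate.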
--- Begin Message ---
Source: pound
Source-Version: 3.0~d-1
Done: Carsten Leonhardt <l...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carsten Leonhardt <l...@debian.org> (supplier of updated pound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Jun 2020 23:21:44 +0200
Source: pound
Binary: pound pound-dbgsym
Architecture: source amd64
Version: 3.0~d-1
Distribution: experimental
Urgency: medium
Maintainer: Carsten Leonhardt <l...@debian.org>
Changed-By: Carsten Leonhardt <l...@debian.org>
Description:
 pound      - reverse proxy, load balancer and HTTPS front-end for Web servers
Closes: 456667 490192 733820 861089
Changes:
 pound (3.0~d-1) experimental; urgency=medium
 .
   * New experimental upstream version.
     Pound was completely rewritten, most bug reports no longer apply
     (Closes: #861089, #490192, #733820, #456667).
   * Update debian/watch file.
   * Adapt much of the packaging to the new version.
   * Complies with standards version 4.5.0
   * Raise debhelper compat level to 13
   * Run as user "_pound"
Checksums-Sha1:
 b38e4986802cf2dae6054df79ce63cd576559c8c 2242 pound_3.0~d-1.dsc
 c8e371d4c120b8195f4b4c8c3072764dab0f6f06 75820 pound_3.0~d.orig.tar.gz
 2d48e21b4ab9273d010780a8261d4d900348e749 195 pound_3.0~d.orig.tar.gz.asc
 6a374f1738023f8936421ea183a6a1259afd3da4 9032 pound_3.0~d-1.debian.tar.xz
 af2d0ee715b2f9c9274ab1c778b4abb5174396af 103108 pound-dbgsym_3.0~d-1_amd64.deb
 d1e5fd149d5df32082ebe8700b22bcdc618ecb28 7187 pound_3.0~d-1_amd64.buildinfo
 c8b82e5384446324f91465bad4363886a102204e 60796 pound_3.0~d-1_amd64.deb
Checksums-Sha256:
 962cadce9d07aed1fa7bd30d9e0f13a5ec13c0591c551a7493acceebff5936e4 2242 pound_3.0~d-1.dsc
 d99c127b0b233f500b0936f18afdb7cb01c7a0caf9b612430a56a96303379155 75820 pound_3.0~d.orig.tar.gz
 e9e4bf03ed85126d141d23a0df6c6e884e9caaa1cdcd4a78b51012d78065fae7 195 pound_3.0~d.orig.tar.gz.asc
 ea2972cf34d6e0dcda4da559d0258f91500b58745fb2cbd7629466d0dee13bd1 9032 pound_3.0~d-1.debian.tar.xz
 c6f0885fe2e802a1aa25a08ec9b3fd3d15bebff4f90ffefb909d878596f13bda 103108 pound-dbgsym_3.0~d-1_amd64.deb
 b6fdb9c99e8632a54e8a2a1020bafc9383562c219b32c0ae9ea51effdcef1757 7187 pound_3.0~d-1_amd64.buildinfo
 fd9c2c753a883d7677cdafb780d989ffe5bcc95eb352bba9748f610e415c7fb6 60796 pound_3.0~d-1_amd64.deb
Files:
 82f57f1bce560dccb918b1d69b4d651e 2242 net optional pound_3.0~d-1.dsc
 2a9dc5623ad323a8af6792b8a3b69dcc 75820 net optional pound_3.0~d.orig.tar.gz
 211891e6e74676968de60690112fb40c 195 net optional pound_3.0~d.orig.tar.gz.asc
 4b9e23bc4a565839926b3737063b06f8 9032 net optional pound_3.0~d-1.debian.tar.xz
 61024c77e209f08a8e2210b3ae5fd0d6 103108 debug optional pound-dbgsym_3.0~d-1_amd64.deb
 c035bd46c21e367c1493f680d3eb2296 7187 net optional pound_3.0~d-1_amd64.buildinfo
 4b2848b4121a553bd02ca6bc9a05090a 60796 net optional pound_3.0~d-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---