On 7/27/2011 10:16 AM, Erik Trauschke wrote:
On Wed, 2011-07-27 at 09:53 -0700, Amol Chiplunkar wrote:
Well, do your certs have the CNs properly set?
How do I ensure that ?
I am not even setting the CNs on the client side, just obtaining the
cert via openssl
I suggest you look up how to do client cert verification in apache in
general.
oh wait..
So when pkg runs, is it trying to just verify the server ( by validating
it's cert )
or is it trying to request the webserver to authenticate it as a client ?
My understanding is it's the former ( just trying to validate the cert )
thanks
- Amol
Just secure a simple directory on your server with it. Once
that works you just put a proxy statement in the Location section for
this directory.
Besides, it looks like the issue is more with apache / ssl than
anything else.
( Not IPS )
You're right, it' not an IPS issue. Try to get it working in general, if
you still have issues with the IPS part afterwards we can go from there.
Erik
thanks
- Amol
Erik
Erik
So you'd create a httpd.conf like this:
---
SSLEngine On
# Cert paths
SSLCertificateFile /path/to/apache2/certs/server.crt
SSLCertificateKeyFile /path/to/apache2/certs/server.key
# intermediate CA cert
SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
# CA certs for client verification (concatenated in one file)
SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
# CRL (optional)
SSLCARevocationFile /path/to/apache2/certs/crl.pem
<Location /private>
SSLVerifyClient require
SSLVerifyDepth 1
# example: only certs with subject [email protected] are allowed
SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
ProxyPass http://depot_server:12345 nocanon max=500
</Location>
---
Erik
Thanks
Amol
Brock
However, I would now expect
pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
to work !
But it errors out saying
Framework error: code: 35 reason: error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol
Wondering if it's the right set of commands ?
Is the approved-ca-cert meant to work with a reverse proxy in the first place ??
Because looking at the doc, it seems the cert has to be configured with the
actual IPS repo.
please suggest
thx
- Amol
Erik
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP:
canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy:
http: found worker http://oc-4200m2-42:11000/IPS for
http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http
handler (attempt 0)
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP:
serving URL http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has
acquired connection for (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting
http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected
/IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam
2 socket created to connect to oc-4200m2-42
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP:
connection complete to X.X.X.X:11000 (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added: DEFLATE
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start
body send
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end
body send
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has
released connection for (oc-4200m2-42)
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
