On Wed, 2011-07-27 at 10:32 -0700, Amol Chiplunkar wrote:
>
> On 7/27/2011 10:16 AM, Erik Trauschke wrote:
> > On Wed, 2011-07-27 at 09:53 -0700, Amol Chiplunkar wrote:
> >
> >>> Well, do your certs have the CNs properly set?
> >>>
> >> How do I ensure that?
> >> I am not even setting the CNs on the client side, just obtaining the
> >> cert via openssl
> > I suggest you look up how to do client cert verification in apache in
> > general.
> oh wait..
> So when pkg runs, is it trying to just verify the server (by validating
> its cert)
> or is it trying to request the webserver to authenticate it as a client?
>
> My understanding is it's the former (just trying to validate the cert)

Both are happening. The client is verifying the server's cert against its
stored CA certs. The server is verifying the cert the client presents to it
to verify if the user is allowed to have access to this location.
I don't know what you are trying to achieve but if you just want to have
SSL-protected pkg transfers you don't need client verification. This is
just required if you want to limit access to users with the right cert.

Erik

>
> thanks
> - Amol
>
> > Just secure a simple directory on your server with it. Once
> > that works you just put a proxy statement in the Location section for
> > this directory.
> >
> >> Besides, it looks like the issue is more with apache / ssl than
> >> anything else.
> >> (Not IPS)
> > You're right, it's not an IPS issue. Try to get it working in general, if
> > you still have issues with the IPS part afterwards we can go from there.
> >
> > Erik
> >
> >> thanks
> >> - Amol
> >>
> >>> Erik
> >>>
> >>>>> Erik
> >>>>>
> >>>>>>> So you'd create a httpd.conf like this:
> >>>>>>> ---
> >>>>>>> SSLEngine On
> >>>>>>>
> >>>>>>> # Cert paths
> >>>>>>> SSLCertificateFile /path/to/apache2/certs/server.crt
> >>>>>>> SSLCertificateKeyFile /path/to/apache2/certs/server.key
> >>>>>>>
> >>>>>>> # intermediate CA cert
> >>>>>>> SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
> >>>>>>>
> >>>>>>> # CA certs for client verification (concatenated in one file)
> >>>>>>> SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
> >>>>>>>
> >>>>>>> # CRL (optional)
> >>>>>>> SSLCARevocationFile /path/to/apache2/certs/crl.pem
> >>>>>>>
> >>>>>>> <Location /private>
> >>>>>>>     SSLVerifyClient require
> >>>>>>>     SSLVerifyDepth 1
> >>>>>>>     # example: only certs with subject [email protected] are allowed
> >>>>>>>     SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
> >>>>>>>     ProxyPass http://depot_server:12345 nocanon max=500
> >>>>>>> </Location>
> >>>>>>> ---
> >>>>>>>
> >>>>>>> Erik
> >>>>>>>
> >>>>>>>> Thanks
> >>>>>>>> Amol
> >>>>>>>>
> >>>>>>>>> Brock
> >>>>>>>>>
> >>>>>>>>>> However, I would now expect
> >>>>>>>>>> pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
> >>>>>>>>>> to work!
> >>>>>>>>>> But it errors out saying
> >>>>>>>>>> Framework error: code: 35 reason: error:140770FC:SSL
> >>>>>>>>>> routines:SSL23_GET_SERVER_HELLO:unknown protocol
> >>>>>>>>>>
> >>>>>>>>>> Wondering if it's the right set of commands?
> >>>>>>>>>> Is the approved-ca-cert meant to work with a reverse proxy in the
> >>>>>>>>>> first place?
> >>>>>>>>>> Because looking at the doc, it seems the cert has to be configured
> >>>>>>>>>> with the actual IPS repo.
> >>>>>>>>>>
> >>>>>>>>>> please suggest
> >>>>>>>>>>
> >>>>>>>>>> thx
> >>>>>>>>>> - Amol
> >>>>>>>>>>
> >>>>>>>>>>> Erik
> >>>>>>>>>>>
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP:
> >>>>>>>>>>>> canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy:
> >>>>>>>>>>>> http: found worker http://oc-4200m2-42:11000/IPS for
> >>>>>>>>>>>> http://oc-4200m2-42:11000/IPSversions/0/
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http
> >>>>>>>>>>>> handler (attempt 0)
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP:
> >>>>>>>>>>>> serving URL http://oc-4200m2-42:11000/IPSversions/0/
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has
> >>>>>>>>>>>> acquired connection for (oc-4200m2-42)
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting
> >>>>>>>>>>>> http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected
> >>>>>>>>>>>> /IPSversions/0/ to oc-4200m2-42:11000
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam
> >>>>>>>>>>>> 2 socket created to connect to oc-4200m2-42
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP:
> >>>>>>>>>>>> connection complete to X.X.X.X:11000 (oc-4200m2-42)
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added: DEFLATE
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start
> >>>>>>>>>>>> body send
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end
> >>>>>>>>>>>> body send
> >>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has
> >>>>>>>>>>>> released connection for (oc-4200m2-42)
> >>>>>>>>>>>>
> >>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>> pkg-discuss mailing list
> >>>>>>>>>>>> [email protected]
> >>>>>>>>>>>> http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
> >>>>>>>>>>>>
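The two-sided check Erik describes above (the client validates the server's certificate; the server, for `<Location /private>`, first requires a client certificate that chains to `SSLCACertificateFile` and then filters on the subject CN with `SSLRequire`) can be modelled as a small authorization function. The following is an added example, not code from the thread or from Apache or IPS: it takes the per-request `SSL_CLIENT_VERIFY` / `SSL_CLIENT_S_DN_CN` values that mod_ssl exports and reproduces the allow/deny decision. The CN `pkg-client@example.org` and all sample requests are constructed for the example; the `[email protected]` in the quoted config is a redacted placeholder, so it is not reused here. The example also goes one step beyond the thread by contrasting the unanchored `m/.../` match in the quoted config with an anchored one.

```python
import re

# Constructed stand-ins for the CN the quoted SSLRequire line is meant to
# accept. mod_ssl evaluates "=~ m/.../" as a Perl-style regex search, so an
# unanchored pattern accepts any CN that merely *contains* the string.
ALLOWED_CN_UNANCHORED = re.compile(r"pkg-client@example\.org")
# Hardened variant: anchor both ends so only the exact CN matches.
ALLOWED_CN_ANCHORED = re.compile(r"^pkg-client@example\.org$")

# Constructed per-request SSL_* environments (the variables mod_ssl exports
# to SSLRequire and CGI). SSL_CLIENT_VERIFY is NONE when no certificate was
# presented, SUCCESS when the chain verified within SSLVerifyDepth against
# SSLCACertificateFile (and passed the CRL if one is configured), and
# FAILED:<reason> otherwise.
SAMPLE_REQUESTS = {
    "no_cert":   {"SSL_CLIENT_VERIFY": "NONE"},
    "bad_chain": {"SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
                  "SSL_CLIENT_S_DN_CN": "pkg-client@example.org"},
    # The situation in the thread: a cert was issued without ever setting a CN.
    "empty_cn":  {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": ""},
    "good":      {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "pkg-client@example.org"},
    # A different cert from the same CA whose CN merely contains the allowed string.
    "lookalike": {"SSL_CLIENT_VERIFY": "SUCCESS",
                  "SSL_CLIENT_S_DN_CN": "pkg-client@example.org.other"},
}


def client_verified(ssl_env):
    """SSLVerifyClient require: the handshake must have produced a client
    certificate that mod_ssl could chain to a trusted CA."""
    return ssl_env.get("SSL_CLIENT_VERIFY") == "SUCCESS"


def authorize(ssl_env, cn_pattern):
    """Reproduce the <Location /private> decision: SSLVerifyClient first,
    then the SSLRequire CN match. Returns (allowed, reason)."""
    if not client_verified(ssl_env):
        return False, "client certificate missing or untrusted: %s" % (
            ssl_env.get("SSL_CLIENT_VERIFY", "NONE"))
    cn = ssl_env.get("SSL_CLIENT_S_DN_CN", "")
    if not cn_pattern.search(cn):
        return False, "CN %r does not satisfy SSLRequire" % cn
    return True, "CN %r accepted" % cn


def evaluate_all():
    """Run every constructed request through both patterns.
    Returns {"unanchored": {name: allowed}, "anchored": {name: allowed}}."""
    return {
        "unanchored": {name: authorize(env, ALLOWED_CN_UNANCHORED)[0]
                       for name, env in SAMPLE_REQUESTS.items()},
        "anchored": {name: authorize(env, ALLOWED_CN_ANCHORED)[0]
                     for name, env in SAMPLE_REQUESTS.items()},
    }


if __name__ == "__main__":
    for label, pattern in (("unanchored", ALLOWED_CN_UNANCHORED),
                           ("anchored", ALLOWED_CN_ANCHORED)):
        print("SSLRequire pattern:", label)
        for name, env in SAMPLE_REQUESTS.items():
            allowed, reason = authorize(env, pattern)
            print("  %-10s %-5s %s" % (name, "allow" if allowed else "deny", reason))
```

Only the `good` request passes the anchored pattern; the unanchored one from the thread also lets `lookalike` through, which is why any `SSLRequire` regex on a DN component should be anchored with `^...$` (or replaced by an exact `eq` comparison). The `empty_cn` case is the one that answers "How do I ensure that?": inspect the client certificate with `openssl x509 -in client.crt -noout -subject` and confirm the CN is present before expecting `SSLRequire` to match it.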
