Apparently the client certificate validation in Pound v2.1 is broken (in my case), while it works readily in the current release v2.4.3.
I would like to know why, because the v2.1 Pound I am using has some custom patches I would prefer not to have to port to v2.4.3.

To test I built:

  - v2.1 patched
  - v2.1 unmodified
  - v2.4.3 unmodified

and tried all of these with the same Pound config file. Only the 2.4.3 version works.

The problems I encountered with v2.1 are identical to those described by Eckard Koch in a previous thread (http://www.apsis.ch/pound/pound_list/archive/2006/2006-02/1140153406000).

Any insight into how to correct this in v2.1 would be appreciated. It may be that I have done something wrong (which works in v2.4.3)? In my case the CA used to sign the client certs is self-created and is the only CA in both CAlist and VerifyList. Details below.

Thank you,
Stephen Quintero

DETAILS:

The config file is:

  User "nobody"
  Group "nobody"
  Daemon 1
  LogLevel 0
  Alive 10

  Service
    BackEnd
      Address http
      Port 80
      TimeOut 300
    End
  End

  ListenHTTPS
    Address 192.168.123.74
    Port 443
    Client 20
    Cert "/mnt/key/server.pem"
    HeadRemove "X-Forwarded-Proto"
    AddHeader "X-Forwarded-Proto: https"
    ClientCert 2 1
    CAlist "/mnt/key/CAlist.pem"
    VerifyList "/mnt/key/VerifyList.pem"
  End

  ListenHTTP
    Address 192.168.123.74
    Port 80
    Client 15
    RewriteLocation 0
    Service
      BackEnd
        Address 127.0.0.1
        Port 80
      End
    End
  End

The CA and certs were generated with OpenSSL as follows:

To create the CA:

  mkdir demoCA
  mkdir demoCA/private
  openssl genrsa -des3 -out demoCA/private/CA_key.pem 2048
  openssl req -new -key demoCA/private/CA_key.pem -x509 -days 365 -out demoCA/CA_cert.cer

To make a signed client cert:

  openssl genrsa -out clientA_privkey.pem 2048
  openssl req -new -key clientA_privkey.pem -out clientA_request.csr
  openssl x509 -req -days 365 -in clientA_request.csr -CA demoCA/CA_cert.cer -CAkey demoCA/private/CA_key.pem -CAcreateserial -out clientA.cer

To combine client key and cert and convert to pkcs12 format (for Firefox):

  openssl pkcs12 -export -in clientA.cer -inkey clientA_privkey.pem -out clientA.p12

To create CAlist.pem (which is identical to VerifyList.pem):

  cat demoCA/private/CA_key.pem demoCA/CA_cert.cer > CAlist.pem

To test the SSL handshake from a remote server:

  openssl s_client -host 192.168.123.74 -port 443 -showcerts -ssl3 -cert clientA.cer -key clientA_privkey.pem -state
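A sanity check for the CAlist/VerifyList files built in the post, added here as an example and not code from the thread or from Pound: it parses a PEM bundle, counts blocks that are plausibly DER-encoded certificates, and flags private-key blocks, which the `cat CA_key.pem CA_cert.cer > CAlist.pem` step above would put into the file. The sample bundle is constructed (a minimal DER SEQUENCE stands in for a real CA certificate); the function names are the example's own.

```python
import base64
import binascii
import re

# One PEM block: group 1 is the label, group 2 the base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}

def der_outer_ok(der: bytes) -> bool:
    """True if der is exactly one complete DER SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        length, hdr = der[1], 2
    else:                                  # long-form length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)

def check_ca_bundle(text: str) -> dict:
    """Inspect a CAlist/VerifyList style PEM bundle before handing it to Pound."""
    report = {"certificates": 0, "private_keys": 0, "problems": []}
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            report["problems"].append(f"{label}: body is not valid base64")
            continue
        if label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            report["problems"].append(f"{label}: private key in a CA list; remove it "
                                      "and treat the key as exposed if the file was copied")
        elif label in CERT_LABELS and der_outer_ok(der):
            report["certificates"] += 1
        else:
            report["problems"].append(f"{label}: not a DER-encoded certificate block")
    if report["certificates"] == 0:
        report["problems"].append("no usable certificate found")
    return report

# Constructed sample input (not real credentials): a minimal DER SEQUENCE stands in for
# the CA cert; the key block mimics "cat CA_key.pem CA_cert.cer > CAlist.pem" from the post.
FAKE_CERT_B64 = base64.b64encode(bytes.fromhex("3003020101")).decode()
CERT_BLOCK = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT_B64}\n-----END CERTIFICATE-----\n"
KEY_BLOCK = "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n"
CALIST_AS_POSTED = KEY_BLOCK + CERT_BLOCK   # key + cert, as in the post
CALIST_FIXED = CERT_BLOCK                   # CA certificate(s) only
```

On a real file, `openssl verify -CAfile CAlist.pem clientA.cer` is the complementary check that the chain actually validates against the bundle.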
