On Thu, Nov 6, 2008 at 12:19 PM, Nigel Kersten <[EMAIL PROTECTED]> wrote:

>> If you look at the source, you'll notice that the certificate is written
>> to the back-end regardless of line length. The message you see is
>> generated when Pound sees a certificate-type line on input, which should
>> never happen.
>>
>> I suggest you sniff the sockets between the client and Pound, as well as
>> Pound to back-end, to see where the header is generated. We'll take it
>> from there.
>
>
> I don't believe this is what's happening in my case, Robert. I've
> double-checked the traffic and there's no certificate-type header
> being sent on input.
>
> If you would like I can send you some decoded ssl traffic off-list.
>
>
> Perhaps this might clarify things.
>
> From adding a few debug statements, here are where the various
> complaints in get_line() are being called from:
>
> pound: (40081960) line too long:         CN = 77bd8e13-8851-4d7e-befd-0ee55dd8b014 [1024]
>
> is triggered from this section of code in http.c around line 893 in Pound 2.4.3
>
>        /* if SSL put additional headers for client certificate */
>        if(cur_backend->be_type == 0 && ssl != NULL) {
>            SSL_CIPHER  *cipher;
>
>            if(lstn->clnt_check > 0 && x509 != NULL && (bb = BIO_new(BIO_s_mem())) != NULL) {
>                X509_NAME_print_ex(bb, X509_get_subject_name(x509), 8, XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
>                get_line(bb, buf, MAXBUF);
>
>
> this log line:
>
> pound: (40081960) line too long:         CN = sshoveler.mtv.corp.google.com [1024]
>
> is triggered from line 911:
>
>                X509_NAME_print_ex(bb, X509_get_issuer_name(x509), 8, XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
>                get_line(bb, buf, MAXBUF);
>
>
> this log line:
>
> pound: (40081960) line too long: Oct 23 16:45:22 2008 GMT [1024]
>
> from line 924:
>
>                ASN1_TIME_print(bb, X509_get_notBefore(x509));
>                get_line(bb, buf, MAXBUF);
>
> and this log line:
>
> pound: (40081960) line too long: Oct 22 16:45:22 2013 GMT [1024]
>
> from line 937:
>
>                ASN1_TIME_print(bb, X509_get_notAfter(x509));
>                get_line(bb, buf, MAXBUF);
>

Did that provide any useful info, Robert?

-- 
Nigel Kersten
Systems Administrator
Tech Lead - MacOps
