I've created my own CA SSL cert (CAcert.pem) and server cert (cert.pem).
Verifying:
openssl verify -verbose -CAfile /svr/ssl/CAcert.pem -purpose sslserver /svr/ssl/cert.pem
cert.pem: OK
(and, FWIW, both are used without problem in other applications ...)
In /etc/pound.cfg, I've
...
ListenHTTPS
    Address xx.xx.xx.xx
    Port 443
    Cert "/svr/ssl/cert.pem"
    Ciphers "AES256-SHA"
    VerifyList "/svr/ssl/CAcert.pem"
106 CAlist "/svr/ssl/CAcert.pem"
    ClientCert 0 1
    Service
        URL ".*"
        HeadRequire "Host:.*test.mydomain.com.*"
        BackEnd
            Address 127.0.0.1
            Port 8043
        End
    End
End
...
At pound service start, I get an error:
line 106: SSL_load_client_CA_file "/svr/ssl/CAcert.pem" failed - aborted
error:0906D06C:PEM routines:PEM_read_bio:no start line
and pound fails to launch.
If I comment out line 106,
-- CAlist "/svr/ssl/CAcert.pem"
++ #CAlist "/svr/ssl/CAcert.pem"
pound launches without error, and I can connect just fine (BTW,
Firefox at the client, with the CA loaded, recognizes the site's cert as
valid).
But, of course, without the CAlist spec, I can't get ClientCert
checking working.
Known bug? Or suggestions as to the problem?
Thanks!
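An added diagnostic for the error above; it is not part of the original post and not Pound's or OpenSSL's code. The point it checks: VerifyList and `openssl verify -CAfile` load the file through an X509_STORE, whose PEM reader accepts "TRUSTED CERTIFICATE" blocks (what `openssl x509 -trustout` writes) as well as plain "CERTIFICATE" blocks, whereas CAlist calls SSL_load_client_CA_file(), which reads with PEM_read_bio_X509() and only matches "CERTIFICATE" / "X509 CERTIFICATE". A file with no block of the latter kind, a DER file, or a BOM in front of the first marker all end with PEM_R_NO_START_LINE from that path even when the store-based load works. Whether that is what is wrong with /svr/ssl/CAcert.pem is not known from the post; the script only reports which of these conditions a given file has. The sample inputs are constructed stand-ins (a 5-byte DER SEQUENCE, not a real certificate), and the filename pemcheck.py is an assumption.

```python
"""pemcheck: explain why OpenSSL's PEM reader might say "no start line".

SSL_load_client_CA_file() (Pound's CAlist) parses with PEM_read_bio_X509(),
which accepts only the labels in CLIENT_CA_LABELS.  X509_STORE loading
(Pound's VerifyList, `openssl verify -CAfile`) also takes TRUSTED CERTIFICATE.
"""
import base64
import binascii
import re
import sys
from dataclasses import dataclass, field
from typing import List

# Labels PEM_read_bio_X509() matches; "TRUSTED CERTIFICATE" is deliberately absent.
CLIENT_CA_LABELS = ("CERTIFICATE", "X509 CERTIFICATE")

MARKER_RE = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----\s*$")


@dataclass
class PemReport:
    labels: List[str] = field(default_factory=list)  # every BEGIN label, in file order
    client_ca_blocks: int = 0                         # blocks SSL_load_client_CA_file would accept
    problems: List[str] = field(default_factory=list)

    def client_ca_ok(self) -> bool:
        return self.client_ca_blocks > 0 and not self.problems


def scan_pem(data: bytes) -> PemReport:
    rep = PemReport()
    if data.startswith(b"\xef\xbb\xbf"):
        # OpenSSL compares raw bytes at column 0, so a BOM hides the first marker.
        rep.problems.append("UTF-8 BOM before the first line")
        data = data[3:]
    lines = data.decode("latin-1").splitlines()  # CRLF is fine: OpenSSL strips trailing whitespace
    i = 0
    while i < len(lines):
        m = MARKER_RE.search(lines[i])
        if m is None or m.group(1) != "BEGIN":
            i += 1
            continue
        if not lines[i].startswith("-----BEGIN "):
            rep.problems.append(f"line {i + 1}: BEGIN marker not at column 0; OpenSSL skips it")
            i += 1
            continue
        label = m.group(2)
        rep.labels.append(label)
        body, j = [], i + 1
        while j < len(lines) and not lines[j].startswith("-----END "):
            body.append(lines[j].strip())
            j += 1
        if j == len(lines):
            rep.problems.append(f"line {i + 1}: BEGIN {label} without END")
            break
        e = MARKER_RE.search(lines[j])
        if e is None or e.group(2) != label:
            rep.problems.append(f"line {j + 1}: END does not match BEGIN {label} (OpenSSL: bad end line)")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError):
            der = b""
            rep.problems.append(f"line {i + 1}: {label} body is not valid base64")
        if der and der[:1] != b"\x30":
            rep.problems.append(f"line {i + 1}: {label} body is not a DER SEQUENCE")
        elif der and label in CLIENT_CA_LABELS:
            rep.client_ca_blocks += 1
        i = j + 1
    if not rep.labels:
        rep.problems.append("no -----BEGIN marker at all (DER/PKCS#12/empty file): this is 'no start line'")
    elif rep.client_ca_blocks == 0:
        rep.problems.append("no CERTIFICATE block (labels: %s); PEM_read_bio_X509 ignores these, "
                            "so SSL_load_client_CA_file also ends with 'no start line'"
                            % ", ".join(sorted(set(rep.labels))))
    return rep


# Constructed stand-in "certificate": DER SEQUENCE { INTEGER 1 }, not a real X.509 cert.
FAKE_DER = b"\x30\x03\x02\x01\x01"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()
SAMPLES = {
    "plain-certificate": f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n".encode(),
    "trusted-only": f"-----BEGIN TRUSTED CERTIFICATE-----\n{FAKE_B64}\n-----END TRUSTED CERTIFICATE-----\n".encode(),
    "der-not-pem": FAKE_DER,
    "bom-prefixed": b"\xef\xbb\xbf" + f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n".encode(),
}


def main(argv: List[str]) -> None:
    if len(argv) > 1:  # e.g. python3 pemcheck.py /svr/ssl/CAcert.pem
        with open(argv[1], "rb") as fh:
            items = [(argv[1], fh.read())]
    else:
        items = list(SAMPLES.items())
    for name, blob in items:
        r = scan_pem(blob)
        print(f"{name}: labels={r.labels} client_ca_blocks={r.client_ca_blocks} usable_for_CAlist={r.client_ca_ok()}")
        for p in r.problems:
            print("   -", p)


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the CAlist file; a report of "no CERTIFICATE block" with a TRUSTED CERTIFICATE label, or "no -----BEGIN marker at all", would match the SSL_load_client_CA_file failure while leaving `openssl verify -CAfile` and VerifyList working. If the file is in one of those forms, `openssl x509 -in CAcert.pem -out CAcert-plain.pem` (with `-inform DER` for a DER file) rewrites it as a plain CERTIFICATE block that both loaders accept.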