On Wed, 2010-03-24 at 22:19 -0700, PGNet Dev wrote:
> i've created my own CA ssl cert (CAcert.pem), and server cert (cert.pem).
>
> verifying,
>
> openssl verify -verbose -CAfile /svr/ssl/CAcert.pem -purpose sslserver /svr/ssl/cert.pem
> cert.pem: OK
>
> (and, fwiw, both are used without problem in other applications ...)
>
> in /etc/pound.cfg, i've
>
> ...
> ListenHTTPS
>     Address xx.xx.xx.xx
>     Port 443
>     Cert "/svr/ssl/cert.pem"
>     Ciphers "AES256-SHA"
>     VerifyList "/svr/ssl/CAcert.pem"
> 106 CAlist "/svr/ssl/CAcert.pem"
>     ClientCert 0 1
>     Service
>         URL ".*"
>         HeadRequire "Host:.*test.mydomain.com.*"
>         BackEnd
>             Address 127.0.0.1
>             Port 8043
>         End
>     End
> End
> ...
>
> @ pound service start, i get an error,
>
> line 106: SSL_load_client_CA_file "/svr/ssl/CAcert.pem" failed - aborted
> error:0906D06C:PEM routines:PEM_read_bio:no start line
>
> and pound fails to launch.
>
> if i comment out line_No 106,
>
> -- CAlist "/svr/ssl/CAcert.pem"
> ++ #CAlist "/svr/ssl/CAcert.pem"
>
> pound launches without error, and i can connect just fine (btw, Firefox @ client, with the CA loaded, recognizes the site's cert as valid)
>
> but, of course, without the CAlist spec, i can't get ClientCert checking working.
>
> known bug? or, suggestions as to the problem?
Most likely your CA certificate is not in PEM format. Have a look at whether it contains something like

-----BEGIN CERTIFICATE-----
MIICczCCAdygAwIBAgIBADANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJDSDEL
...
lTHD0JXi1g==
-----END CERTIFICATE-----

BTW, the CAlist has nothing to do with the client certificate authentication, but rather it tells the client which of its certificates to present if it has more than one.

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19
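The check Robert suggests, as an added example that is not part of the thread and is neither Pound's nor OpenSSL's own code: a small POSIX shell script that tests whether a CA file is PEM-encoded (the only encoding SSL_load_client_CA_file, via PEM_read_bio, accepts; "no start line" is exactly what PEM_read_bio reports when it is handed DER), and converts a DER file to PEM when it is not. It assumes only the openssl command-line tool is installed; the subject name "Example Test CA", the file names and the helper function names are invented for the example, and the throwaway CA it generates is constructed sample input, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the Pound list thread): detect whether a CA file is PEM,
# which SSL_load_client_CA_file / PEM_read_bio require, and convert DER to PEM
# when it is not. Needs the openssl CLI; file and subject names are made up.

# is_pem_cert FILE -> exit 0 if FILE holds a parseable PEM certificate block
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    openssl x509 -in "$1" -inform PEM -noout >/dev/null 2>&1
}

# der_to_pem IN OUT -> rewrite a DER certificate as PEM; fails if IN is not DER
der_to_pem() {
    openssl x509 -in "$1" -inform DER -out "$2" -outform PEM 2>/dev/null
}

# ensure_pem_ca FILE OUT -> write a PEM copy of FILE to OUT whatever its encoding,
# print the encoding found (PEM or DER); exit 1 if FILE is not a certificate at all
ensure_pem_ca() {
    if is_pem_cert "$1"; then
        cp "$1" "$2" && echo PEM
    elif der_to_pem "$1" "$2"; then
        echo DER
    else
        echo "not an X.509 certificate in PEM or DER form: $1" >&2
        return 1
    fi
}

# make_test_ca DIR -> constructed sample input: a throwaway self-signed CA
# written in both encodings (hypothetical subject; valid for one day only)
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" \
        -out "$1/ca.pem" -subj "/CN=Example Test CA" -days 1 >/dev/null 2>&1 &&
    openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.der"
}

# ca_subject FILE -> subject of a PEM certificate, to confirm the round trip
ca_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Stand-alone demo: ./check_ca.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_ca "$d"
    ensure_pem_ca "$d/ca.der" "$d/ca-fixed.pem"   # prints DER
    ca_subject "$d/ca-fixed.pem"
    rm -rf "$d"
fi
```

Once the file passes is_pem_cert, point CAlist at the converted copy. A useful follow-up check from a client machine is openssl s_client -connect host:443, which, when the server asks for a client certificate, prints the "Acceptable client certificate CA names" it received in the CertificateRequest; the CA subject from the PEM file should appear there.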
