On Tue, May 25, 2010 at 10:29 AM, Jose Negreira <[email protected]> wrote:
> Hi Joe
>
> we are using a pre-compiled pound package from a solaris repository:
> http://www.blastwave.org/jir/pkgcontents.ftd?softwarepound2&stylebrief&state5&archsparc
> we download the binaries for sparc or intel machine accordingly.
> The information about the package:
>   software     pound2
>   pkgname      CSWpound2
>   description  2.x branch of the Pound reverse proxy, load balancer and
>                HTTPS front-end for Web server(s)
>   vendor url   http://www.apsis.ch/pound/
>   version      2.4.4
>   revision     2009-01-15
>
> The apache configuration to add the certificate in the HEADER that
> goes to the pound is:
> in general config:
>   SSLOptions +StdEnvVars +ExportCertData +CompatEnvVars +StrictRequire
>   RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e
> in the location that goes through the pound
>   <Location /application/html/acceso>
>     SSLVerifyClient require
>     SSLVerifyDepth 10
>     SSLOptions +StdEnvVars +ExportCertData
>     ProxyPass http://localhost:50238/application/html/acceso
>     ProxyPassReverse http://localhost:50238/application/html/acceso
>   </Location>
>
> best regards
> José
>
> On Tue, May 25, 2010 at 12:40 AM, Joe Gooch <[email protected]> wrote:
>> What options did you give to configure when you compiled pound? (line
>> 6-8ish of config.log)
>> Which HTTP header contains the certificate?
>>
>> Thanks.
>> Joe
>>
>>> -----Original Message-----
>>> From: Jose Negreira [mailto:[email protected]]
>>> Sent: Monday, May 24, 2010 6:22 PM
>>> To: [email protected]
>>> Subject: [Pound Mailing List] http header 2048 bytes certificate
>>> truncated by pound
>>>
>>> Hi
>>> we are from Galicia, a region in northwest of Spain.
>>> We are using pound balancer and I would like to subscribe to the
>>> mailing list in order to try to get some help with http header
>>> certificates through pound.
>>>
>>> In our tests it seems certificates of 2048 bytes (like id card from
>>> Spain) are truncated when passing through pound (lost 53 bytes) at
>>> http header.
>>> Pound is listening just http, no https.
>>> Other http header certificates (of 1024 bytes long) go through pound
>>> without problem.
>>> If I remove the pound between apache and backend, 2048 bytes
>>> certificates then work.
>>>
>>> the configuration is simply:
>>>
>>> #balancer for webspace
>>> ListenHTTP
>>>     Address localhost
>>>     Port 50328
>>>     Service
>>>         BackEnd
>>>             Address 10.61.10.53
>>>             Port 28082
>>>             Timeout 180
>>>             Priority 5
>>>         End
>>>         Emergency
>>>             Address 10.61.10.63
>>>             Port 28082
>>>         End
>>>     End
>>> End
>>>
>>> many thanks in advance
>>>
>>> Jose Negreira
>>> Xunta de Galicia
>>> Spain
>>>
>>> --
>>> To unsubscribe send an email with subject unsubscribe to
>>> [email protected].
>>> Please contact [email protected] for questions.

Hi

the problem was that the problematic pound was an old version (v2.1 on redhat).
The Solaris version (v2.4.4) works fine with the 2048Kbytes certificate.
So, the solution is an upgrade.

bye
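
An added example, not part of the thread and not Pound or Apache code: a backend-side check that detects when a certificate forwarded in a header such as SSL_CLIENT_CERT arrives cut short, by comparing the decoded bytes with the length declared in the certificate's outer DER SEQUENCE. The function names are hypothetical and the sample is a constructed DER-shaped blob standing in for a real certificate.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_declared_length(der: bytes) -> int:
    """Total size (header + content) claimed by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_forwarded_cert(header_value: str):
    """Return (ok, reason) for a PEM certificate received in an HTTP header."""
    value = header_value.strip()
    if not value.startswith(BEGIN):
        return False, "missing BEGIN marker"
    # Base64 never contains '-', so cut at the first dash after BEGIN; this
    # also copes with an END marker that was itself cut in half.
    body = value[len(BEGIN):].split("-", 1)[0]
    b64 = re.sub(r"\s+", "", body)          # proxies may fold newlines to spaces
    b64 = b64[:len(b64) // 4 * 4]           # decode only whole 4-char groups
    try:
        der = base64.b64decode(b64, validate=True)
        declared = der_declared_length(der)
    except (binascii.Error, ValueError) as exc:
        return False, f"undecodable certificate: {exc}"
    if len(der) < declared:
        return False, f"truncated: {declared - len(der)} of {declared} DER bytes missing"
    if not value.endswith(END):
        return False, "missing END marker"
    return True, f"complete: {declared} DER bytes"

def sample_header() -> str:
    """Constructed stand-in: a 1200-byte DER-shaped blob, not a real certificate."""
    der = b"\x30\x82" + (1196).to_bytes(2, "big") + bytes(1196)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return " ".join([BEGIN, *lines, END])

if __name__ == "__main__":
    full = sample_header()
    print(check_forwarded_cert(full))        # intact header
    print(check_forwarded_cert(full[:-53]))  # tail lost in transit
```

Logging the reason at the backend separates a header shortened in transit from a certificate that is complete but fails validation.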
