Hi Dave,

Scratch my last email - I found: ClientCert.

I use:

    ClientCert 2 2

to force using a client cert and 2 deep (hopefully mirroring 'SSLVerifyDepth 2' that I had in 141's apache httpd.conf before moving ssl to pound). This gives me the error:

    Peer does not recognize and trust the CA that issued your certificate.
    (Error code: ssl_error_unknown_ca_alert)

So I'm on the right track but it looks like I need to include CAlist and VerifyList. I read about (and hopefully understood) the difference between these but my trouble begins when trying to understand how to correctly create them.

For VerifyList, I:

    openssl x509 -in my_CA.crt -out my_CA.pem

For CAlist, I:

    cat my_CA.pem > my_CA_list.pem

These are accepted by pound, but now the browser error I get is:

    The connection to the server was reset while the page was loading.

I think I have the VerifyList pem made properly, but I'm unsure if the CAlist is really just a copy of my_CA.pem (if only one CA is listed as in my situation).

Where may I be going wrong above?

________________________________
From: Pound Rproxy <[email protected]>
To: [email protected]
Sent: Sun, March 13, 2011 5:55:34 PM
Subject: Re: [Pound Mailing List] Using Private Key for Client Auth with Pound

Thanks Dave,

I found my prob (not pound ;-) and things are _partly_ working now - https is working for the first server (let's ignore the second server =) __but__ it doesn't care if I use a private key or not - so anyone can see the self-signed cert, accept it, and visit the site behind it.

I'm not sure how to configure pound to check for a private key in the user's browser. Before I created the single pem file (from .crt and .key) to use on pound, the machine with the self-signed cert was only visible to client browsers with a private key. This access restriction was created in the apache httpd.conf file with the following:

    <Directory />
        ...normal stuff...
        <IfDefine SSL>
            SSLRequireSSL
            SSLRequire %{SSL_CLIENT_S_DN_O} req "CompanyName" and %{SSL_CLIENT_S_DN_OU} in {"CompanyDept"}
        </IfDefine>
    </Directory>

and:

    SSLEngine On
    SSL Cert dirs...
    ----> SSLVerifyClient require
    etc

The only way I can imagine doing the same now would be to run apache on the same server as pound, but I don't want that, and I doubt this would stick for backend servers I want pound to redirect to.

Perhaps I should still enable ssl eg 'SSLVerifyClient require' etc on apache on the first backend 141? This is the server that did this before I tried pound.

The only other option I see is to create the PEM on 141 and move it to the pound server, but again, where does pound require the private key to access the self-signed cert and backends?

My goal in using pound is to have one pem file on it, and direct a few restricted users each with a private key to backend servers, all viewed in https.

Please keep the suggestions coming, I'm slowly learning here! :D

________________________________
From: Dave Steinberg <[email protected]>
To: [email protected]
Sent: Sun, March 13, 2011 4:01:46 AM
Subject: Re: [Pound Mailing List] Using Private Key for Client Auth with Pound

On 3/12/2011 4:18 AM, Pound Rproxy wrote:
> I currently have a server that has a self-signed SSL cert and viewing it is
> restricted by using a private key that's been exported to Firefox.
> I want to put Pound in front of this and 1 other server, so that both are using
> the same https listener in pound.cfg and the same private key on the client end
> for restricting access.
>
> My confusion is mostly around where to generate the server.pem for Pound.
> Do I generate the server.pem and private browser key on the pound server or
> import the server.pem from a backend server?

It doesn't matter where they are generated. A PEM file is just a private key + certificate, you can make it anywhere.

> If the second option, does this mean I can only have one SSL backend per Pound
> instance?

You can have many ListenHTTPS directives per pound instance, it has nothing to do with the certificates used.

> I'm just at the point of testing now (creating keys takes me a while) and have
> created a new CA, self-signed cert, pem file, and private key on the Pound
> server.
> I have commented out all SSL stuff in the Apache httpd.conf files on both
> backend servers so now they should just pass http requests back to Pound.
> I've tested that each backend resolves with http and without need for a private
> key, as I want Pound to handle this.
> But I can't get Pound to resolve the backends. Am I doing something wrong or
> that isn't possible?
>
> Here's my pound.cfg so far:
>
> ListenHTTPS
>     Address 192.168.1.140
>     Port    443
>     Cert    "/usr/etc/server.pem"
>     LogLevel 2
>
>     Service
>         BackEnd
>             Address 192.168.1.141
>             Port    8080
>         End
>     End
>
>     Service
>         BackEnd
>             Address 192.168.1.142
>             Port    8083
>         End
>     End
>
> End

Your config looks fine. What happens when you hit it, specifically?

Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/

--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
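For reference, the quoted listener extended with the three directives the thread circles around (ClientCert, CAlist, VerifyList), as an added example that is not the poster's config or anything from the list; the file paths for the CA certificate are assumed. Without ClientCert the listener behaves as described in the second message: anyone who accepts the server certificate reaches the backends.

```conf
# Added example pound.cfg, not from the thread. Assumed paths:
#   /usr/etc/server.pem   server private key + certificate (as in the quoted config)
#   /usr/etc/my_CA.pem    the issuing CA certificate in PEM form
ListenHTTPS
    Address 192.168.1.140
    Port    443
    Cert    "/usr/etc/server.pem"
    LogLevel 2

    # Require a client certificate (mode 2: ask, and fail the handshake if
    # none is presented) and accept a chain up to 2 certificates deep,
    # the counterpart of Apache's SSLVerifyDepth 2.
    ClientCert 2 2

    # CA certificates whose names are sent to the browser in the certificate
    # request, so it knows which client certificate to offer. With a single
    # CA this file holds just that one CA certificate.
    CAlist     "/usr/etc/my_CA.pem"

    # CA certificates used to verify the chain the browser presents.
    # With one CA this can be the same file as CAlist.
    VerifyList "/usr/etc/my_CA.pem"

    Service
        BackEnd
            Address 192.168.1.141
            Port    8080
        End
    End

    Service
        BackEnd
            Address 192.168.1.142
            Port    8083
        End
    End
End
```

Both files must be PEM-format CA certificates; a client certificate issued by a CA absent from VerifyList fails the handshake rather than being passed to a backend.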
