And...
now scratch my last email too as I found I was using an old client cert! LOL
(Slaps forehead!)
All is working perfectly now, though I wish I could use the following that I had
in Apache's httpd.conf:
<IfDefine SSL>
    SSLRequireSSL
    SSLRequire %{SSL_CLIENT_S_DN_O} req "CompanyName" and
               %{SSL_CLIENT_S_DN_OU} in {"CompanyDept"}
</IfDefine>
It added another level of security in checking the uniqueness of client certs.
But I'm waaay impressed by Pound and what it can do - client cert auth handled
by Pound is so cool and saves me so much fuss with backend auths. :D
(Now to post another email asking how to redirect in the way I need to the
second backend without changing the docroot on that server. =)
Thanks!
________________________________
From: Pound Rproxy <[email protected]>
To: [email protected]
Sent: Mon, March 14, 2011 1:12:20 AM
Subject: Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
Hi Dave,
Scratch my last email - I found: ClientCert.
I use:
ClientCert 2 2
to force using a client cert and 2 deep (hopefully mirroring 'SSLVerifyDepth 2'
that I had in 141's apache httpd.conf before moving ssl to pound).
This gives me the error:
Peer does not recognize and trust the CA that issued your certificate.
(Error code: ssl_error_unknown_ca_alert)
So I'm on the right track but it looks like I need to include CAlist and
VerifyList.
I read about (and hopefully understood) the difference between these but my
trouble begins when trying to understand how to correctly create them.
For VerifyList, I:
openssl x509 -in my_CA.crt -out my_CA.pem
For CAlist, I:
cat my_CA.pem > my_CA_list.pem
These are accepted by pound, but now the browser error I get is:
The connection to the server was reset while the page was loading.
I think I have the VerifyList pem made properly, but I'm unsure if the CAlist is
really just a copy of my_CA.pem (if only one CA is listed as in my situation).
Where may I be going wrong above?
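Worked example added here, not code from the thread or from the Pound project: a shell script that uses openssl to build a throwaway two-level CA and client cert, assembles the PEM bundles that the VerifyList and CAlist directives discussed above read, and applies the same O/OU rule as the Apache SSLRequire block quoted in the thread. It assumes VerifyList is the trust store Pound verifies client chains against and CAlist the CA names it advertises to the browser; all names (Demo Root CA, alice, mallory) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Pound project: a throwaway
# two-level CA built with openssl, the PEM bundles that Pound's VerifyList
# and CAlist read, and the O/OU policy the Apache SSLRequire rule enforced.
# All names (Demo Root CA, alice, mallory, CompanyName/CompanyDept) are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
q() { "$@" >/dev/null 2>&1; }   # run a command with openssl's chatter hidden

# Root CA -> intermediate CA -> client cert: a chain 2 deep, which is what
# the thread's "ClientCert 2 2" (like Apache's SSLVerifyDepth 2) permits.
q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout root.key -out root.pem
printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
q openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout inter.key -out inter.csr
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.pem
q openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
    -subj "/O=CompanyName/OU=CompanyDept/CN=alice"
q openssl x509 -req -in alice.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 1 -out alice.pem
# A cert from an unrelated CA: the case behind ssl_error_unknown_ca_alert.
q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout other.key -out other.pem \
    -subj "/O=CompanyName/OU=CompanyDept/CN=mallory"

# VerifyList: every CA cert needed to verify the client chain (root + intermediate).
# CAlist: the CA names Pound advertises to the browser so it offers the right
# client cert; with a single in-house CA it is the same bundle, as in the thread.
cat root.pem inter.pem > verify_list.pem
cp verify_list.pem ca_list.pem

# Does the client cert chain to VerifyList within 2 hops? (what ClientCert checks)
chain_ok() { q openssl verify -CAfile verify_list.pem -verify_depth 2 "$1"; }

# Value of one subject attribute, e.g. dn_field alice.pem OU. Uses the RFC 2253
# form; the constructed DNs contain no escaped commas, which this split ignores.
dn_field() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}
# Same policy as the SSLRequire block: O must be CompanyName and OU CompanyDept.
dn_allowed() {
    [ "$(dn_field "$1" O)" = "CompanyName" ] && [ "$(dn_field "$1" OU)" = "CompanyDept" ]
}

chain_ok alice.pem && dn_allowed alice.pem && echo "alice: trusted CA and allowed DN"
chain_ok other.pem || echo "mallory: unknown CA, rejected before any DN check"
```

Point Pound's VerifyList at verify_list.pem and CAlist at ca_list.pem; the DN rule is what a backend (or Pound's HeadRequire on a forwarded DN header) would still have to enforce, since ClientCert only checks the chain.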
________________________________
From: Pound Rproxy <[email protected]>
To: [email protected]
Sent: Sun, March 13, 2011 5:55:34 PM
Subject: Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
Thanks Dave,
I found my prob (not pound ;-) and things are _partly_ working now -
https is working for the first server (let's ignore the second server =)
__but__ it doesn't care if I use a private key or not - so anyone can see the
self-signed cert, accept it, and visit the site behind it.
I'm not sure how to configure pound to check for a private key in the user's
browser.
Before I created the single pem file (from .crt and .key) to use on pound, the
machine with the self-signed cert was only visible to client browsers with a
private key.
This access restriction was created in the apache httpd.conf file with the
following:
<Directory />
    ...normal stuff...
    <IfDefine SSL>
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_O} req "CompanyName" and
                   %{SSL_CLIENT_S_DN_OU} in {"CompanyDept"}
    </IfDefine>
</Directory>
and:
SSLEngine On
SSL Cert dirs...
----> SSLVerifyClient require
etc
The only way I can imagine doing the same now, would be to run apache on the same
server as pound, but I don't want that, and I doubt this would stick for backend
servers I want pound to redirect to.
Perhaps I should still enable ssl eg 'SSLVerifyClient require' etc on apache on
the first backend 141? This is the server that did this before I tried pound.
The only other option I see is to create the PEM on 141 and move it to the pound
server, but again, where does pound require the private key to access the
self-signed cert and backends?
My goal in using pound is to have one pem file on it, and direct a few
restricted users each with a private key to backend servers, all viewed in
https.
Please keep the suggestions coming, I'm slowly learning here! :D
________________________________
From: Dave Steinberg <[email protected]>
To: [email protected]
Sent: Sun, March 13, 2011 4:01:46 AM
Subject: Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
On 3/12/2011 4:18 AM, Pound Rproxy wrote:
> I currently have a server that has a self-signed SSL cert and viewing it is
> restricted by using a private key that's been exported to Firefox.
> I want to put Pound in front of this and 1 other server, so that both are using
> the same https listener in pound.cfg and the same private key on the client end
> for restricting access.
>
> My confusion is mostly around where to generate the server.pem for Pound.
> Do I generate the server.pem and private browser key on the pound server or
> import the server.pem from a backend server?
It doesn't matter where they are generated. A PEM file is just a
private key + certificate, you can make it anywhere.
> If the second option, does this mean I can only have one SSL backend per Pound
> instance?
You can have many ListenHTTPS directives per pound instance, it has
nothing to do with the certificates used.
> I'm just at the point of testing now (creating keys takes me a while) and have
> created a new CA, self-signed cert, pem file, and private key on the Pound
> server.
> I have commented out all SSL stuff in the Apache httpd.conf files on both
> backend servers so now they should just pass http requests back to Pound.
> I've tested that each backend resolves with http and without need for a private
> key, as I want Pound to handle this.
> But I can't get Pound to resolve the backends. Am I doing something wrong or
> that isn't possible?
>
> Here's my pound.cfg so far:
>
> ListenHTTPS
>     Address 192.168.1.140
>     Port 443
>     Cert "/usr/etc/server.pem"
>     LogLevel 2
>
>     Service
>         BackEnd
>             Address 192.168.1.141
>             Port 8080
>         End
>     End
>
>     Service
>         BackEnd
>             Address 192.168.1.142
>             Port 8083
>         End
>     End
>
> End
Your config looks fine. What happens when you hit it, specifically?
Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/
--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.