Hi All,

I'm trying to use Pound as a reverse proxy to multiple Apaches, with SSL and SNI support. I have used the same SSL certificates with Apache and nginx and they worked well with the servername in the Common Name field (CN).
With "pound-2.6c", it doesn't work. Only one SSL certificate works, because the code seems to compare the wrong item from the certificate to the SNI servername. For my certificate it seems to compare the email address "[email protected]" instead of the CN "backup.eikelenboom.it" (that would match the SNI servername).

--
Sander

The info from the certificate:

root@webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform PEM -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, CN=Eikelenboom IT services CA/[email protected]
        Validity
            Not Before: May 1 16:03:45 2010 GMT
            Not After : May 1 16:03:45 2011 GMT
        Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, OU=backup, CN=backup.eikelenboom.it/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
            <SNIP>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
            X509v3 Authority Key Identifier:
                keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
                DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services/CN=Eikelenboom IT services CA/[email protected]
                serial:A8:CF:55:3F:39:E2:FB:60
            X509v3 Issuer Alternative Name:
                email:[email protected]
            X509v3 Subject Alternative Name:
                email:[email protected]
    Signature Algorithm: sha1WithRSAEncryption
    <SNIP>
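Added example (not part of the original post and not Pound's code): selecting the CN by attribute type from a subject in the one-line /TYPE=value form seen in the DirName line above, next to a positional lookup that returns the e-mail address for a subject laid out like the one in this report. The function names and the sample subject are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample in OpenSSL's one-line form; names are placeholders. */
static const char SAMPLE_SUBJECT[] =
    "/C=NL/O=Example/OU=backup/CN=backup.example.test/emailAddress=admin@example.test";

/* Copy the value of the first component whose type is exactly `type`.
 * Returns 1 on success, 0 if absent, empty or too long for `out`.
 * Caveat: a value that itself contains '/' is ambiguous in this text form. */
int subject_attr(const char *subject, const char *type, char *out, size_t outlen)
{
    size_t tlen = strlen(type);
    const char *p = subject;
    while ((p = strchr(p, '/')) != NULL) {
        p++;                                  /* start of "TYPE=value" */
        if (strncmp(p, type, tlen) == 0 && p[tlen] == '=') {
            const char *val = p + tlen + 1;
            size_t vlen = strcspn(val, "/");  /* value ends at next '/' */
            if (vlen == 0 || vlen >= outlen) return 0;
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Positional lookup: returns whatever component happens to come last. */
const char *last_component_value(const char *subject)
{
    const char *last = strrchr(subject, '/');
    const char *eq = last ? strchr(last, '=') : NULL;
    return eq ? eq + 1 : NULL;
}

/* 1 if the SNI server name equals the subject CN (case-insensitive). */
int sni_matches_cn(const char *subject, const char *servername)
{
    char cn[256];
    if (!subject_attr(subject, "CN", cn, sizeof cn)) return 0;
    return strcasecmp(cn, servername) == 0;
}

int main(void)
{
    printf("last component: %s\n", last_component_value(SAMPLE_SUBJECT));
    printf("SNI match: %d\n", sni_matches_cn(SAMPLE_SUBJECT, "backup.example.test"));
    return 0;
}
```

With access to the parsed certificate, the same selection is done on the X509_NAME by NID_commonName rather than on text, which avoids the '/' ambiguity noted in the comment.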
