Seems I have fixed it.
The problem is that the current code assumes the "commonname" to be the last 
item of the Subject, which isn't always true.
The code now should also support multiple CNs in a certificate.

Patch is attached, please review, since C isn't my normal programming language.

--
Sander



Thursday, April 7, 2011, 5:31:24 PM, you wrote:

> Hi All,

> I'm trying to use Pound as a reverse proxy to multiple Apaches, with SSL and 
> SNI support.
> I have used the same SSL certificates with Apache and nginx and they worked 
> well with the servername in the Common Name field (CN).

> With "pound-2.6c", it doesn't work. Only one SSL certificate works, because 
> the code seems to compare the wrong item from the certificate to the SNI 
> servername.
> For my certificate it seems to compare the email address "[email protected]" 
> instead of the CN "backup.eikelenboom.it" (that would match the SNI 
> servername.)

> --
> Sander


> The info from the certificate:

> root@webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform PEM -text

> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 7 (0x7)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, CN=Eikelenboom IT services CA/[email protected]
>         Validity
>             Not Before: May  1 16:03:45 2010 GMT
>             Not After : May  1 16:03:45 2011 GMT
>         Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, OU=backup, CN=backup.eikelenboom.it/[email protected]
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (4096 bit)

>   <SNIP>

>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Server
>             Netscape Comment:
>                 TinyCA Generated Certificate
>             X509v3 Subject Key Identifier:
>                 44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
>             X509v3 Authority Key Identifier:
>                 keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
>                 DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services/CN=Eikelenboom IT services CA/[email protected]
>                 serial:A8:CF:55:3F:39:E2:FB:60

>             X509v3 Issuer Alternative Name:
>                 email:[email protected]
>             X509v3 Subject Alternative Name:
>                 email:[email protected]
>     Signature Algorithm: sha1WithRSAEncryption

>  <SNIP>





-- 
Best regards,
 Sander                            mailto:[email protected]

Attachment: patch.diff
Description: Binary data
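
The failure mode described in this message, as an added example that is not part of the original post and is not Pound's code or the attached patch. It assumes the subject is available in the one-line "/type=value" form that the DirName line above uses; the function names and sample subjects are hypothetical, and the e-mail address is a constructed placeholder.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: returns 1 if any CN component of a one-line subject
 * ("/type=value/type=value...") equals sni_name, ignoring case. */
int subject_cn_matches(const char *subject, const char *sni_name)
{
    size_t want = strlen(sni_name);
    const char *p = subject;

    while ((p = strchr(p, '/')) != NULL) {
        const char *type = ++p;                 /* start of "type=value" */
        const char *end = strchr(type, '/');    /* next component or NULL */
        size_t len = end ? (size_t)(end - type) : strlen(type);

        /* Only look at commonName components, wherever they sit. */
        if (len > 3 && strncasecmp(type, "CN=", 3) == 0) {
            const char *value = type + 3;
            size_t vlen = len - 3;
            if (vlen == want && strncasecmp(value, sni_name, want) == 0)
                return 1;
        }
    }
    return 0;
}

/* Model of the assumption named as the bug: only the last item is compared. */
int last_item_matches(const char *subject, const char *sni_name)
{
    const char *eq = strrchr(subject, '=');
    return eq != NULL && strcasecmp(eq + 1, sni_name) == 0;
}

/* Constructed sample subjects; the e-mail address is a placeholder. */
static const char SUBJ_EMAIL_LAST[] =
    "/C=NL/O=Example/OU=backup/CN=backup.eikelenboom.it"
    "/emailAddress=admin@example.invalid";
static const char SUBJ_TWO_CN[] =
    "/C=NL/CN=www.example.invalid/CN=backup.eikelenboom.it/OU=backup";

int main(void)
{
    const char *sni = "backup.eikelenboom.it";
    printf("last item:  %d\n", last_item_matches(SUBJ_EMAIL_LAST, sni));
    printf("all CNs:    %d\n", subject_cn_matches(SUBJ_EMAIL_LAST, sni));
    printf("second CN:  %d\n", subject_cn_matches(SUBJ_TWO_CN, sni));
    return 0;
}
```

Splitting on "/" breaks if a value itself contains a slash; code that holds the parsed certificate can walk the subject with OpenSSL's `X509_NAME_get_index_by_NID` and `NID_commonName` instead of parsing text.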
