If you remove the fnmatch and replace it with strcasecmp, then wildcard certificates won't match. (i.e. www.domain.org won't match a *.domain.org certificate)
I'll look further at the X509 stuff.

Joe

> -----Original Message-----
> From: Sander Eikelenboom [mailto:[email protected]]
> Sent: Friday, April 08, 2011 3:57 AM
> To: [email protected]
> Cc: [email protected]
> Subject: Re: [Pound Mailing List] pound-2.6c multiple SSL certificates,
> comparing servername to wrong SSL certificate field ?
>
> Seems I have fixed it.
> The problem is that the current code assumes the "commonname" to be the
> last item of the Subject, which isn't always true.
> The code now should also support multiple CN's in a certificate.
>
> Patch is attached, please review, since C isn't my normal programming
> language.
>
> --
> Sander
>
>
> Thursday, April 7, 2011, 5:31:24 PM, you wrote:
>
> > Hi All,
> >
> > I'm trying to use Pound as a reverse proxy to multiple apache's, with SSL and SNI support.
> > I have used the same SSL certificates with apache and nginx and they worked well with the servername in the Common Name field (CN).
> >
> > With "pound-2.6c", it doesn't work. Only one SSL certificate works, because the code seems to compare the wrong item from the certificate to the SNI servername.
> > For my certificate it seems to compare the email address "[email protected]" instead of the CN "backup.eikelenboom.it" (that would match the SNI servername.)
> >
> > --
> > Sander
> >
> > The info from the certificate:
> >
> > root@webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform PEM -text
> >
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number: 7 (0x7)
> >         Signature Algorithm: sha1WithRSAEncryption
> >         Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, CN=Eikelenboom IT services CA/[email protected]
> >         Validity
> >             Not Before: May 1 16:03:45 2010 GMT
> >             Not After : May 1 16:03:45 2011 GMT
> >         Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, OU=backup, CN=backup.eikelenboom.it/[email protected]
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >             RSA Public Key: (4096 bit)
> >
> > <SNIP>
> >
> >         X509v3 extensions:
> >             X509v3 Basic Constraints:
> >                 CA:FALSE
> >             Netscape Cert Type:
> >                 SSL Server
> >             Netscape Comment:
> >                 TinyCA Generated Certificate
> >             X509v3 Subject Key Identifier:
> >                 44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
> >             X509v3 Authority Key Identifier:
> >                 keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
> >                 DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services/CN=Eikelenboom IT services CA/[email protected]
> >                 serial:A8:CF:55:3F:39:E2:FB:60
> >
> >             X509v3 Issuer Alternative Name:
> >                 email:[email protected]
> >             X509v3 Subject Alternative Name:
> >                 email:[email protected]
> >     Signature Algorithm: sha1WithRSAEncryption
> >
> > <SNIP>
> >
> > --
> > To unsubscribe send an email with subject unsubscribe to [email protected].
> > Please contact [email protected] for questions.
>
>
> --
> Best regards,
> Sander                            mailto:[email protected]
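The two points raised in this thread, taking every CN in the Subject rather than the last entry, and keeping wildcard certificates working, as an added C example. This is editor-written illustration code, not Pound's code and not Sander's attached patch. It models the Subject as a constructed array of (type, value) entries in certificate order, mirroring the certificate printed above; real code would walk the X509_NAME with X509_NAME_get_index_by_NID(name, NID_commonName, lastpos) in a loop and read each entry with X509_NAME_get_entry()/X509_NAME_ENTRY_get_data(). The wildcard comparison deliberately does not use fnmatch(3): fnmatch's `*` matches any characters including dots, so a CN of `*` or `*.org` would match every SNI name. The matcher below only accepts `*` as the entire leftmost label, never lets it span a dot, and requires at least two labels after it, so `*.domain.org` still matches `www.domain.org` (the case Joe mentions) but not `a.b.domain.org` or `domain.org`. Note also that the certificate above carries only an email entry in Subject Alternative Name; clients that verify host names look for a dNSName SAN, so matching on CN alone is a server-selection convenience, not a substitute for a proper SAN.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* One attribute of a certificate Subject, in certificate order.
 * Constructed stand-in for what X509_NAME_get_entry() would return. */
struct subject_entry {
    const char *type;    /* short name, e.g. "CN" */
    const char *value;
};

/* Constructed to mirror the Subject shown in the thread: the CN is NOT
 * the last entry, the emailAddress is (address as redacted on the page). */
static const struct subject_entry sample_subject[] = {
    { "C",  "NL" },
    { "ST", "Noord-Brabant" },
    { "L",  "Eindhoven" },
    { "O",  "Eikelenboom IT services" },
    { "OU", "backup" },
    { "CN", "backup.eikelenboom.it" },
    { "emailAddress", "[email protected]" },
};
static const size_t sample_subject_len =
    sizeof sample_subject / sizeof sample_subject[0];

/* Constructed Subject with two CNs (wildcard plus apex), the multiple-CN
 * case the patch description mentions. */
static const struct subject_entry multi_cn_subject[] = {
    { "O",  "Example" },
    { "CN", "*.domain.org" },
    { "CN", "domain.org" },
};
static const size_t multi_cn_subject_len =
    sizeof multi_cn_subject / sizeof multi_cn_subject[0];

/* Compare an SNI host name with one certificate name.
 * Case-insensitive. A wildcard is accepted only as the whole leftmost
 * label ("*.example.org"); it never matches across a '.', and at least
 * two labels must follow it. Everything else is an exact match. */
static bool cert_name_matches(const char *pattern, const char *host)
{
    if (pattern == NULL || host == NULL || *pattern == '\0' || *host == '\0')
        return false;

    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;      /* no wildcard */

    const char *suffix = pattern + 1;               /* ".example.org" */
    if (strchr(suffix, '*') != NULL)                /* only one '*' allowed */
        return false;
    const char *second_dot = strchr(suffix + 1, '.');
    if (second_dot == NULL || second_dot[1] == '\0') /* need ".a.b" */
        return false;

    const char *host_dot = strchr(host, '.');
    if (host_dot == NULL || host_dot == host)       /* non-empty first label */
        return false;
    return strcasecmp(host_dot, suffix) == 0;       /* rest must equal suffix */
}

/* The behaviour the thread describes as the bug: compare only the last
 * Subject entry, which for the sample certificate is the emailAddress. */
static bool match_last_entry(const struct subject_entry *subj, size_t n,
                             const char *host)
{
    if (n == 0)
        return false;
    return cert_name_matches(subj[n - 1].value, host);
}

/* The fix: try every CN in the Subject, in certificate order. */
static bool match_any_cn(const struct subject_entry *subj, size_t n,
                         const char *host)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(subj[i].type, "CN") == 0 &&
            cert_name_matches(subj[i].value, host))
            return true;
    return false;
}

int main(void)
{
    const char *sni = "backup.eikelenboom.it";
    printf("last-entry strategy for %s: %s\n", sni,
           match_last_entry(sample_subject, sample_subject_len, sni) ? "match" : "no match");
    printf("any-CN strategy for %s:     %s\n", sni,
           match_any_cn(sample_subject, sample_subject_len, sni) ? "match" : "no match");
    printf("*.domain.org vs www.domain.org: %d\n",
           cert_name_matches("*.domain.org", "www.domain.org"));
    printf("*.domain.org vs a.b.domain.org: %d\n",
           cert_name_matches("*.domain.org", "a.b.domain.org"));
    return 0;
}
```

Build with a plain `cc -std=c99` and no extra libraries; wiring it to a real X509_NAME is a matter of replacing the constructed array with the X509_NAME_get_index_by_NID loop named above.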
