Ah didn't think of the wildcard case, stupid of me ... But the fnmatch seemed to result in a segfault while matching. Seems I still have a problem: initially it seems to parse all 4 certificates from the config file. While matching, there only seem to be 2 left (the first and the last).

Friday, April 8, 2011, 7:06:21 PM, you wrote:

> If you remove the fnmatch and replace it with strcasecmp, then wildcard
> certificates won't match. (i.e. www.domain.org won't match a *.domain.org
> certificate)
> I'll look further at the X509 stuff.
> Joe
>
>> -----Original Message-----
>> From: Sander Eikelenboom [mailto:[email protected]]
>> Sent: Friday, April 08, 2011 3:57 AM
>> To: [email protected]
>> Cc: [email protected]
>> Subject: Re: [Pound Mailing List] pound-2.6c multiple SSL certificates,
>> comparing servername to wrong SSL certificate field ?
>>
>> Seems I have fixed it.
>> The problem is that the current code assumes the "commonname" to be the
>> last item of the Subject, which isn't always true.
>> The code now should also support multiple CN's in a certificate.
>>
>> Patch is attached, please review, since C isn't my normal programming
>> language.
>>
>> --
>> Sander
>>
>> Thursday, April 7, 2011, 5:31:24 PM, you wrote:
>>
>> > Hi All,
>> >
>> > I'm trying to use Pound as a reverse proxy to multiple apache's, with
>> > SSL and SNI support.
>> > I have used the same SSL certificates with apache and nginx and they
>> > worked well with the servername in the Common Name field (CN).
>> >
>> > With "pound-2.6c", it doesn't work. Only one SSL certificate works,
>> > because the code seems to compare the wrong item from the certificate
>> > to the SNI servername.
>> > For my certificate it seems to compare the email address
>> > "[email protected]" instead of the CN "backup.eikelenboom.it" (that
>> > would match the SNI servername.)
>> >
>> > --
>> > Sander
>> >
>> > The info from the certificate:
>> >
>> > root@webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform PEM -text
>> >
>> > Certificate:
>> >     Data:
>> >         Version: 3 (0x2)
>> >         Serial Number: 7 (0x7)
>> >         Signature Algorithm: sha1WithRSAEncryption
>> >         Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, CN=Eikelenboom IT services CA/[email protected]
>> >         Validity
>> >             Not Before: May  1 16:03:45 2010 GMT
>> >             Not After : May  1 16:03:45 2011 GMT
>> >         Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, OU=backup, CN=backup.eikelenboom.it/[email protected]
>> >         Subject Public Key Info:
>> >             Public Key Algorithm: rsaEncryption
>> >             RSA Public Key: (4096 bit)
>> >
>> > <SNIP>
>> >
>> >         X509v3 extensions:
>> >             X509v3 Basic Constraints:
>> >                 CA:FALSE
>> >             Netscape Cert Type:
>> >                 SSL Server
>> >             Netscape Comment:
>> >                 TinyCA Generated Certificate
>> >             X509v3 Subject Key Identifier:
>> >                 44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
>> >             X509v3 Authority Key Identifier:
>> >                 keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
>> >                 DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services/CN=Eikelenboom IT services CA/[email protected]
>> >                 serial:A8:CF:55:3F:39:E2:FB:60
>> >
>> >             X509v3 Issuer Alternative Name:
>> >                 email:[email protected]
>> >             X509v3 Subject Alternative Name:
>> >                 email:[email protected]
>> >     Signature Algorithm: sha1WithRSAEncryption
>> >
>> > <SNIP>
>> >
>> > --
>> > To unsubscribe send an email with subject unsubscribe to [email protected].
>> > Please contact [email protected] for questions.
>>
>> --
>> Best regards,
>> Sander mailto:[email protected]

--
Best regards,
Sander mailto:[email protected]
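The two problems discussed in this thread (taking the last Subject entry as the CN, and the wildcard question raised for fnmatch vs strcasecmp) can be shown in a small stand-alone C example. This is added illustration, not Pound's code or the attached patch; it skips OpenSSL and uses "TYPE=value" strings as a stand-in for the X509_NAME entries, with a constructed Subject modelled on the certificate above.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of exactly n bytes. */
static bool eq_ci(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Match an SNI servername against one CN value. Unlike fnmatch(), whose
 * '*' also matches dots, a wildcard is only accepted as the whole leftmost
 * label and matches exactly one label: "*.domain.org" matches
 * "www.domain.org" but not "a.b.domain.org" or "domain.org". Matching is
 * case-insensitive, and NULL or empty input never matches or crashes. */
bool cert_name_matches(const char *name, const char *host)
{
    if (!name || !host || !*name || !*host) return false;
    if (strncmp(name, "*.", 2) != 0)                /* literal name */
        return strlen(name) == strlen(host) && eq_ci(name, host, strlen(name));
    const char *suffix = name + 1;                  /* ".domain.org" */
    if (strchr(suffix + 1, '.') == NULL) return false;  /* refuse "*.org" */
    const char *dot = strchr(host, '.');            /* end of first label */
    if (dot == NULL || dot == host) return false;
    return strlen(dot) == strlen(suffix) && eq_ci(dot, suffix, strlen(suffix));
}

/* Walk every Subject entry ("TYPE=value" strings stand in for X509_NAME
 * entries) and return the index of the first matching CN, or -1. It never
 * assumes the CN is the last entry and copes with several CNs. */
int find_matching_cn(const char *const *entries, size_t count, const char *host)
{
    for (size_t i = 0; i < count; i++)
        if (entries[i] && strncmp(entries[i], "CN=", 3) == 0 &&
            cert_name_matches(entries[i] + 3, host))
            return (int)i;
    return -1;
}

/* Constructed sample modelled on the thread's Subject (the address is a
 * placeholder); note the CN is not the last entry. */
const char *const SAMPLE_SUBJECT[] = {
    "C=NL", "ST=Noord-Brabant", "L=Eindhoven", "O=Eikelenboom IT services",
    "OU=backup", "CN=backup.eikelenboom.it", "emailAddress=placeholder@example.invalid",
};
const size_t SAMPLE_SUBJECT_LEN = sizeof SAMPLE_SUBJECT / sizeof SAMPLE_SUBJECT[0];
```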
