OK, I have reverted the strcasecmp to fnmatch, no segfault so that seems to have 
been my imagination.
So the point left to discover is why only the first and last "Cert("")" seem to 
be used for the matching (although all certs get parsed on startup).

Friday, April 8, 2011, 7:06:21 PM, you wrote:

> If you remove the fnmatch and replace it with strcasecmp, then wildcard 
> certificates won't match. (i.e. www.domain.org won't match a *.domain.org 
> certificate)

> I'll look further at the X509 stuff.

> Joe

>> -----Original Message-----
>> From: Sander Eikelenboom [mailto:[email protected]]
>> Sent: Friday, April 08, 2011 3:57 AM
>> To: [email protected]
>> Cc: [email protected]
>> Subject: Re: [Pound Mailing List] pound-2.6c multiple SSL certificates,
>> comparing servername to wrong SSL certificate field ?
>> 
>> Seems I have fixed it.
>> The problem is that the current code assumes the "commonname" to be the
>> last item of the Subject, which isn't always true.
>> The code now should also support multiple CN's in a certificate.
>> 
>> Patch is attached, please review, since C isn't my normal programming
>> language.
>> 
>> --
>> Sander
>> 
>> 
>> 
>> Thursday, April 7, 2011, 5:31:24 PM, you wrote:
>> 
>> > Hi All,
>> 
>> > I'm trying to use Pound as a reverse proxy to multiple Apaches, with SSL and SNI support.
>> > I have used the same SSL certificates with Apache and nginx and they worked well with the servername in the Common Name field (CN).
>> 
>> > With "pound-2.6c", it doesn't work. Only one SSL certificate works, because the code seems to compare the wrong item from the certificate to the SNI servername.
>> > For my certificate it seems to compare the email address "[email protected]" instead of the CN "backup.eikelenboom.it" (that would match the SNI servername.)
>> 
>> > --
>> > Sander
>> 
>> 
>> > The info from the certificate:
>> 
>> > root@webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform PEM -text
>> 
>> > Certificate:
>> >     Data:
>> >         Version: 3 (0x2)
>> >         Serial Number: 7 (0x7)
>> >         Signature Algorithm: sha1WithRSAEncryption
>> >         Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, CN=Eikelenboom IT services CA/[email protected]
>> >         Validity
>> >             Not Before: May  1 16:03:45 2010 GMT
>> >             Not After : May  1 16:03:45 2011 GMT
>> >         Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, OU=backup, CN=backup.eikelenboom.it/[email protected]
>> >         Subject Public Key Info:
>> >             Public Key Algorithm: rsaEncryption
>> >             RSA Public Key: (4096 bit)
>> 
>> >   <SNIP>
>> 
>> >         X509v3 extensions:
>> >             X509v3 Basic Constraints:
>> >                 CA:FALSE
>> >             Netscape Cert Type:
>> >                 SSL Server
>> >             Netscape Comment:
>> >                 TinyCA Generated Certificate
>> >             X509v3 Subject Key Identifier:
>> >                 44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
>> >             X509v3 Authority Key Identifier:
>> >                 keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
>> >                 DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services/CN=Eikelenboom IT services CA/[email protected]
>> >                 serial:A8:CF:55:3F:39:E2:FB:60
>> 
>> >             X509v3 Issuer Alternative Name:
>> >                 email:[email protected]
>> >             X509v3 Subject Alternative Name:
>> >                 email:[email protected]
>> >     Signature Algorithm: sha1WithRSAEncryption
>> 
>> >  <SNIP>
>> 
>> 
>> > --
>> > To unsubscribe send an email with subject unsubscribe to
>> [email protected].
>> > Please contact [email protected] for questions.
>> 
>> 
>> 
>> --
>> Best regards,
>>  Sander                            mailto:[email protected]




-- 
Best regards,
 Sander                            mailto:[email protected]
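
The two matching issues discussed in this thread (the CN not being the last Subject item, and strcasecmp versus fnmatch for wildcard certificates), as an added example that is not part of the thread and is not Pound's code. The subject string, host names and function names are constructed for illustration, and the subject is assumed to be in OpenSSL's one-line `/key=value` form.

```c
#include <ctype.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample subject: two CNs followed by an e-mail component. */
static const char SAMPLE_SUBJECT[] =
    "/C=NL/O=Example/OU=backup/CN=backup.example.org/CN=*.example.net"
    "/emailAddress=admin@example.org";

/* Copy src into dst in lower case, stopping at '/' or end of string. */
static void copy_lower(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    for (; src[i] && src[i] != '/' && i + 1 < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Simplified model of the reported behaviour: only the last Subject item is compared. */
int last_field_matches(const char *subject, const char *servername)
{
    const char *eq = strrchr(subject, '=');
    return eq != NULL && strcasecmp(eq + 1, servername) == 0;
}

/* Compare the SNI name against every CN, wherever it sits in the Subject.
 * use_fnmatch != 0 treats the CN as a pattern; otherwise it is a literal. */
int any_cn_matches(const char *subject, const char *servername, int use_fnmatch)
{
    char cn[256], host[256];
    copy_lower(host, sizeof host, servername);   /* host names are case-insensitive */
    for (const char *p = strstr(subject, "/CN="); p; p = strstr(p + 1, "/CN=")) {
        copy_lower(cn, sizeof cn, p + 4);
        if (use_fnmatch ? fnmatch(cn, host, 0) == 0 : strcasecmp(cn, host) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("last item only: %d\n", last_field_matches(SAMPLE_SUBJECT, "backup.example.org"));
    printf("any CN:         %d\n", any_cn_matches(SAMPLE_SUBJECT, "backup.example.org", 1));
    printf("strcasecmp:     %d\n", any_cn_matches(SAMPLE_SUBJECT, "www.example.net", 0));
    printf("fnmatch:        %d\n", any_cn_matches(SAMPLE_SUBJECT, "www.example.net", 1));
    return 0;
}
```

With flags set to 0, fnmatch's `*` also matches across dots, so `a.b.example.net` matches `*.example.net`, which is broader than the usual single-label wildcard rule for host names.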

