On Thu, 2011-04-07 at 17:31 +0200, Sander Eikelenboom wrote:
> Hi All,
>
> I'm trying to use Pound as a reverse proxy to multiple apache's, with SSL and
> SNI support.
> I have used the same SSL certificates with apache and nginx and they worked
> well with the servername in the Common Name field (CN).
>
> With "pound-2.6c", it doesn't work. Only one SSL certificate works, because
> the code seems to compare the wrong item from the certificate to the SNI
> servername.
> For my certificate it seems to compare the email address "[email protected]"
> instead of the CN "backup.eikelenboom.it" (that would match the SNI
> servername.)
>
> --
> Sander
>
>
> The info from the certificate:
>
> root@webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform PEM -text
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 7 (0x7)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, CN=Eikelenboom IT services CA/[email protected]
>         Validity
>             Not Before: May  1 16:03:45 2010 GMT
>             Not After : May  1 16:03:45 2011 GMT
>         Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, OU=backup, CN=backup.eikelenboom.it/[email protected]
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (4096 bit)
>
> <SNIP>
>
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Cert Type:
>                 SSL Server
>             Netscape Comment:
>                 TinyCA Generated Certificate
>             X509v3 Subject Key Identifier:
>                 44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
>             X509v3 Authority Key Identifier:
>                 keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
>                 DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services/CN=Eikelenboom IT services CA/[email protected]
>                 serial:A8:CF:55:3F:39:E2:FB:60
>
>             X509v3 Issuer Alternative Name:
>                 email:[email protected]
>             X509v3 Subject Alternative Name:
>                 email:[email protected]
>     Signature Algorithm: sha1WithRSAEncryption
>
> <SNIP>
>
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
I must admit this is the first time that I see a certificate in this format (CN=backup.eikelenboom.it/[email protected]). Is this a normal server certificate (as opposed to an "EMail-only" certificate)? As a self-signed certificate, I suppose you can do whatever you want.

I am not even sure that this is legal: what exactly is the CN? I would say it depends on what parser you use, but it could be backup.eikelenboom.it or backup.eikelenboom.it/emailAddress or even backup.eikelenboom.it/[email protected].

Could people on the list please check their "official" certificates to see if this is normal practice?

--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19
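The parsing ambiguity Robert raises is easy to reproduce on OpenSSL's one-line DN format, where the RDNs are separated by "/" and nothing is escaped. The following is an added illustration, not code from the thread and not Pound's implementation: it contrasts a shortcut parser that takes everything after "CN=" (which yields "backup.eikelenboom.it/emailAddress=..." on the subject shown above and can therefore never equal an SNI name) with one that respects attribute boundaries, then runs an RFC 6125-style name match. The subject string is constructed from the certificate in the thread with a placeholder e-mail address; the SAN handling and wildcard rule are general practice added here, not something the page states about Pound.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the subject of the certificate from the thread in
# OpenSSL's one-line "/attr=value/attr=value" form. The e-mail address is a
# placeholder, not the one in the original certificate.
SUBJECT_ONELINE = (
    "/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services"
    "/OU=backup/CN=backup.eikelenboom.it/emailAddress=postmaster@example.invalid"
)


def naive_cn(subject: str) -> Optional[str]:
    """Shortcut parser: everything after 'CN=' up to the end of the string.

    When emailAddress follows CN this returns
    'backup.eikelenboom.it/emailAddress=...', which never equals an SNI
    server name, so only a certificate whose CN is the last attribute matches.
    """
    idx = subject.find("CN=")
    return None if idx < 0 else subject[idx + len("CN="):]


# A '/' opens a new RDN only when 'attr=' follows it; a '/' inside a value
# that is not followed by 'something=' stays part of the value.
_RDN_BOUNDARY = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_oneline_subject(subject: str) -> List[Tuple[str, str]]:
    """Split a one-line DN into (attribute, value) pairs in order.

    The one-line format does not escape '/', so a value such as 'a/b=c' is
    inherently ambiguous; reading the structured X.509 name instead (e.g.
    X509_NAME_get_text_by_NID in OpenSSL) avoids text parsing entirely.
    """
    pairs = []
    for part in _RDN_BOUNDARY.split(subject):
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr, value))
    return pairs


def common_name(subject: str) -> Optional[str]:
    """Return the CN value with attribute boundaries respected."""
    for attr, value in parse_oneline_subject(subject):
        if attr == "CN":
            return value
    return None


def server_names(subject: str, san_entries: List[str]) -> List[str]:
    """Names a server certificate is valid for: SAN dNSName entries when the
    certificate has any, otherwise the CN (the RFC 6125 fallback). The
    certificate in the thread carries only an 'email:' SAN, so it falls back."""
    dns = [e[len("DNS:"):] for e in san_entries if e.startswith("DNS:")]
    if dns:
        return dns
    cn = common_name(subject)
    return [cn] if cn else []


def sni_matches(sni_name: str, cert_name: str) -> bool:
    """Case-insensitive DNS-name comparison; a leading '*.' matches exactly
    one label (RFC 6125 wildcard rule, added here, not Pound's own logic)."""
    sni = sni_name.lower().rstrip(".").split(".")
    name = cert_name.lower().rstrip(".").split(".")
    if name[0] == "*":
        return len(sni) == len(name) and sni[1:] == name[1:]
    return sni == name


def pick_certificate(sni_name: str,
                     certs: List[Tuple[str, List[str]]]) -> Optional[str]:
    """Return the subject of the first certificate whose names cover the SNI
    name, or None when nothing matches."""
    for subject, san in certs:
        if any(sni_matches(sni_name, n) for n in server_names(subject, san)):
            return subject
    return None


if __name__ == "__main__":
    print("naive CN :", naive_cn(SUBJECT_ONELINE))
    print("proper CN:", common_name(SUBJECT_ONELINE))
    print("selected :", pick_certificate(
        "backup.eikelenboom.it",
        [(SUBJECT_ONELINE, ["email:postmaster@example.invalid"])]))
```

Run stand-alone, the script shows the two CN readings side by side and that only the boundary-aware one lets the SNI name "backup.eikelenboom.it" select the certificate. The regex still cannot disambiguate a value that itself contains "/attr=", which is why a proxy doing SNI selection should read the DN structurally rather than from its one-line rendering.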
