It's a self-signed certificate, produced by TinyCA2, which is a wrapper around 
OpenSSL.
After adjusting the code so it's not using deprecated methods from OpenSSL, it 
derives the CN properly (only the CN backup.eikelenboom.it, without the 
mail address).

The same certificate is parsed OK by Apache and nginx.

The only problem now is the part of the code that stores the CN when the config 
gets parsed.
It seems it only stores the first and last certificates; the rest are omitted or 
overwritten somehow.


--
Sander


Monday, April 11, 2011, 10:23:41 AM, you wrote:

> On Thu, 2011-04-07 at 17:31 +0200, Sander Eikelenboom wrote:
>> Hi All,
>> 
>> I'm trying to use Pound as a reverse proxy to multiple Apaches, with SSL 
>> and SNI support.
>> I have used the same SSL certificates with Apache and nginx and they worked 
>> well with the server name in the Common Name field (CN).
>> 
>> With "pound-2.6c", it doesn't work. Only one SSL certificate works, because 
>> the code seems to compare the wrong item from the certificate to the SNI 
>> server name.
>> For my certificate it seems to compare the email address 
>> "[email protected]" instead of the CN "backup.eikelenboom.it" (that 
>> would match the SNI server name).
>> 
>> --
>> Sander
>> 
>> 
>> The info from the certificate:
>> 
>> root@webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform 
>> PEM -text
>> 
>> Certificate:
>>     Data:
>>         Version: 3 (0x2)
>>         Serial Number: 7 (0x7)
>>         Signature Algorithm: sha1WithRSAEncryption
>>         Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT 
>> services, CN=Eikelenboom IT services CA/[email protected]
>>         Validity
>>             Not Before: May  1 16:03:45 2010 GMT
>>             Not After : May  1 16:03:45 2011 GMT
>>         Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT 
>> services, OU=backup, 
>> CN=backup.eikelenboom.it/[email protected]
>>         Subject Public Key Info:
>>             Public Key Algorithm: rsaEncryption
>>             RSA Public Key: (4096 bit)
>> 
>>   <SNIP>
>> 
>>         X509v3 extensions:
>>             X509v3 Basic Constraints:
>>                 CA:FALSE
>>             Netscape Cert Type:
>>                 SSL Server
>>             Netscape Comment:
>>                 TinyCA Generated Certificate
>>             X509v3 Subject Key Identifier:
>>                 44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
>>             X509v3 Authority Key Identifier:
>>                 
>> keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
>>                 DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT 
>> services/CN=Eikelenboom IT services CA/[email protected]
>>                 serial:A8:CF:55:3F:39:E2:FB:60
>> 
>>             X509v3 Issuer Alternative Name:
>>                 email:[email protected]
>>             X509v3 Subject Alternative Name:
>>                 email:[email protected]
>>     Signature Algorithm: sha1WithRSAEncryption
>> 
>>  <SNIP>
>> 
>> 
>> --
>> To unsubscribe send an email with subject unsubscribe to [email protected].
>> Please contact [email protected] for questions.

> I must admit this is the first time that I see a certificate in this
> format (CN=backup.eikelenboom.it/[email protected]). Is
> this a normal server certificate (as opposed to an "EMail-only"
> certificate)? As a self-signed certificate, I suppose you can do
> whatever you want. I am not even sure that this is legal: what exactly
> is the CN? I would say it depends on what parser you use, but it could
> be backup.eikelenboom.it or backup.eikelenboom.it/emailAddress or even
> backup.eikelenboom.it/[email protected].

> Could people on the list please check their "official" certificates to
> see if this is normal practice?



-- 
Best regards,
 Sander                            mailto:[email protected]
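As an added example for this thread (Python, written here; it is not Pound's or OpenSSL's code), the subject and SAN below are transcribed from the certificate dump quoted above, and the functions show why taking the last component of a oneline subject rendering yields the email address, how a lookup by attribute type yields the CN instead, and how an SNI match should prefer SAN DNS entries and only fall back to the CN:

```python
# Constructed example: SUBJECT and SAN are transcribed from the
# `openssl x509 -text` dump in this thread; the functions are illustrative.
SUBJECT = [  # subject attributes in the order OpenSSL prints them
    ("C", "NL"), ("ST", "Noord-Brabant"), ("L", "Eindhoven"),
    ("O", "Eikelenboom IT services"), ("OU", "backup"),
    ("CN", "backup.eikelenboom.it"),
    ("emailAddress", "[email protected]"),
]
# Subject Alternative Name from the same dump: one email entry, no DNS entry.
SAN = [("email", "[email protected]")]


def oneline(subject):
    """Render a subject the way the legacy X509_NAME_oneline() does:
    '/type=value' components joined with '/'."""
    return "".join(f"/{t}={v}" for t, v in subject)


def naive_cn_from_oneline(line):
    """Take the last '/'-separated component as the CN.  Wrong whenever an
    attribute follows CN (here emailAddress) or a value itself contains '/',
    which is why string-parsing the oneline form is unreliable."""
    return line.rsplit("/", 1)[-1].split("=", 1)[1]


def cn_by_attribute(subject):
    """Look the CN up by attribute type (what X509_NAME_get_text_by_NID with
    NID_commonName does); its position in the subject no longer matters."""
    for t, v in subject:
        if t == "CN":
            return v
    return None


def sni_names(subject, san):
    """Host names a proxy may match against the SNI server name: SAN DNS
    entries take precedence (RFC 6125); the CN is only a fallback when there
    are none, as with this certificate."""
    dns = [v.lower() for t, v in san if t == "DNS"]
    if dns:
        return dns
    cn = cn_by_attribute(subject)
    return [cn.lower()] if cn else []


def matches_sni(sni_host, subject, san):
    """Case-insensitive match of the SNI server name (trailing dot ignored)."""
    return sni_host.lower().rstrip(".") in sni_names(subject, san)
```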

