Change for(pc = res->ctx; res->next; res = res->next) To: for(pc = res->ctx; res->next; pc = res->next)
And retest.

Joe

> -----Original Message-----
> From: Sander Eikelenboom [mailto:[email protected]]
> Sent: Monday, April 11, 2011 1:29 PM
> To: Robert Segall
> Cc: [email protected]
> Subject: Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
>
> Hi Robert,
>
> The parsing of the CN name is OK now; as I said earlier, there still is a problem: only the first and last certificate seem to be matched, although all are parsed from the config file without error.
>
> --
> Sander
>
>
> When pound starts:
> Starting reverse proxy and load balancer: poundstarting...
> CN=<backup.eikelenboom.it>
> CN=<git.eikelenboom.it>
> CN=<davical.eikelenboom.it>
> CN=<security.eikelenboom.it>
>
> So all have been parsed OK.
>
>
> Below the log after applying the patch below:
>
> root@webproxy:/usr/src/pound-2.6d# diff -U5 ../Pound-2.6d/config.c config.c
> --- ../Pound-2.6d/config.c	2011-04-11 15:59:05.000000000 +0200
> +++ config.c	2011-04-11 19:20:00.000000000 +0200
> @@ -795,18 +795,19 @@
>          return SSL_TLSEXT_ERR_NOACK;
>
>      /* logmsg(LOG_DEBUG, "Received SSL SNI Header for servername %s", servername); */
>
>      SSL_set_SSL_CTX(ssl, NULL);
> -    for(pc = ctx; pc; pc = pc->next)
> +    for(pc = ctx; pc; pc = pc->next){
> +        logmsg(LOG_DEBUG, "try to match pc->server_name %s to server_name %s",pc->server_name,server_name);
>          if(fnmatch(pc->server_name, server_name, 0) == 0) {
>              /* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
>              SSL_set_SSL_CTX(ssl, pc->ctx);
>              return SSL_TLSEXT_ERR_OK;
>          }
> -
> -    /* logmsg(LOG_DEBUG, "No match for %s, default used", server_name); */
> +    }
> +    logmsg(LOG_DEBUG, "No match for %s, default used", server_name);
>      SSL_set_SSL_CTX(ssl, ctx->ctx);
>      return SSL_TLSEXT_ERR_OK;
>  }
>  #endif
>
>
>
> Here you see the output when iterating through the certificates, only the first and last present.
>
> Apr 11 19:21:46 webproxy pound: try to match pc->server_name backup.eikelenboom.it to server_name davical.eikelenboom.it
> Apr 11 19:21:46 webproxy pound: try to match pc->server_name security.eikelenboom.it to server_name davical.eikelenboom.it
> Apr 11 19:21:46 webproxy pound: No match for davical.eikelenboom.it, default used
>
>
>
> Probably the parsing code isn't storing the certificates properly in the variable or overwriting them somewhere in:
>
> #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
>     /* we have support for SNI */
>     FILE *fcert;
>     char server_name[MAXBUF], *cp;
>     X509 *x509;
>
>     if(has_other)
>         conf_err("Cert directives MUST precede other SSL-specific directives - aborted");
>     if(res->ctx) {
>         for(pc = res->ctx; res->next; res = res->next)
>             ;
>         if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
>             conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
>         pc = pc->next;
>     } else {
>         if((res->ctx = malloc(sizeof(POUND_CTX))) == NULL)
>             conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
>         pc = res->ctx;
>     }
>     if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
>         conf_err("SSL_CTX_new failed - aborted");
>     pc->server_name = NULL;
>     pc->next = NULL;
>     lin[matches[1].rm_eo] = '\0';
>     if(SSL_CTX_use_certificate_chain_file(pc->ctx, lin + matches[1].rm_so) != 1)
>         conf_err("SSL_CTX_use_certificate_chain_file failed - aborted");
>     if(SSL_CTX_use_PrivateKey_file(pc->ctx, lin + matches[1].rm_so, SSL_FILETYPE_PEM) != 1)
>         conf_err("SSL_CTX_use_PrivateKey_file failed - aborted");
>     if(SSL_CTX_check_private_key(pc->ctx) != 1)
>         conf_err("SSL_CTX_check_private_key failed - aborted");
>     if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
>         conf_err("ListenHTTPS: could not open certificate file");
>     if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
>         conf_err("ListenHTTPS: could not get certificate subject");
>     fclose(fcert);
>     memset(server_name, '\0', MAXBUF);
>     X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
>     X509_free(x509);
>     if(!regexec(&CNName, server_name, 4, matches, 0)) {
>         server_name[matches[1].rm_eo] = '\0';
>         if((pc->server_name = strdup(server_name + matches[1].rm_so)) == NULL)
>             conf_err("ListenHTTPS: could not set certificate subject");
>     } else
>         conf_err("ListenHTTPS: could not get certificate CN");
>     fprintf(stderr, "CN=<%s>\n", pc->server_name);
> #else
>     /* no SNI support */
>
>
>
>
>
> Monday, April 11, 2011, 4:06:39 PM, you wrote:
>
> > This is to announce the release of Pound v2.6d. This is an experimental
> > version - the fourth (and hopefully the last prior to the stable
> > release) in the 2.6 series. Changes since version 2.6c:
> >
> > Enhancements:
> > - added parsing for the certificate CN
> >
> > Bug fixes:
> > - fixed problem in task enqueuing
> > - fixed small problem in Makefile
> >
> > The software is at version 2.6d (beta quality). Further testing
> > (especially under heavy loads), improvements and suggestions are
> > welcome.
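Review bot: the logmsg(LOG_DEBUG, "try to match pc->server_name %s to server_name %s", ...) added inside the for loop of the @@ -795 hunk fires once per configured certificate on every handshake that carries SNI, so before this goes anywhere near a commit it should get the same commented-out treatment as the neighbouring "Received SSL SNI Header" and "Found cert" messages, or be removed; the uncommented "No match for %s, default used" line at the end of the hunk costs one message per handshake and is the one worth keeping at debug level, because it is the line that reveals a hostname silently being served the listener's default certificate. Apart from the logging, the hunk is behaviour-neutral (the braces only wrap the existing if into the loop body), and the output it produced in the thread, only the first and last CN ever being visited, shows the matching loop walks exactly the list it is handed; the missing entries are lost earlier, in the ListenHTTPS Cert-parsing loop Sander quotes, which advances res rather than pc and therefore keeps re-assigning the head's next pointer.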
>
> --
> Best regards,
> Sander                            mailto:[email protected]
>
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
