Revised... take 2.
Change
for(pc = res->ctx; res->next; res = res->next)

To:
for(pc = res->ctx; pc->next; pc = pc->next)

And retest :)

Joe


Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540

Confidentiality Notice:
This e-mail transmission may contain confidential and legally privileged 
information that is intended only for the individual named in the e-mail 
address. If you are not the intended recipient, you are hereby notified that 
any disclosure, copying, distribution, or reliance upon the contents of this 
e-mail message is strictly prohibited. If you have received this e-mail 
transmission in error, please reply to the sender, so that proper delivery can 
be arranged, and please delete the message from your mail box.
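
Added example (editor's code, not Pound's) showing why the config.c loop quoted further down leaves only the first and last certificate reachable from the listener. With a single ListenHTTPS block res->next is NULL, so the 2.6d loop never advances pc off the head node and every new POUND_CTX is hung off the first one, orphaning whatever was linked there before. The struct definitions are stand-ins that model only the fields the append loop and the SNI callback use, and the four CNs are the ones from Sander's startup log; everything else here is assumed for the demo.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for Pound's POUND_CTX / LISTENER: only the fields the quoted
 * append loop and SNI callback touch are modelled (an assumption of this demo). */
typedef struct pound_ctx {
    const char       *server_name;  /* CN parsed from the certificate */
    struct pound_ctx *next;
} POUND_CTX;

typedef struct listener {
    POUND_CTX       *ctx;           /* head of the per-certificate context list */
    struct listener *next;          /* next ListenHTTPS block; NULL on the last one */
} LISTENER;

typedef void (*append_fn)(LISTENER *, const char *);

static POUND_CTX *new_ctx(const char *cn)
{
    POUND_CTX *pc = malloc(sizeof *pc);
    if (pc == NULL) { perror("malloc"); exit(1); }
    pc->server_name = cn;
    pc->next = NULL;
    return pc;
}

/* The 2.6d loop as quoted in the thread: it tests res->next and advances res,
 * so pc never leaves the head. With one listener res->next is NULL, the body
 * never runs, and each new node replaces head->next, orphaning (and leaking) the old one. */
static void append_buggy(LISTENER *res, const char *cn)
{
    POUND_CTX *pc;
    if (res->ctx) {
        for (pc = res->ctx; res->next; res = res->next)
            ;
        pc->next = new_ctx(cn);
    } else {
        res->ctx = new_ctx(cn);
    }
}

/* Joe's "take 2": walk pc to the tail, then link the new node after it. */
static void append_fixed(LISTENER *res, const char *cn)
{
    POUND_CTX *pc;
    if (res->ctx) {
        for (pc = res->ctx; pc->next; pc = pc->next)
            ;
        pc->next = new_ctx(cn);
    } else {
        res->ctx = new_ctx(cn);
    }
}

/* Same walk as Pound's SNI callback: the first CN whose fnmatch() pattern
 * matches the requested host wins; NULL means "no match, default cert". */
static const char *sni_lookup(const LISTENER *res, const char *host)
{
    for (const POUND_CTX *pc = res->ctx; pc; pc = pc->next)
        if (fnmatch(pc->server_name, host, 0) == 0)
            return pc->server_name;
    return NULL;
}

static char g_chain[256];   /* CNs reachable from the head after the last load */

/* Load the four CNs from Sander's startup log with the given append routine,
 * record the reachable chain in g_chain, resolve one SNI host the way the
 * callback does, free the reachable nodes and return the matched CN or NULL. */
static const char *resolve_with(append_fn append, const char *host)
{
    static const char *cns[] = { "backup.eikelenboom.it", "git.eikelenboom.it",
                                 "davical.eikelenboom.it", "security.eikelenboom.it" };
    LISTENER res = { NULL, NULL };
    POUND_CTX *pc, *nx;
    const char *hit;
    for (size_t i = 0; i < sizeof cns / sizeof cns[0]; i++)
        append(&res, cns[i]);
    g_chain[0] = '\0';
    for (pc = res.ctx; pc; pc = pc->next) {
        if (g_chain[0]) strncat(g_chain, ",", sizeof g_chain - strlen(g_chain) - 1);
        strncat(g_chain, pc->server_name, sizeof g_chain - strlen(g_chain) - 1);
    }
    hit = sni_lookup(&res, host);   /* points into cns[], so it survives the free */
    for (pc = res.ctx; pc; pc = nx) { nx = pc->next; free(pc); }
    return hit;
}

int main(void)
{
    const char *hit = resolve_with(append_buggy, "davical.eikelenboom.it");
    printf("2.6d loop:  %s -> %s\n", g_chain, hit ? hit : "default cert");
    hit = resolve_with(append_fixed, "davical.eikelenboom.it");
    printf("fixed loop: %s -> %s\n", g_chain, hit ? hit : "default cert");
    return 0;
}
```

Build with cc -std=c99 on any POSIX system. The buggy loop yields the chain backup.eikelenboom.it,security.eikelenboom.it and falls back to the default certificate for davical, which is exactly the two "try to match" lines in Sander's log; the fixed loop keeps all four and resolves davical to its own CN. The orphaned nodes in the buggy case also carry a live SSL_CTX each in the real code, so the bug leaks a loaded key pair per skipped certificate.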


> -----Original Message-----
> From: Joe Gooch
> Sent: Monday, April 11, 2011 1:38 PM
> To: [email protected]; Robert Segall
> Subject: RE: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and
> load balancer - v2.6d
> 
> Change
> for(pc = res->ctx; res->next; res = res->next)
> 
> To:
> for(pc = res->ctx; res->next; pc = res->next)
> 
> And retest.
> 
> Joe
> 
> 
> > -----Original Message-----
> > From: Sander Eikelenboom [mailto:[email protected]]
> > Sent: Monday, April 11, 2011 1:29 PM
> > To: Robert Segall
> > Cc: [email protected]
> > Subject: Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and
> > load balancer - v2.6d
> >
> > Hi Robert,
> >
> > The parsing of the CN name is OK now, as I said earlier there still is
> > a problem: only the first and last certificates seem to be matched,
> > although all are parsed from the config file without error.
> >
> > --
> > Sander
> >
> >
> > When pound starts:
> > Starting reverse proxy and load balancer: poundstarting...
> > CN=<backup.eikelenboom.it>
> > CN=<git.eikelenboom.it>
> > CN=<davical.eikelenboom.it>
> > CN=<security.eikelenboom.it>
> >
> > So all have been parsed OK.
> >
> >
> >
> > Below the log after applying the patch below:
> >
> > root@webproxy:/usr/src/pound-2.6d# diff -U5 ../Pound-2.6d/config.c
> > config.c
> > --- ../Pound-2.6d/config.c      2011-04-11 15:59:05.000000000 +0200
> > +++ config.c    2011-04-11 19:20:00.000000000 +0200
> > @@ -795,18 +795,19 @@
> >          return SSL_TLSEXT_ERR_NOACK;
> >
> >      /* logmsg(LOG_DEBUG, "Received SSL SNI Header for servername
> %s",
> > servername); */
> >
> >      SSL_set_SSL_CTX(ssl, NULL);
> > -    for(pc = ctx; pc; pc = pc->next)
> > +    for(pc = ctx; pc; pc = pc->next){
> > +       logmsg(LOG_DEBUG, "try to match pc->server_name %s to
> > server_name %s",pc->server_name,server_name);
> >          if(fnmatch(pc->server_name, server_name, 0) == 0) {
> >              /* logmsg(LOG_DEBUG, "Found cert for %s", servername);
> */
> >              SSL_set_SSL_CTX(ssl, pc->ctx);
> >              return SSL_TLSEXT_ERR_OK;
> >          }
> > -
> > -    /* logmsg(LOG_DEBUG, "No match for %s, default used",
> > server_name); */
> > +    }
> > +    logmsg(LOG_DEBUG, "No match for %s, default used", server_name);
> >      SSL_set_SSL_CTX(ssl, ctx->ctx);
> >      return SSL_TLSEXT_ERR_OK;
> >  }
> >  #endif
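Review bot: the two logmsg() calls added in this hunk (the "try to match" line inside the loop and the now-unconditional "No match for %s, default used" line that replaces the commented-out one) write a syslog entry per TLS handshake carrying the client-supplied SNI name; fine for this debugging run, but put them back behind the comment or a debug switch before this goes anywhere near a release. The braces added around the for body are correct and the selection logic is unchanged: the callback still hands back the first context whose CN matches via fnmatch(), so the fact that only two "try to match" lines appear means only two nodes are reachable from ctx, which points at how the list is built in config.c rather than at this callback.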
> >
> >
> >
> > Here you see the output when iterating through the certificates, only
> > the first and last present.
> >
> > Apr 11 19:21:46 webproxy pound: try to match pc->server_name
> > backup.eikelenboom.it to server_name davical.eikelenboom.it
> > Apr 11 19:21:46 webproxy pound: try to match pc->server_name
> > security.eikelenboom.it to server_name davical.eikelenboom.it
> > Apr 11 19:21:46 webproxy pound: No match for davical.eikelenboom.it,
> > default used
> >
> >
> >
> >
> > Probably the parsing code isn't storing the certificates properly in
> > the variable or overwriting them somewhere in:
> >
> > #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
> >             /* we have support for SNI */
> >             FILE        *fcert;
> >             char        server_name[MAXBUF], *cp;
> >             X509        *x509;
> >
> >             if(has_other)
> >                 conf_err("Cert directives MUST precede other SSL-specific directives - aborted");
> >             if(res->ctx) {
> >                 for(pc = res->ctx; res->next; res = res->next)
> >                     ;
> >                 if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
> >                     conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
> >                 pc = pc->next;
> >             } else {
> >                 if((res->ctx = malloc(sizeof(POUND_CTX))) == NULL)
> >                     conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
> >                 pc = res->ctx;
> >             }
> >             if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
> >                 conf_err("SSL_CTX_new failed - aborted");
> >             pc->server_name = NULL;
> >             pc->next = NULL;
> >             lin[matches[1].rm_eo] = '\0';
> >             if(SSL_CTX_use_certificate_chain_file(pc->ctx, lin + matches[1].rm_so) != 1)
> >                 conf_err("SSL_CTX_use_certificate_chain_file failed - aborted");
> >             if(SSL_CTX_use_PrivateKey_file(pc->ctx, lin + matches[1].rm_so, SSL_FILETYPE_PEM) != 1)
> >                 conf_err("SSL_CTX_use_PrivateKey_file failed - aborted");
> >             if(SSL_CTX_check_private_key(pc->ctx) != 1)
> >                 conf_err("SSL_CTX_check_private_key failed - aborted");
> >             if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
> >                 conf_err("ListenHTTPS: could not open certificate file");
> >             if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
> >                 conf_err("ListenHTTPS: could not get certificate subject");
> >             fclose(fcert);
> >             memset(server_name, '\0', MAXBUF);
> >             X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
> >             X509_free(x509);
> >             if(!regexec(&CNName, server_name, 4, matches, 0)) {
> >                 server_name[matches[1].rm_eo] = '\0';
> >                 if((pc->server_name = strdup(server_name + matches[1].rm_so)) == NULL)
> >                     conf_err("ListenHTTPS: could not set certificate subject");
> >             } else
> >                 conf_err("ListenHTTPS: could not get certificate CN");
> > fprintf(stderr, "CN=<%s>\n", pc->server_name);
> > #else
> >             /* no SNI support */
> >
> >
> >
> >
> >
> > Monday, April 11, 2011, 4:06:39 PM, you wrote:
> >
> > > This is to announce the release of Pound v2.6d. This is an
> > experimental
> > > version - the fourth (and hopefully the last prior to the stable
> > > release) in the 2.6 series. Changes since version 2.6c:
> >
> > > Enhancements:
> > >     - added parsing for the certificate CN
> >
> > > Bug fixes:
> > >     - fixed problem in task enqueing
> > >     - fixed small problem in Makefile
> >
> > > The software is at version 2.6d (beta quality). Further testing
> > > (especially under heavy loads), improvements and suggestions are
> > > welcome.
> >
> >
> >
> > --
> > Best regards,
> >  Sander                            mailto:[email protected]
> >
> >
> > --
> > To unsubscribe send an email with subject unsubscribe to
> > [email protected].
> > Please contact [email protected] for questions.
