Revised... take 2. Change

for(pc = res->ctx; res->next; res = res->next)

To:

for(pc = res->ctx; pc->next; pc = pc->next)

And retest :)

Joe

Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540

> -----Original Message-----
> From: Joe Gooch
> Sent: Monday, April 11, 2011 1:38 PM
> To: [email protected]; Robert Segall
> Subject: RE: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
>
> Change
> for(pc = res->ctx; res->next; res = res->next)
>
> To:
> for(pc = res->ctx; res->next; pc = res->next)
>
> And retest.
>
> Joe
>
> > -----Original Message-----
> > From: Sander Eikelenboom [mailto:[email protected]]
> > Sent: Monday, April 11, 2011 1:29 PM
> > To: Robert Segall
> > Cc: [email protected]
> > Subject: Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
> >
> > Hi Robert,
> >
> > The parsing of the CN name is OK now, as I said earlier there still is
> > a problem: only the first and last certificate seem to be matched,
> > although all are parsed from the config file without error.
> >
> > --
> > Sander
> >
> > When pound starts:
> > Starting reverse proxy and load balancer: poundstarting...
> > CN=<backup.eikelenboom.it>
> > CN=<git.eikelenboom.it>
> > CN=<davical.eikelenboom.it>
> > CN=<security.eikelenboom.it>
> >
> > So all have been parsed OK.
> >
> > Below the log after applying the patch below:
> >
> > root@webproxy:/usr/src/pound-2.6d# diff -U5 ../Pound-2.6d/config.c config.c
> > --- ../Pound-2.6d/config.c 2011-04-11 15:59:05.000000000 +0200
> > +++ config.c 2011-04-11 19:20:00.000000000 +0200
> > @@ -795,18 +795,19 @@
> >          return SSL_TLSEXT_ERR_NOACK;
> >
> >      /* logmsg(LOG_DEBUG, "Received SSL SNI Header for servername %s", servername); */
> >
> >      SSL_set_SSL_CTX(ssl, NULL);
> > -    for(pc = ctx; pc; pc = pc->next)
> > +    for(pc = ctx; pc; pc = pc->next){
> > +        logmsg(LOG_DEBUG, "try to match pc->server_name %s to server_name %s",pc->server_name,server_name);
> >          if(fnmatch(pc->server_name, server_name, 0) == 0) {
> >              /* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
> >              SSL_set_SSL_CTX(ssl, pc->ctx);
> >              return SSL_TLSEXT_ERR_OK;
> >          }
> > -
> > -    /* logmsg(LOG_DEBUG, "No match for %s, default used", server_name); */
> > +    }
> > +    logmsg(LOG_DEBUG, "No match for %s, default used", server_name);
> >      SSL_set_SSL_CTX(ssl, ctx->ctx);
> >      return SSL_TLSEXT_ERR_OK;
> >  }
> >  #endif
> >
> > Here you see the output when iterating through the certificates, only
> > the first and last present.
> >
> > Apr 11 19:21:46 webproxy pound: try to match pc->server_name backup.eikelenboom.it to server_name davical.eikelenboom.it
> > Apr 11 19:21:46 webproxy pound: try to match pc->server_name security.eikelenboom.it to server_name davical.eikelenboom.it
> > Apr 11 19:21:46 webproxy pound: No match for davical.eikelenboom.it, default used
> >
> > Probably the parsing code isn't storing the certificates properly in
> > the variable or overwriting them somewhere in:
> >
> > #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
> >         /* we have support for SNI */
> >         FILE *fcert;
> >         char server_name[MAXBUF], *cp;
> >         X509 *x509;
> >
> >         if(has_other)
> >             conf_err("Cert directives MUST precede other SSL-specific directives - aborted");
> >         if(res->ctx) {
> >             for(pc = res->ctx; res->next; res = res->next)
> >                 ;
> >             if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
> >                 conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
> >             pc = pc->next;
> >         } else {
> >             if((res->ctx = malloc(sizeof(POUND_CTX))) == NULL)
> >                 conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
> >             pc = res->ctx;
> >         }
> >         if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
> >             conf_err("SSL_CTX_new failed - aborted");
> >         pc->server_name = NULL;
> >         pc->next = NULL;
> >         lin[matches[1].rm_eo] = '\0';
> >         if(SSL_CTX_use_certificate_chain_file(pc->ctx, lin + matches[1].rm_so) != 1)
> >             conf_err("SSL_CTX_use_certificate_chain_file failed - aborted");
> >         if(SSL_CTX_use_PrivateKey_file(pc->ctx, lin + matches[1].rm_so, SSL_FILETYPE_PEM) != 1)
> >             conf_err("SSL_CTX_use_PrivateKey_file failed - aborted");
> >         if(SSL_CTX_check_private_key(pc->ctx) != 1)
> >             conf_err("SSL_CTX_check_private_key failed - aborted");
> >         if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
> >             conf_err("ListenHTTPS: could not open certificate file");
> >         if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
> >             conf_err("ListenHTTPS: could not get certificate subject");
> >         fclose(fcert);
> >         memset(server_name, '\0', MAXBUF);
> >         X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
> >         X509_free(x509);
> >         if(!regexec(&CNName, server_name, 4, matches, 0)) {
> >             server_name[matches[1].rm_eo] = '\0';
> >             if((pc->server_name = strdup(server_name + matches[1].rm_so)) == NULL)
> >                 conf_err("ListenHTTPS: could not set certificate subject");
> >         } else
> >             conf_err("ListenHTTPS: could not get certificate CN");
> >         fprintf(stderr, "CN=<%s>\n", pc->server_name);
> > #else
> >         /* no SNI support */
> >
> > Monday, April 11, 2011, 4:06:39 PM, you wrote:
> >
> > > This is to announce the release of Pound v2.6d. This is an experimental
> > > version - the fourth (and hopefully the last prior to the stable
> > > release) in the 2.6 series.
> > > Changes since version 2.6c:
> > >
> > > Enhancements:
> > > - added parsing for the certificate CN
> > >
> > > Bug fixes:
> > > - fixed problem in task enqueuing
> > > - fixed small problem in Makefile
> > >
> > > The software is at version 2.6d (beta quality). Further testing
> > > (especially under heavy loads), improvements and suggestions are
> > > welcome.
> >
> > --
> > Best regards,
> > Sander mailto:[email protected]
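Review bot: on the config.c hunk quoted above (the @@ -795,18 +795,19 @@ region), the two logmsg() calls it enables, the per-certificate "try to match ..." line inside the loop and the now-unconditional "No match for %s, default used" line, run at LOG_DEBUG on every TLS handshake that carries an SNI name, once per configured certificate plus once more on fallback; that is exactly what is needed to diagnose the matching problem reported here, but they should go back behind a comment or a debug switch, as the surrounding commented-out logmsg() lines are, before the change is carried any further. While there: the two commented-out messages reference servername, whereas the variable actually passed to fnmatch() and to the new log lines is server_name, so uncommenting them as written would not compile. One more observation on the unchanged fnmatch(pc->server_name, server_name, 0) context line, since the new log output makes the comparison visible: the certificate CN is used as a glob pattern, and with flags 0 a * in the CN also matches ".", so a wildcard CN matches more than a single DNS label.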
