Hi Joe,

This last one does the trick ! :-)

Thx,
Sander

Monday, April 11, 2011, 7:39:36 PM, you wrote:

> Revised... take 2.
>
> Change for(pc = res->ctx; res->next; res = res->next)
> To: for(pc = res->ctx; pc->next; pc = pc->next)
>
> And retest :)
>
> Joe
>
> Joseph Gooch
> Sapphire Suite Product Manager
> K12 Systems, Inc.
> (866) 366-9540
>
> Confidentiality Notice:
> This e-mail transmission may contain confidential and legally privileged
> information that is intended only for the individual named in the e-mail
> address. If you are not the intended recipient, you are hereby notified that
> any disclosure, copying, distribution, or reliance upon the contents of this
> e-mail message is strictly prohibited. If you have received this e-mail
> transmission in error, please reply to the sender, so that proper delivery
> can be arranged, and please delete the message from your mail box.
>
>> -----Original Message-----
>> From: Joe Gooch
>> Sent: Monday, April 11, 2011 1:38 PM
>> To: [email protected]; Robert Segall
>> Subject: RE: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
>>
>> Change
>> for(pc = res->ctx; res->next; res = res->next)
>>
>> To:
>> for(pc = res->ctx; res->next; pc = res->next)
>>
>> And retest.
>>
>> Joe
>>
>>
>> > -----Original Message-----
>> > From: Sander Eikelenboom [mailto:[email protected]]
>> > Sent: Monday, April 11, 2011 1:29 PM
>> > To: Robert Segall
>> > Cc: [email protected]
>> > Subject: Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
>> >
>> > Hi Robert,
>> >
>> > The parsing of the CN name is OK now, as I said earlier there still is
>> > a problem: only the first and last certificate seem to be matched,
>> > although all are parsed from the config file without error.
>> >
>> > --
>> > Sander
>> >
>> >
>> > When pound starts:
>> > Starting reverse proxy and load balancer: poundstarting...
>> > CN=<backup.eikelenboom.it>
>> > CN=<git.eikelenboom.it>
>> > CN=<davical.eikelenboom.it>
>> > CN=<security.eikelenboom.it>
>> >
>> > So all have been parsed OK.
>> >
>> >
>> > Below the log after applying the patch below:
>> >
>> > root@webproxy:/usr/src/pound-2.6d# diff -U5 ../Pound-2.6d/config.c config.c
>> > --- ../Pound-2.6d/config.c 2011-04-11 15:59:05.000000000 +0200
>> > +++ config.c 2011-04-11 19:20:00.000000000 +0200
>> > @@ -795,18 +795,19 @@
>> >          return SSL_TLSEXT_ERR_NOACK;
>> >
>> >      /* logmsg(LOG_DEBUG, "Received SSL SNI Header for servername %s", servername); */
>> >
>> >      SSL_set_SSL_CTX(ssl, NULL);
>> > -    for(pc = ctx; pc; pc = pc->next)
>> > +    for(pc = ctx; pc; pc = pc->next){
>> > +        logmsg(LOG_DEBUG, "try to match pc->server_name %s to server_name %s",pc->server_name,server_name);
>> >          if(fnmatch(pc->server_name, server_name, 0) == 0) {
>> >              /* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
>> >              SSL_set_SSL_CTX(ssl, pc->ctx);
>> >              return SSL_TLSEXT_ERR_OK;
>> >          }
>> > -
>> > -    /* logmsg(LOG_DEBUG, "No match for %s, default used", server_name); */
>> > +    }
>> > +    logmsg(LOG_DEBUG, "No match for %s, default used", server_name);
>> >      SSL_set_SSL_CTX(ssl, ctx->ctx);
>> >      return SSL_TLSEXT_ERR_OK;
>> >  }
>> >  #endif
>> >
>> >
>> >
>> > Here you see the output when iterating through the certificates, only
>> > the first and last present.
>> >
>> > Apr 11 19:21:46 webproxy pound: try to match pc->server_name backup.eikelenboom.it to server_name davical.eikelenboom.it
>> > Apr 11 19:21:46 webproxy pound: try to match pc->server_name security.eikelenboom.it to server_name davical.eikelenboom.it
>> > Apr 11 19:21:46 webproxy pound: No match for davical.eikelenboom.it, default used
>> >
>> >
>> >
>> >
>> > Probably the parsing code isn't storing the certificates properly in
>> > the variable or overwriting them somewhere in:
>> >
>> > #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
>> >         /* we have support for SNI */
>> >         FILE *fcert;
>> >         char server_name[MAXBUF], *cp;
>> >         X509 *x509;
>> >
>> >         if(has_other)
>> >             conf_err("Cert directives MUST precede other SSL-specific directives - aborted");
>> >         if(res->ctx) {
>> >             for(pc = res->ctx; res->next; res = res->next)
>> >                 ;
>> >             if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
>> >                 conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
>> >             pc = pc->next;
>> >         } else {
>> >             if((res->ctx = malloc(sizeof(POUND_CTX))) == NULL)
>> >                 conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
>> >             pc = res->ctx;
>> >         }
>> >         if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
>> >             conf_err("SSL_CTX_new failed - aborted");
>> >         pc->server_name = NULL;
>> >         pc->next = NULL;
>> >         lin[matches[1].rm_eo] = '\0';
>> >         if(SSL_CTX_use_certificate_chain_file(pc->ctx, lin + matches[1].rm_so) != 1)
>> >             conf_err("SSL_CTX_use_certificate_chain_file failed - aborted");
>> >         if(SSL_CTX_use_PrivateKey_file(pc->ctx, lin + matches[1].rm_so, SSL_FILETYPE_PEM) != 1)
>> >             conf_err("SSL_CTX_use_PrivateKey_file failed - aborted");
>> >         if(SSL_CTX_check_private_key(pc->ctx) != 1)
>> >             conf_err("SSL_CTX_check_private_key failed - aborted");
>> >         if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
>> >             conf_err("ListenHTTPS: could not open certificate file");
>> >         if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
>> >             conf_err("ListenHTTPS: could not get certificate subject");
>> >         fclose(fcert);
>> >         memset(server_name, '\0', MAXBUF);
>> >         X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
>> >         X509_free(x509);
>> >         if(!regexec(&CNName, server_name, 4, matches, 0)) {
>> >             server_name[matches[1].rm_eo] = '\0';
>> >             if((pc->server_name = strdup(server_name + matches[1].rm_so)) == NULL)
>> >                 conf_err("ListenHTTPS: could not set certificate subject");
>> >         } else
>> >             conf_err("ListenHTTPS: could not get certificate CN");
>> >         fprintf(stderr, "CN=<%s>\n", pc->server_name);
>> > #else
>> >         /* no SNI support */
>> >
>> >
>> >
>> >
>> >
>> > Monday, April 11, 2011, 4:06:39 PM, you wrote:
>> >
>> > > This is to announce the release of Pound v2.6d. This is an experimental
>> > > version - the fourth (and hopefully the last prior to the stable
>> > > release) in the 2.6 series.
>> > > Changes since version 2.6c:
>> >
>> > > Enhancements:
>> > > - added parsing for the certificate CN
>> >
>> > > Bug fixes:
>> > > - fixed problem in task enqueuing
>> > > - fixed small problem in Makefile
>> >
>> > > The software is at version 2.6d (beta quality). Further testing
>> > > (especially under heavy loads), improvements and suggestions are
>> > > welcome.
>> >
>> >
>> >
>> > --
>> > Best regards,
>> > Sander mailto:[email protected]
>> >
>> >
>> > --
>> > To unsubscribe send an email with subject unsubscribe to [email protected].
>> > Please contact [email protected] for questions.
>
>

--
Best regards,
Sander mailto:[email protected]
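The list-append defect behind the "only first and last certificate" symptom, as an added example that is not from this thread and not Pound's code: it models the POUND_CTX append from the quoted config.c excerpt with both the original loop and Joe's take-2 loop, then runs the same fnmatch search the SNI callback uses over the four CNs from Sander's startup log. The type and field names follow the quoted excerpt; the static node pool, build, reachable_certs and sni_matches are helpers assumed here for the demonstration.

```c
/* Added example, not Pound's own code: models the POUND_CTX list append from
 * config.c and the SNI callback's search to show why the original loop leaves
 * only the first and last certificate reachable. Helper names are assumptions. */
#include <fnmatch.h>
#include <stdio.h>

typedef struct pound_ctx {
    const char *server_name;    /* CN taken from the certificate */
    struct pound_ctx *next;     /* next certificate on this listener */
} POUND_CTX;

typedef struct listener {
    POUND_CTX *ctx;             /* head of the per-certificate list */
    struct listener *next;      /* next listener; NULL while this one is parsed */
} LISTENER;

/* Static pool instead of malloc so orphaned nodes are not leaked; build() resets it. */
static POUND_CTX pool[8];
static size_t n_used;
static POUND_CTX *new_ctx(const char *cn) {
    POUND_CTX *pc = &pool[n_used++];
    pc->server_name = cn;
    pc->next = NULL;
    return pc;
}

/* Loop from the config.c excerpt: it tests and advances res (the listener,
 * whose next is NULL while it is being parsed) instead of pc, so pc never
 * leaves the head and each new node overwrites head->next. */
void add_cert_buggy(LISTENER *res, const char *cn) {
    POUND_CTX *pc;
    if (res->ctx) {
        for (pc = res->ctx; res->next; res = res->next)
            ;
        pc->next = new_ctx(cn);   /* whatever hung here before is now orphaned */
    } else
        res->ctx = new_ctx(cn);
}

/* Joe's "take 2": walk pc to the tail and link the new node there. */
void add_cert_fixed(LISTENER *res, const char *cn) {
    POUND_CTX *pc;
    if (res->ctx) {
        for (pc = res->ctx; pc->next; pc = pc->next)
            ;
        pc->next = new_ctx(cn);
    } else
        res->ctx = new_ctx(cn);
}

/* Same search as the SNI callback: first fnmatch hit wins, NULL means the
 * default certificate would be served. */
const char *match_sni(const LISTENER *res, const char *sni) {
    const POUND_CTX *pc;
    for (pc = res->ctx; pc; pc = pc->next)
        if (fnmatch(pc->server_name, sni, 0) == 0)
            return pc->server_name;
    return NULL;
}

/* Constructed input: the four CNs from the startup log, in config order. */
static const char *const cns[] = {
    "backup.eikelenboom.it", "git.eikelenboom.it",
    "davical.eikelenboom.it", "security.eikelenboom.it"
};

static void build(LISTENER *res, int fixed) {
    n_used = 0;
    res->ctx = NULL;
    res->next = NULL;
    for (size_t i = 0; i < sizeof cns / sizeof cns[0]; i++)
        (fixed ? add_cert_fixed : add_cert_buggy)(res, cns[i]);
}

/* How many certificates the SNI callback can reach after the four adds. */
int reachable_certs(int fixed) {
    LISTENER res;
    int n = 0;
    build(&res, fixed);
    for (const POUND_CTX *pc = res.ctx; pc; pc = pc->next)
        n++;
    return n;
}

/* 1 if the SNI name finds its certificate, 0 if the default would be used. */
int sni_matches(int fixed, const char *sni) {
    LISTENER res;
    build(&res, fixed);
    return match_sni(&res, sni) != NULL;
}

int main(void) {
    printf("buggy append: %d reachable, davical matched: %d\n",
           reachable_certs(0), sni_matches(0, "davical.eikelenboom.it"));
    printf("fixed append: %d reachable, davical matched: %d\n",
           reachable_certs(1), sni_matches(1, "davical.eikelenboom.it"));
    return 0;
}
```

With the original loop the list ends up as backup -> security, which is exactly the pair that shows up in Sander's debug log, and a ClientHello for davical.eikelenboom.it falls through to the default context, so the client is handed a certificate for the wrong host. Joe's first suggestion (assigning pc = res->next) has the same flaw, because the loop condition still reads res->next, which is NULL during parsing; only the take-2 loop walks pc itself to the tail, after which all four CNs are reachable. The practical check for a deployment is the one Sander did: compare the CNs printed at startup with the names actually tried in the SNI callback.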
