No worries. You can PM the information to me, or really, what Pound extracts is 
the CN information.  Or at least that's what the regex is supposed to pull.  I 
was hoping to see the subject line so I could see if it's in a format pound 
should parse properly, or if it's something else it's not expecting.

My thought is either your cert's subject line isn't being parsed properly, 
which is causing a problem in fnmatch, or the value isn't being initialized at 
all (but I'm not sure how that would happen)... Or somehow turning on the honor 
cipher order option causes some other type of callback to occur with SNI.... 
But I can't see how Cipher Suites would be related to SNI servername extensions.

But I certainly don't want to compromise your SSL security.

Joe

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Thursday, February 02, 2012 10:29 AM
> To: [email protected]
> Subject: Re: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> 
> Hi Joe,
> 
> good news, after we applied the line "#undef
> SSL_CTRL_SET_TLSEXT_SERVERNAME_CB" in the config.c and a new compile,
> we don't see any segfaults. I'm afraid it's not possible for me to
> send you all of the x509 information. But I can tell you that we have 2
> EV-SSLs and two "normal" SSL certificates. Do you need some more
> information, or maybe some information that won't show any company
> information of the SSL certificate?
> 
> Kind Regards
> 
> fatcharly
> 
> 
> 
> 
> -------- Original Message --------
> > Date: Thu, 2 Feb 2012 14:07:12 +0000
> > From: Joe Gooch <[email protected]>
> > To: "'[email protected]'" <[email protected]>
> > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> 
> > Also, perhaps running it with -v, or setting LogFacility -, (or both)
> > will yield a bigger picture... That'll output all the logs on the
> > console. (so you'll see debug and info and everything else on the same
> > screen)  In your msg below I'm not seeing the LOG_DEBUG messages from
> > SNI... So maybe syslog is filtering those out, or saving them elsewhere...
> >
> > Joe
> >
> > > -----Original Message-----
> > > From: Joe Gooch
> > > Sent: Thursday, February 02, 2012 9:00 AM
> > > To: '[email protected]'
> > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > >
> > > It still won't segfault for me. :-/
> > >
> > > "ip" in this context means instruction pointer, not internet protocol.
> > > http://stackoverflow.com/questions/2549214/interpreting-segfault-messages
> > >
> > > addr2line -e pound 08051f5c
> > > /root/download/Pound-2.6f/config.c:808
> > >
> > > Which is square in the middle of the SNI checking.
> > >
> > > At the top of your config.c (say around line 74) can you do #undef
> > > SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
> > >
> > > And recompile?  That should disable SNI.  (Which IIRC you weren't
> > > using anyway)
> > >
> > > And then let me know if you still see segfaults.
> > >
> > > Further, could you provide the subject of all the certificates
> > > you're using?  I.e. the output of:
> > > openssl x509 -noout -in yourpemfile.pem -subject
> > >
> > >
> > > Joe
> > >
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]]
> > > > Sent: Thursday, February 02, 2012 7:56 AM
> > > > To: [email protected]
> > > > Subject: Re: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > >
> > > > Hi Joe,
> > > >
> > > > yes we did fix the patchfile. I did some further investigation on
> > > > this and there is some news I have to share. First some answers for
> > > > your questions:
> > > > >1) Does this happen on every request for you? Or is it sporadic?
> > > > no, it's much more than just sporadic, some requests get answered
> > > > and some not.
> > > > >2) 32 or 64 bit?  I can whip up a i386 chroot if need be
> > > > it's plain 32 bit
> > > > >3) Looking at the packages below do you see any blatant
> > > > >differences between my setup and yours
> > > > no, but I will put my list in a special mail to send it directly
> > > > with the tar-archive of our pound-directory to you
> > > > >4) Anything else you can think of to help me track this down
> > > > >for you?
> > > > Yes, I could zero in the problem a bit. First a bit about our setup:
> > > > The pound is in dmz-A, the webserver is in dmz-B, and the
> > > > requesting Client comes a) from the internet or b) from the
> > > > internal network.
> > > > When we start the pound everything works fine, as long as the
> > > > requests are coming from the internal network and the request is
> > > > sent to an IP of the dmz-A network. So everything worked with this
> > > > setup for the internal network. But when there are requests from the
> > > > internet, we get segfaults. The request is received from the
> > > > firewall which does a NAT to pass the external IP of the website
> > > > to the internal IP of the dmz-A network. And some requests are
> > > > working (as I can see in the logfile of pound) and some cause
> > > > segfaults. We can only test this by
> > > > switching between the pound and our loadbalancer-appliance (as
> > > > this one works, we are sure the NAT is not a problem) the
> > > > productive path. So maybe there is a problem with some IPs which
> > > > cause the segfault. The segfaults appear even when there is no
> > > > SSLHonorCipherOrder enabled.
> > > > I'm not deep into this segfault thing, but there is the word "ip"
> > > > mentioned:
> > > > Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 ip
> > > > 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]
> > > >
> > > > Is there anything else I can do to support you?
> > > >
> > > > Kind Regards
> > > >
> > > > fatcharly
> > > >
> > > >
> > > >
> > > > > -------- Original Message --------
> > > > > Date: Wed, 1 Feb 2012 21:18:04 +0000
> > > > > From: Joe Gooch <[email protected]>
> > > > > To: "'[email protected]'" <[email protected]>
> > > > > Subject: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > >
> > > >
> > > > --
> > > > To unsubscribe send an email with subject unsubscribe to
> > > > [email protected].
> > > > Please contact [email protected] for questions.
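
Decoding the kernel segfault line quoted in this thread, as an added example that is not part of the original messages or of Pound's source: it parses the record, checks the x86 page-fault error code, and computes where the instruction pointer sits inside the `pound` mapping. The struct and function names are illustrative, and the near-NULL test is a heuristic.

```c
#include <stdio.h>
#include <string.h>

/* x86 page-fault error code bits, printed after "error" in the log line. */
#define PF_PROT  0x01  /* set: protection violation; clear: page not present */
#define PF_WRITE 0x02  /* set: write access; clear: read */
#define PF_USER  0x04  /* set: fault raised in user mode */

struct segv {
    unsigned long addr, ip, sp, err; /* fault address, instruction ptr, stack ptr, error code */
    unsigned long base, size;        /* mapping holding ip, printed as name[base+size] */
    char image[64];
};

/* Log line quoted in the thread, rejoined onto one line. */
static const char SAMPLE[] = "Feb  2 11:45:52 pilotpound kernel: pound[28641]: "
    "segfault at 4 ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]";

/* Returns 0 and fills *s for a segfault record, -1 for any other line. */
int parse_segv(const char *line, struct segv *s)
{
    const char *p = strstr(line, "segfault at ");
    if (p == NULL)
        return -1;
    return sscanf(p, "segfault at %lx ip %lx sp %lx error %lx in %63[^[][%lx+%lx]",
                  &s->addr, &s->ip, &s->sp, &s->err, s->image, &s->base, &s->size) == 7 ? 0 : -1;
}

/* Offset of ip inside its mapping, or -1 when ip lies outside it. */
long ip_offset(const struct segv *s)
{
    return (s->ip >= s->base && s->ip - s->base < s->size) ? (long)(s->ip - s->base) : -1;
}

/* Heuristic: a not-present page below 4096 is typically NULL plus a small field offset. */
int near_null(const struct segv *s)
{
    return !(s->err & PF_PROT) && s->addr < 4096;
}

int main(void)
{
    struct segv s;
    if (parse_segv(SAMPLE, &s) != 0) return 1;
    printf("%s: %s-mode %s of 0x%lx, ip=0x%lx (+0x%lx), near-NULL=%d\n", s.image,
           (s.err & PF_USER) ? "user" : "kernel", (s.err & PF_WRITE) ? "write" : "read",
           s.addr, s.ip, (unsigned long)ip_offset(&s), near_null(&s));
    return 0;
}
```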