Use this one instead.
http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers_v2.patch

Should start with hash 1698011920aa9c.

Changes -
Remove the SNI logging information (that never belonged as part of this patch 
and caused segfaults)
Redo the whitespace to use spaces instead of tabs to be consistent with pound 
best practices

Joe
 
> > -----Original Message-----
> > From: Joe Gooch [mailto:[email protected]]
> > Sent: Thursday, February 02, 2012 10:41 AM
> > To: '[email protected]'
> > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> >
> > No worries. You can PM the information to me, or really, what Pound
> > extracts is the CN information. Or at least that's what the regex is
> > supposed to pull. I was hoping to see the subject line so I could see
> > if it's in a format pound should parse properly, or if it's something
> > else it's not expecting.
> >
> > My thought is either your cert's subject line isn't being parsed
> > properly, which is causing a problem in fnmatch, or the value isn't
> > being initialized at all (but I'm not sure how that would happen)...
> > Or somehow turning on the honor cipher order option causes some other
> > type of callback to occur with SNI.... But I can't see how Cipher
> > Suites would be related to SNI servername extensions.
> >
> > But I certainly don't want to compromise your SSL security.
> >
> > Joe
> >
> > > -----Original Message-----
> > > From: [email protected] [mailto:[email protected]]
> > > Sent: Thursday, February 02, 2012 10:29 AM
> > > To: [email protected]
> > > Subject: Re: RE: [Pound Mailing List] Pound 2.6f and
> > > SSLHonorCipherOrder
> > >
> > > Hi Joe,
> > >
> > > Good news: after we applied the line "#undef
> > > SSL_CTRL_SET_TLSEXT_SERVERNAME_CB" in config.c and a new compile,
> > > we don't see any segfaults. I'm afraid it's not possible for me
> > > to send you all of the x509 information. But I can tell you that we
> > > have 2 EV-SSL certificates and two "normal" SSL certificates. Do you
> > > need some more information, or maybe some information that won't show
> > > any company information of the SSL certificate?
> > >
> > > Kind Regards
> > >
> > > fatcharly
> > >
> > >
> > >
> > >
> > > -------- Original Message --------
> > > > Date: Thu, 2 Feb 2012 14:07:12 +0000
> > > > From: Joe Gooch <[email protected]>
> > > > To: "'[email protected]'" <[email protected]>
> > > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > >
> > > > Also, perhaps running it with -v, or setting LogFacility -, (or
> > > > both) will yield a bigger picture... That'll output all the logs
> > > > on the console. (so you'll see debug and info and everything else
> > > > on the same screen) In your msg below I'm not seeing the LOG_DEBUG
> > > > messages from SNI... So maybe syslog is filtering those out, or
> > > > saving them elsewhere...
> > > >
> > > > Joe
> > > >
> > > > > -----Original Message-----
> > > > > From: Joe Gooch
> > > > > Sent: Thursday, February 02, 2012 9:00 AM
> > > > > To: '[email protected]'
> > > > > Subject: RE: [Pound Mailing List] Pound 2.6f and
> > > SSLHonorCipherOrder
> > > > >
> > > > > It still won't segfault for me. :-/
> > > > >
> > > > > "ip" in this context means instruction pointer, not internet
> > > > > protocol.
> > > > > http://stackoverflow.com/questions/2549214/interpreting-segfault-messages
> > > > >
> > > > > addr2line -e pound 08051f5c
> > > > > /root/download/Pound-2.6f/config.c:808
> > > > >
> > > > > Which is square in the middle of the SNI checking.
> > > > >
> > > > > At the top of your config.c (say around line 74) can you do
> > > > > #undef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
> > > > >
> > > > > And recompile? That should disable SNI. (Which IIRC you weren't
> > > > > using anyway)
> > > > >
> > > > > And then let me know if you still see segfaults.
> > > > >
> > > > > Further, could you provide the subject of all the certificates
> > > > > you're using?  I.e. the output of:
> > > > > openssl x509 -noout -in yourpemfile.pem -subject
> > > > >
> > > > >
> > > > > Joe
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: [email protected] [mailto:[email protected]]
> > > > > > Sent: Thursday, February 02, 2012 7:56 AM
> > > > > > To: [email protected]
> > > > > > Subject: Re: RE: RE: [Pound Mailing List] Pound 2.6f and
> > > > > > SSLHonorCipherOrder
> > > > > >
> > > > > > Hi Joe,
> > > > > >
> > > > > > Yes, we did fix the patchfile. I did some further investigation
> > > > > > on this and there is some news I have to share. First some
> > > > > > answers to your questions:
> > > > > > > 1) Does this happen on every request for you? Or is it
> > > > > > > sporadic?
> > > > > > No, it's much more than just sporadic: some requests get
> > > > > > answered and some not.
> > > > > > > 2) 32 or 64 bit? I can whip up a i386 chroot if need be
> > > > > > It's plain 32-bit.
> > > > > > > 3) Looking at the packages below do you see any blatant
> > > > > > > differences between my setup and yours
> > > > > > No, but I will put my list in a special mail to send it directly
> > > > > > with the tar archive of our pound directory to you.
> > > > > > > 4) Anything else you can think of to help me track this down
> > > > > > > for you?
> > > > > > Yes, I could zero in on the problem a bit. First a bit about our
> > > > > > setup: The pound is in dmz-A, the webserver is in dmz-B, and the
> > > > > > requesting client comes a) from the internet or b) from the
> > > > > > internal network. When we start the pound everything works fine,
> > > > > > as long as the requests are coming from the internal network and
> > > > > > the request is sent to an IP of the dmz-A network. So everything
> > > > > > worked with this setup for the internal network. But when there
> > > > > > are requests from the internet, we get segfaults. The request is
> > > > > > received from the firewall, which does a NAT to pass the external
> > > > > > IP of the website to the internal IP of the dmz-A network. And
> > > > > > some requests are working (as I can see in the logfile of pound)
> > > > > > and some cause segfaults. We can only test this by switching the
> > > > > > productive path between the pound and our loadbalancer appliance
> > > > > > (as this one works, we are sure the NAT is not a problem). So
> > > > > > maybe there is a problem with some IPs which cause the segfault.
> > > > > > The segfaults appear even when there is no SSLHonorCipherOrder
> > > > > > enabled.
> > > > > > I'm not deep into this segfault thing, but there the word "ip" is
> > > > > > mentioned:
> > > > > > Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4
> > > > > > ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]
> > > > > >
> > > > > > Is there anything else I can do to support you ?
> > > > > >
> > > > > > Kind Regards
> > > > > >
> > > > > > fatcharly
> > > > > >
> > > > > >
> > > > > >
> > > > > > > -------- Original Message --------
> > > > > > > Date: Wed, 1 Feb 2012 21:18:04 +0000
> > > > > > > From: Joe Gooch <[email protected]>
> > > > > > > To: "'[email protected]'" <[email protected]>
> > > > > > > Subject: RE: RE: [Pound Mailing List] Pound 2.6f and
> > > > > > > SSLHonorCipherOrder
> > > > > > >
> > > > > >
> > > > > > --
> > > > > > Recommend GMX DSL to your friends and acquaintances and we will
> > > > > > reward you with up to 50 Euro!
> > > > > > https://freundschaftswerbung.gmx.de
> > > > > >
> > > > > > --
> > > > > > To unsubscribe send an email with subject unsubscribe to
> > > > > > [email protected].
> > > > > > Please contact [email protected] for questions.
> > >
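As an added example (not part of this thread or of Pound itself), the following Python does by script what Joe did by hand with addr2line: it parses the kernel "segfault at" line fatcharly posted, interprets the x86 error code, reports whether the tiny fault address looks like a NULL struct-pointer dereference, and builds the addr2line command. The check against 0x08048000 (the classic i386 non-PIE link address) for deciding whether ip can be passed to addr2line unchanged is my assumption.

```python
import re

# Matches the kernel's "segfault at" report (x86, as in the thread's log line).
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# x86 page-fault error code bits, as printed in decimal by the kernel.
ERR_PRESENT, ERR_WRITE, ERR_USER = 1, 2, 4

# Assumption: a mapping starting at the classic i386 non-PIE link address means
# ip is already a link-time address, so addr2line takes it unchanged (matching
# "addr2line -e pound 08051f5c" in the thread); otherwise pass the offset.
NON_PIE_I386_BASE = 0x08048000


def decode_segfault(line):
    # Returns a dict describing the fault, or None if the line does not match.
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    err = int(m["err"])
    addr, ip, base, size = (int(m[k], 16) for k in ("addr", "ip", "base", "size"))
    offset = ip - base
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": addr,
        "ip": ip,
        "in_mapping": base <= ip < base + size,  # else the fault is in another object
        "offset": offset,
        # A tiny fault address means a NULL (or near-NULL) struct pointer was
        # dereferenced at a field offset; "at 4" is the second 32-bit field.
        "null_deref": addr < 0x1000,
        "access": "write" if err & ERR_WRITE else "read",
        "mode": "user" if err & ERR_USER else "kernel",
        "page_present": bool(err & ERR_PRESENT),
        "addr2line": "addr2line -e %s %08x" % (
            m["obj"].strip(), ip if base == NON_PIE_I386_BASE else offset),
    }


# Constructed sample: the line quoted in the thread.
SAMPLE = ("Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 "
          "ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]")

if __name__ == "__main__":
    for key, value in decode_segfault(SAMPLE).items():
        print("%-13s %s" % (key, value))
```

For the sample line the decoder reports a user-mode read of a not-present page at address 4, i.e. a NULL pointer dereferenced one field in, which is consistent with the SNI code at config.c:808 being handed an uninitialised pointer.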