And in addition, updated patches:

http://goochfriend.org/pound_2.6f_xss_redirect_fix_v2.patch
The only difference here is the whitespace handling. No functional changes.

http://goochfriend.org/pound_2.6f_sni_optimization.patch
Only look at SNI headers/callback if we have more than one cert... No need to do a callback otherwise.

Joe

> -----Original Message-----
> From: Joe Gooch
> Sent: Thursday, February 02, 2012 1:25 PM
> To: '[email protected]'
> Cc: 'Martin Meredith'
> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
>
> Use this one instead.
> http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers_v2.patch
>
> Should start with hash 1698011920aa9c.
>
> Changes -
> Remove the SNI logging information (that never belonged as part of this patch and caused segfaults)
> Redo the whitespace to use spaces instead of tabs to be consistent with pound best practices
>
> Joe
>
> > > -----Original Message-----
> > > From: Joe Gooch [mailto:[email protected]]
> > > Sent: Thursday, February 02, 2012 10:41 AM
> > > To: '[email protected]'
> > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > >
> > > No worries. You can PM the information to me, or really, what Pound extracts is the CN information. Or at least that's what the regex is supposed to pull. I was hoping to see the subject line so I could see if it's in a format pound should parse properly, or if it's something else it's not expecting.
> > >
> > > My thought is either your cert's subject line isn't being parsed properly, which is causing a problem in fnmatch, or the value isn't being initialized at all (but I'm not sure how that would happen)... Or somehow turning on the honor cipher order option causes some other type of callback to occur with SNI.... But I can't see how Cipher Suites would be related to SNI servername extensions.
> > >
> > > But I certainly don't want to compromise your SSL security.
> > >
> > > Joe
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]]
> > > > Sent: Thursday, February 02, 2012 10:29 AM
> > > > To: [email protected]
> > > > Subject: Re: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > >
> > > > Hi Joe,
> > > >
> > > > good news, after we applied the line "#undef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB" in the config.c and a new compile, we don't see any segfaults. I'm afraid, but it's not possible for me to send you all of the x509-Information. But I can tell you that we have 2 EV-SSL's and two "normal" SSL-Certificates. Do you need some more information, or maybe some information that won't show any company information of the SSL-Certificate?
> > > >
> > > > Kind Regards
> > > >
> > > > fatcharly
> > > >
> > > > -------- Original Message --------
> > > > > Date: Thu, 2 Feb 2012 14:07:12 +0000
> > > > > From: Joe Gooch <[email protected]>
> > > > > To: "'[email protected]'" <[email protected]>
> > > > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > >
> > > > > Also, perhaps running it with -v, or setting LogFacility -, (or both) will yield a bigger picture... That'll output all the logs on the console. (so you'll see debug and info and everything else on the same screen) In your msg below I'm not seeing the LOG_DEBUG messages from SNI... So maybe syslog is filtering those out, or saving them elsewhere...
> > > > >
> > > > > Joe
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Joe Gooch
> > > > > > Sent: Thursday, February 02, 2012 9:00 AM
> > > > > > To: '[email protected]'
> > > > > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > >
> > > > > > It still won't segfault for me. :-/
> > > > > >
> > > > > > "ip" in this context means instruction pointer, not internet protocol.
> > > > > > http://stackoverflow.com/questions/2549214/interpreting-segfault-messages
> > > > > >
> > > > > > addr2line -e pound 08051f5c
> > > > > > /root/download/Pound-2.6f/config.c:808
> > > > > >
> > > > > > Which, is square in the middle of the SNI checking.
> > > > > >
> > > > > > At the top of your config.c (say around line 74) can you do
> > > > > > #undef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
> > > > > >
> > > > > > And recompile? That should disable SNI. (Which IIRC you weren't using anyway)
> > > > > >
> > > > > > And then let me know if you still see segfaults.
> > > > > >
> > > > > > Further, could you provide the subject of all the certificates you're using? I.e. the output of:
> > > > > > openssl x509 -noout -in yourpemfile.pem -subject
> > > > > >
> > > > > > Joe
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: [email protected] [mailto:[email protected]]
> > > > > > > Sent: Thursday, February 02, 2012 7:56 AM
> > > > > > > To: [email protected]
> > > > > > > Subject: Re: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > > >
> > > > > > > Hi Joe,
> > > > > > >
> > > > > > > yes we did fix the patchfile. I did some further investigation on this and there are some news I have to share. First some answers for your questions:
> > > > > > > >1) Does this happen on every request for you? Or is it sporadic?
> > > > > > > no, it's much more than just sporadic, some requests get answered and some not.
> > > > > > > >2) 32 or 64 bit? I can whip up a i386 chroot if need be
> > > > > > > it's plain 32 bit
> > > > > > > >3) Looking at the packages below do you see any blatant differences between my setup and yours
> > > > > > > no, but I will put my list in a special mail to send it directly with the tar-archive of our pound-directory to you
> > > > > > > >4) Anything else you can think of to help me track this down for you?
> > > > > > > Yes, I could zero in the problem a bit. First a bit about our setup:
> > > > > > > The pound is in dmz-A, the webserver is in dmz-B, and the requesting Client comes a) from the internet or b) from the internal network. When we start the pound everything works fine, as long as the requests are coming from the internal network and the request is sent to an IP of the dmz-A network. So everything worked with this setup for the internal network. But when there are requests from the internet, we get segfaults. The request is received from the firewall which does a NAT to pass the external IP of the website to the internal IP of the dmz-A network. And some requests are working (as I can see in the logfile of pound) and some cause segfaults. We can only test this by switching the productive path between the pound and our loadbalancer-appliance (as this one works, we are sure the NAT is not a problem). So maybe there is a problem with some IP's which cause the segfault. The segfaults appear even when there is no SSLHonorCipherOrder enabled.
> > > > > > > I'm not deep into this segfault thing, but there the word "ip" is mentioned:
> > > > > > > Feb 2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]
> > > > > > >
> > > > > > > Is there anything else I can do to support you?
> > > > > > >
> > > > > > > Kind Regards
> > > > > > >
> > > > > > > fatcharly
> > > > > > >
> > > > > > > -------- Original Message --------
> > > > > > > > Date: Wed, 1 Feb 2012 21:18:04 +0000
> > > > > > > > From: Joe Gooch <[email protected]>
> > > > > > > > To: "'[email protected]'" <[email protected]>
> > > > > > > > Subject: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > > >
> > > > > > > --
> > > > > > > Recommend GMX DSL to your friends and acquaintances and we will reward you with up to 50 euros!
> > > > > > > https://freundschaftswerbung.gmx.de
> > > > > > >
> > > > > > > --
> > > > > > > To unsubscribe send an email with subject unsubscribe to [email protected].
> > > > > > > Please contact [email protected] for questions.
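As an added example (not from the thread or from the Pound project), a small Python parser for the kernel segfault line quoted above: it decodes the x86 page-fault error bits, checks that the instruction pointer falls inside the reported mapping, and derives the addr2line invocation Joe used. The sample line is the one from the thread; the function names are my own.

```python
import re

# Sample input: the kernel line quoted in the thread (pid and addresses copied from it).
SAMPLE = ("Feb 2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 "
          "ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]")

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def parse_segfault(line):
    """Return a dict describing the fault, or None if the line is not a segfault report."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    addr, ip = int(d["addr"], 16), int(d["ip"], 16)
    base, size = int(d["base"], 16), int(d["size"], 16)
    err = int(d["err"])
    return {
        "comm": d["comm"], "pid": int(d["pid"]), "object": d["obj"].strip(),
        "fault_addr": addr, "ip": ip, "sp": int(d["sp"], 16),
        "base": base, "size": size,
        # x86 page-fault error code: bit0 = protection violation (0 = page not present),
        # bit1 = write access (0 = read), bit2 = fault taken in user mode.
        "protection_violation": bool(err & 1),
        "write": bool(err & 2),
        "user_mode": bool(err & 4),
        # ip inside the reported text mapping means the crash is in the binary itself,
        # not in a shared library; the offset is what a PIE build would need.
        "ip_in_object": base <= ip < base + size,
        "ip_offset": ip - base,
        # A fault address within the first page is almost always a NULL pointer plus
        # a small struct-member offset, i.e. an uninitialised or missing pointer.
        "likely_null_deref": addr < 4096,
    }

def addr2line_args(info):
    """Command line to map the ip to a source line. For a non-PIE i386 binary mapped at
    its link address (0x8048000 here) the absolute ip is passed, as in the thread."""
    return ["addr2line", "-e", info["object"], f"{info['ip']:08x}"]

if __name__ == "__main__":
    info = parse_segfault(SAMPLE)
    print(info)
    print(" ".join(addr2line_args(info)))
```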
