Hi Joe,

I've just installed a new pound system with a CentOS 6 64-bit and a pound 2.6f
with your new patch v2 and it works fine.

Thank you very much for your fast and helpful support.

Kind Regards

fatcharly

-------- Original Message --------
> Date: Thu, 2 Feb 2012 18:24:55 +0000
> From: Joe Gooch <[email protected]>
> To: "'[email protected]'" <[email protected]>
> CC: 'Martin Meredith' <[email protected]>
> Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder

> Use this one instead.
> http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers_v2.patch
> 
> Should start with hash 1698011920aa9c.
> 
> Changes -
> Remove the SNI logging information (that never belonged as part of this
> patch and caused segfaults)
> Redo the whitespace to use spaces instead of tabs to be consistent with
> pound best practices
> 
> Joe
>  
> > > -----Original Message-----
> > > From: Joe Gooch [mailto:[email protected]]
> > > Sent: Thursday, February 02, 2012 10:41 AM
> > > To: '[email protected]'
> > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > >
> > > No worries. You can PM the information to me, or really, what Pound
> > > extracts is the CN information.  Or at least that's what the regex is
> > > supposed to pull.  I was hoping to see the subject line so I could see
> > > if it's in a format pound should parse properly, or if it's something
> > > else it's not expecting.
> > >
> > > My thought is either your cert's subject line isn't being parsed
> > > properly, which is causing a problem in fnmatch, or the value isn't
> > > being initialized at all (but I'm not sure how that would happen)...
> > > Or somehow turning on the honor cipher order option causes some other
> > > type of callback to occur with SNI.... But I can't see how Cipher
> > > Suites would be related to SNI servername extensions.
> > >
> > > But I certainly don't want to compromise your SSL security.
> > >
> > > Joe
> > >
> > > > -----Original Message-----
> > > > From: [email protected] [mailto:[email protected]]
> > > > Sent: Thursday, February 02, 2012 10:29 AM
> > > > To: [email protected]
> > > > Subject: Re: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > >
> > > > Hi Joe,
> > > >
> > > > good news, after we applied the line "#undef
> > > > SSL_CTRL_SET_TLSEXT_SERVERNAME_CB" in the config.c and a new compile,
> > > > we don't see any segfaults. I'm afraid it's not possible for me
> > > > to send you all of the x509 information. But I can tell you that we
> > > > have 2 EV-SSLs and two "normal" SSL certificates. Do you need some
> > > > more information or maybe some information that won't show any
> > > > company information of the SSL certificate?
> > > >
> > > > Kind Regards
> > > >
> > > > fatcharly
> > > >
> > > >
> > > >
> > > >
> > > > -------- Original Message --------
> > > > > Date: Thu, 2 Feb 2012 14:07:12 +0000
> > > > > From: Joe Gooch <[email protected]>
> > > > > To: "'[email protected]'" <[email protected]>
> > > > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > >
> > > > > Also, perhaps running it with -v, or setting LogFacility -, (or
> > > > > both) will yield a bigger picture... That'll output all the logs
> > > > > on the console. (so you'll see debug and info and everything else
> > > > > on the same screen)  In your msg below I'm not seeing the LOG_DEBUG
> > > > > messages from SNI... So maybe syslog is filtering those out, or
> > > > > saving them elsewhere...
> > > > >
> > > > > Joe
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Joe Gooch
> > > > > > Sent: Thursday, February 02, 2012 9:00 AM
> > > > > > To: '[email protected]'
> > > > > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > >
> > > > > > It still won't segfault for me. :-/
> > > > > >
> > > > > > "ip" in this context means instruction pointer, not internet
> > > > > > protocol.
> > > > > > http://stackoverflow.com/questions/2549214/interpreting-segfault-messages
> > > > > >
> > > > > > addr2line -e pound 08051f5c
> > > > > > /root/download/Pound-2.6f/config.c:808
> > > > > >
> > > > > > Which, is square in the middle of the SNI checking.
> > > > > >
> > > > > > At the top of your config.c (say around line 74) can you do
> > > > > > #undef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
> > > > > >
> > > > > > And recompile?  That should disable SNI.  (Which IIRC you
> > > > > > weren't using anyway)
> > > > > >
> > > > > > And then let me know if you still see segfaults.
> > > > > >
> > > > > > Further, could you provide the subject of all the certificates
> > > > > > you're using?  I.e. the output of:
> > > > > > openssl x509 -noout -in yourpemfile.pem -subject
> > > > > >
> > > > > >
> > > > > > Joe
> > > > > >
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: [email protected] [mailto:[email protected]]
> > > > > > > Sent: Thursday, February 02, 2012 7:56 AM
> > > > > > > To: [email protected]
> > > > > > > Subject: Re: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > > >
> > > > > > > Hi Joe,
> > > > > > >
> > > > > > > yes we did fix the patchfile. I did some further investigation
> > > > > > > on this and there is some news I have to share. First some
> > > > > > > answers to your questions:
> > > > > > > > 1) Does this happen on every request for you? Or is it sporadic?
> > > > > > > no, it's much more than just sporadic, some requests get
> > > > > > > answered and some not.
> > > > > > > > 2) 32 or 64 bit?  I can whip up a i386 chroot if need be
> > > > > > > it's plain 32 bit
> > > > > > > > 3) Looking at the packages below do you see any blatant
> > > > > > > > differences between my setup and yours
> > > > > > > no, but I will put my list in a special mail to send it directly
> > > > > > > with the tar-archive of our pound-directory to you
> > > > > > > > 4) Anything else you can think of to help me track this
> > > > > > > > down for you?
> > > > > > > Yes, I could zero in on the problem a bit. First a bit about
> > > > > > > our setup:
> > > > > > > The pound is in dmz-A, the webserver is in dmz-B, and the
> > > > > > > requesting client comes a) from the internet or b) from the
> > > > > > > internal network.
> > > > > > > When we start the pound everything works fine, as long as the
> > > > > > > requests are coming from the internal network and the request
> > > > > > > is sent to an IP of the dmz-A network. So everything worked
> > > > > > > with this setup for the internal network. But when there are
> > > > > > > requests from the internet, we get segfaults. The request is
> > > > > > > received from the firewall which does a NAT to pass the
> > > > > > > external IP of the website to the internal IP of the dmz-A
> > > > > > > network. And some requests are working (as I can see in the
> > > > > > > logfile of pound) and some cause segfaults. We can only test
> > > > > > > this by switching between the pound and our
> > > > > > > loadbalancer-appliance (as this one works, we are sure the NAT
> > > > > > > is not a problem) the productive path. So maybe there is a
> > > > > > > problem with some IPs which cause the segfault. The segfaults
> > > > > > > appear even when there is no SSLHonorCipherOrder enabled.
> > > > > > > I'm not deep into this segfault thing, but there is the word
> > > > > > > "ip" mentioned:
> > > > > > > Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]
> > > > > > >
> > > > > > > Is there anything else I can do to support you?
> > > > > > >
> > > > > > > Kind Regards
> > > > > > >
> > > > > > > fatcharly
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > > -------- Original Message --------
> > > > > > > > Date: Wed, 1 Feb 2012 21:18:04 +0000
> > > > > > > > From: Joe Gooch <[email protected]>
> > > > > > > > To: "'[email protected]'" <[email protected]>
> > > > > > > > Subject: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > > > >
> > > > > > >


--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
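
The triage steps used in this thread (reading the kernel's segfault line, then handing the instruction pointer to addr2line) can be scripted. The following is an added example, not code from the thread or from Pound; the function names, the `pie` parameter and the 4096-byte page size are assumptions, and the sample line is the one quoted above.

```python
import re

# Kernel log line quoted in the thread (x86 "segfault at" format).
SAMPLE = ("Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 "
          "ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]")

SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?")

def parse_segfault(line):
    """Return the fields of a kernel segfault line as a dict, or None."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    rec = {"comm": m.group("comm"), "pid": int(m.group("pid")),
           "obj": m.group("obj")}
    for key in ("addr", "ip", "sp", "err", "base", "size"):
        val = m.group(key)          # the kernel prints all of these in hex
        rec[key] = int(val, 16) if val is not None else None
    return rec

def decode_error(err):
    """Decode the x86 page-fault error code bits (P, W/R, U/S, I/D)."""
    return {
        "cause": "protection violation" if err & 0x01 else "page not present",
        "access": ("instruction fetch" if err & 0x10
                   else "write" if err & 0x02 else "read"),
        "mode": "user" if err & 0x04 else "kernel",
    }

def addr2line_arg(rec, pie=False):
    """Address to pass to `addr2line -e <binary>`.

    A non-PIE executable runs at its link address, so ip is used as-is
    (as in the thread). For a PIE binary or shared object the mapping base
    is subtracted; this assumes the mapping starts at the load base.
    """
    if rec["base"] is None or not (
            rec["base"] <= rec["ip"] < rec["base"] + rec["size"]):
        return None                 # ip is outside the reported mapping
    return hex(rec["ip"] - rec["base"] if pie else rec["ip"])

def near_null(rec, page_size=4096):
    """A fault address inside page 0 points to a NULL-based dereference."""
    return rec["addr"] < page_size

if __name__ == "__main__":
    r = parse_segfault(SAMPLE)
    print(r["comm"], decode_error(r["err"]), addr2line_arg(r), near_null(r))
```

For the quoted line this reports a user-mode read of a non-present page at address 4, which is consistent with reading a member through a NULL pointer.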
