No problem.  You may want to consider using 2.6 final though.  Patch should 
still apply.

Joe

> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Wednesday, February 08, 2012 8:23 AM
> To: [email protected]
> Subject: Re: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> 
> Hi Joe,
> 
> I've just installed a new pound system with CentOS 6 64-bit and
> pound 2.6f with your new patch v2 and it works fine.
> 
> Thank you very much for your fast and helpful support.
> 
> Kind Regards
> 
> fatcharly
> 
> -------- Original Message --------
> > Date: Thu, 2 Feb 2012 18:24:55 +0000
> > From: Joe Gooch <[email protected]>
> > To: "'[email protected]'" <[email protected]>
> > CC: 'Martin Meredith' <[email protected]>
> > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> 
> > Use this one instead.
> >
> > http://goochfriend.org/pound_2.6f_ssl_renegotiation_and_ciphers_v2.patch
> >
> > Should start with hash 1698011920aa9c.
> >
> > Changes -
> > Remove the SNI logging information (that never belonged as part of
> > this patch and caused segfaults)
> > Redo the whitespace to use spaces instead of tabs to be consistent
> > with pound best practices
> >
> > Joe
> >
> > > > -----Original Message-----
> > > > From: Joe Gooch [mailto:[email protected]]
> > > > Sent: Thursday, February 02, 2012 10:41 AM
> > > > To: '[email protected]'
> > > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > >
> > > > No worries. You can PM the information to me, or really, what
> > > > Pound extracts is the CN information.  Or at least that's what the
> > > > regex is supposed to pull.  I was hoping to see the subject line
> > > > so I could see if it's in a format pound should parse properly, or
> > > > if it's something else it's not expecting.
> > > >
> > > > My thought is either your cert's subject line isn't being parsed
> > > > properly, which is causing a problem in fnmatch, or the value
> > > > isn't being initialized at all (but I'm not sure how that would
> > > > happen)... Or somehow turning on the honor cipher order option
> > > > causes some other type of callback to occur with SNI.... But I
> > > > can't see how Cipher Suites would be related to SNI servername
> > > > extensions.
> > > >
> > > > But I certainly don't want to compromise your SSL security.
> > > >
> > > > Joe
> > > >
> > > > > -----Original Message-----
> > > > > From: [email protected] [mailto:[email protected]]
> > > > > Sent: Thursday, February 02, 2012 10:29 AM
> > > > > To: [email protected]
> > > > > Subject: Re: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > >
> > > > > Hi Joe,
> > > > >
> > > > > good news, after we applied the line "#undef
> > > > > SSL_CTRL_SET_TLSEXT_SERVERNAME_CB" in the config.c and a new
> > > > > compile, we don't see any segfaults. I'm afraid it's not possible
> > > > > for me to send you all of the x509 information. But I can tell
> > > > > you that we have 2 EV-SSLs and two "normal" SSL certificates. Do
> > > > > you need some more information, or maybe some information that
> > > > > won't show any company information of the SSL certificate?
> > > > >
> > > > > Kind Regards
> > > > >
> > > > > fatcharly
> > > > >
> > > > > -------- Original Message --------
> > > > > > Date: Thu, 2 Feb 2012 14:07:12 +0000
> > > > > > From: Joe Gooch <[email protected]>
> > > > > > To: "'[email protected]'" <[email protected]>
> > > > > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > >
> > > > > > Also, perhaps running it with -v, or setting LogFacility -,
> > > > > > (or both) will yield a bigger picture... That'll output all the
> > > > > > logs on the console. (so you'll see debug and info and
> > > > > > everything else on the same screen)  In your msg below I'm not
> > > > > > seeing the LOG_DEBUG messages from SNI... So maybe syslog is
> > > > > > filtering those out, or saving them elsewhere...
> > > > > >
> > > > > > Joe
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Joe Gooch
> > > > > > > Sent: Thursday, February 02, 2012 9:00 AM
> > > > > > > To: '[email protected]'
> > > > > > > Subject: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > > >
> > > > > > > It still won't segfault for me. :-/
> > > > > > >
> > > > > > > "ip" in this context means instruction pointer, not internet
> > > > > > > protocol.
> > > > > > > http://stackoverflow.com/questions/2549214/interpreting-segfault-messages
> > > > > > >
> > > > > > > addr2line -e pound 08051f5c
> > > > > > > /root/download/Pound-2.6f/config.c:808
> > > > > > >
> > > > > > > Which is square in the middle of the SNI checking.
> > > > > > >
> > > > > > > At the top of your config.c (say around line 74) can you do
> > > > > > > #undef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
> > > > > > >
> > > > > > > And recompile?  That should disable SNI.  (Which IIRC you
> > > > > > > weren't using anyway)
> > > > > > >
> > > > > > > And then let me know if you still see segfaults.
> > > > > > >
> > > > > > > Further, could you provide the subject of all the
> > > > > > > certificates you're using?  I.e. the output of:
> > > > > > > openssl x509 -noout -in yourpemfile.pem -subject
> > > > > > >
> > > > > > >
> > > > > > > Joe
> > > > > > >
> > > > > > >
> > > > > > > > -----Original Message-----
> > > > > > > > From: [email protected] [mailto:[email protected]]
> > > > > > > > Sent: Thursday, February 02, 2012 7:56 AM
> > > > > > > > To: [email protected]
> > > > > > > > Subject: Re: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > > > >
> > > > > > > > Hi Joe,
> > > > > > > >
> > > > > > > > yes we did fix the patchfile. I did some further investigation
> > > > > > > > on this and there is some news I have to share. First some
> > > > > > > > answers to your questions:
> > > > > > > > > 1) Does this happen on every request for you? Or is it
> > > > > > > > > sporadic?
> > > > > > > > no, it's much more than just sporadic, some requests get
> > > > > > > > answered and some not.
> > > > > > > > > 2) 32 or 64 bit?  I can whip up a i386 chroot if need be
> > > > > > > > it's plain 32 bit
> > > > > > > > > 3) Looking at the packages below do you see any blatant
> > > > > > > > > differences between my setup and yours
> > > > > > > > no, but I will put my list in a special mail to send it
> > > > > > > > directly with the tar-archive of our pound-directory to you
> > > > > > > > > 4) Anything else you can think of to help me track this
> > > > > > > > > down for you?
> > > > > > > > Yes, I could zero in on the problem a bit. First a bit about
> > > > > > > > our setup:
> > > > > > > > The pound is in dmz-A, the webserver is in dmz-B, and the
> > > > > > > > requesting client comes a) from the internet or b) from the
> > > > > > > > internal network.
> > > > > > > > When we start the pound everything works fine, as long as the
> > > > > > > > requests are coming from the internal network and the request
> > > > > > > > is sent to an IP of the dmz-A network. So everything worked
> > > > > > > > with this setup for the internal network. But when there are
> > > > > > > > requests from the internet, we get segfaults. The request is
> > > > > > > > received from the firewall which does a NAT to pass the
> > > > > > > > external IP of the website to the internal IP of the dmz-A
> > > > > > > > network. And some requests are working (as I can see in the
> > > > > > > > logfile of pound) and some cause segfaults. We can only test
> > > > > > > > this by switching the productive path between the pound and
> > > > > > > > our loadbalancer appliance (as this one works, we are sure the
> > > > > > > > NAT is not a problem). So maybe there is a problem with some
> > > > > > > > IPs which cause the segfault. The segfaults appear even when
> > > > > > > > there is no SSLHonorCipherOrder enabled.
> > > > > > > > I'm not deep into this segfault thing, but there is the word
> > > > > > > > "ip" mentioned:
> > > > > > > > Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]
> > > > > > > >
> > > > > > > > Is there anything else I can do to support you?
> > > > > > > >
> > > > > > > > Kind Regards
> > > > > > > >
> > > > > > > > fatcharly
> > > > > > > >
> > > > > > > > > -------- Original Message --------
> > > > > > > > > Date: Wed, 1 Feb 2012 21:18:04 +0000
> > > > > > > > > From: Joe Gooch <[email protected]>
> > > > > > > > > To: "'[email protected]'" <[email protected]>
> > > > > > > > > Subject: RE: RE: [Pound Mailing List] Pound 2.6f and SSLHonorCipherOrder
> > > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > To unsubscribe send an email with subject unsubscribe to
> > > > > > > > [email protected].
> > > > > > > > Please contact [email protected] for questions.
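As an added example (not code from the thread and not part of Pound), the following Python decodes a kernel "segfault at ..." line like the one fatcharly quoted and derives the addr2line call Joe used, so the triage step the thread walks through by hand (is it an instruction pointer, is it inside our binary, what kind of access faulted) can be done from a log feed. The sample line is the thread's own; the function names, the x86 page-fault error-code decoding and the PIE handling are this example's assumptions, and it assumes a non-PIE i386 build as in 2012, so the ip is passed to addr2line unchanged.

```python
"""Decode a Linux kernel "segfault at ..." log line and build the addr2line
invocation that maps the faulting instruction pointer to a source line.
"""
import re
import shutil
import subprocess

# Constructed sample input: the kernel line quoted in the thread.
SAMPLE_LINE = (
    "Feb  2 11:45:52 pilotpound kernel: pound[28641]: segfault at 4 "
    "ip 08051f5c sp b7610ce0 error 4 in pound[8048000+18000]"
)

# "segfault at <addr> ip <ip> sp <sp> error <code> in <obj>[<base>+<size>]"
# All numbers except the error code are hex (no 0x prefix).
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_segfault(line):
    """Return a dict of decoded fields, or None if the line is not a segfault."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    err = int(m["err"])
    ip, base, size = (int(m[k], 16) for k in ("ip", "base", "size"))
    fault_addr = int(m["addr"], 16)
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": fault_addr,
        "ip": ip,
        "sp": int(m["sp"], 16),
        "error": err,
        "obj": m["obj"],
        "base": base,
        "size": size,
        # x86 page-fault error code: bit0 protection(1)/not-present(0),
        # bit1 write(1)/read(0), bit2 user(1)/kernel(0), bit4 instruction fetch.
        "cause": "protection violation" if err & 1 else "page not present",
        "access": "write" if err & 2 else "read",
        "mode": "user" if err & 4 else "kernel",
        "ifetch": bool(err & 16),
        # ip inside the object's mapping means the crash is in that binary's
        # own code rather than a library, so addr2line on it is meaningful.
        "ip_in_obj": base <= ip < base + size,
        "ip_offset": ip - base,
        # A fault address below one page is a NULL pointer plus a field offset.
        "null_deref": fault_addr < 4096,
    }


def addr2line_command(info, binary, pie=False):
    """Build the addr2line call (hypothetical helper, this example's own).
    Non-PIE, as in the thread: the kernel's ip is the link-time address,
    pass it unchanged. PIE: the load base is randomised, so the offset into
    the mapping is the address to look up."""
    addr = info["ip_offset"] if pie else info["ip"]
    return ["addr2line", "-e", binary, f"{addr:08x}"]


def describe(info):
    """One-line triage summary of a parsed segfault."""
    if info["null_deref"]:
        what = "NULL pointer dereference (fault address %#x)" % info["fault_addr"]
    else:
        what = "access to %#x" % info["fault_addr"]
    where = ("in %s at offset %#x" % (info["obj"], info["ip_offset"])
             if info["ip_in_obj"] else "outside the %s mapping" % info["obj"])
    return "%s[%d]: %s-mode %s, %s; ip %#x %s" % (
        info["comm"], info["pid"], info["mode"], info["access"], what,
        info["ip"], where)


def symbolize(info, binary, pie=False):
    """Run addr2line if it is installed and the binary exists; else None."""
    if shutil.which("addr2line") is None:
        return None
    try:
        out = subprocess.run(addr2line_command(info, binary, pie),
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    info = parse_segfault(SAMPLE_LINE)
    print(describe(info))
    print(" ".join(addr2line_command(info, "pound")))  # addr2line -e pound 08051f5c
    loc = symbolize(info, "pound")
    print(loc if loc else "addr2line not run (tool or binary not available here)")
```

For the thread's line this decodes as a user-mode read of an unmapped address 4, i.e. a read of a field at offset 4 through a NULL pointer from code inside the pound binary, which matches Joe's "value isn't being initialized" hypothesis and the addr2line result in config.c's SNI handling. The same parser applies to the newer kernel format that names a shared object (`in libc.so.6[...]`), where `ip_in_obj` tells you whether symbolizing the main binary is even the right place to look.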