Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate

Thu, 20 Sep 2012 03:00:03 -0700 

Hi Francoise,

I'm going to take a guess here but your pound.cfg should look something
like this for a basic redirection from HTTP to HTTPS (well this works well
for me but I'm sure others may know of another/better way to do this)


User    "nobody"
Group    "nobody"
LogLevel    1
LogFacility    local3
Client    30
TimeOut    60
ListenHTTPS
    Address xxx.xxx.xxx.xxx
    Port 443
    xHTTP 3
    Cert "/etc/pound/ucc01.pem"
    ReWriteLocation 1
    Ciphers "RC4:HIGH:!MD5:!aNULL"
    SSLHonorCipherOrder 1
    SSLAllowClientRenegotiation 0
    DisableSSLv2
    Service
        HeadRequire "Host: *support.*"
        BackEnd
            Address 172.16.0.40
            Port 80
            TProxy 1
        End
    End
End
ListenHTTP
        Address xxx.xxx.xxx.xxx
        Port 80
        xHTTP 3
        ReWriteLocation 1
        Service
                HeadRequire "Host: *support.*"
                Redirect "[https full address goes here]" #eg
https://google.co.uk
        End
End


~Yours,
Scott


On 20 September 2012 10:36, Francoise Dehinbo <
[email protected]> wrote:

> Hi Scott,
>
> I hope you can help me again.  Since upgrading to pound 2.6 as discussed
> previously, we are having trouble re-directing a user from https to http.
>  But if I downgrade pound back to 2.5 and refresh it works fine.  I am not
> all familiar with how pound works.  Do you have any recommendations on
> where to look first?
>
> Many thanks.
>
> Francoise
>
> From: Scott McKeown <[email protected]<mailto:[email protected]
> >>
> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:
> [email protected]>>
> Date: Wednesday, 19 September 2012 12:01
> To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:
> [email protected]>>
> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot
> get certificate
>
> Hi Francoise,
>
> Your more thank welcome.
> On a side note you may also like the DisableSSLv2 Patch which can be found
> here:
> http://www.apsis.ch/pound/pound_list/archive/2012/2012-01/1327928733000
>
> This will remove the need for the '!SSLv2' option in your Ciphers List
> line.
>
>
> ~Scott
>
>
> On 19 September 2012 11:51, Francoise Dehinbo <
> [email protected]<mailto:[email protected]>>
> wrote:
> Hi Scott,
>
> It worked fine once I switched it to the live certificate instead of the
> self-signed one used for testing.
>
> Much appreciated.
>
> Francoise
>
> From: Scott McKeown <[email protected]<mailto:[email protected]
> ><mailto:[email protected]<mailto:[email protected]>>>
> Reply-To: "[email protected]<mailto:[email protected]><mailto:[email protected]
> <mailto:[email protected]>>" <[email protected]<mailto:[email protected]><mailto:
> [email protected]<mailto:[email protected]>>>
> Date: Wednesday, 19 September 2012 10:40
> To: "[email protected]<mailto:[email protected]><mailto:[email protected]<mailto:
> [email protected]>>" <[email protected]<mailto:[email protected]><mailto:
> [email protected]<mailto:[email protected]>>>
> Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot
> get certificate
>
> Hi Francoise,
>
> This looks more like a Certificate issue than a Pound issue.
> What type of certificate have you created?
> I would have another go at creating the PEM file myself and if you have
> paid for a certificate from a CA you may need the intermediate and root
> chains.
> This site is a good reference on the creation of the PEM files.
> http://www.digicert.com/ssl-support/pem-ssl-creation.htm
> 9 time out of 10 I would use the full PEM file listed right at the bottom
> of the page.
>
> ~Yours,
> Scott
>
>
> On 19 September 2012 10:11, Francoise Dehinbo <
> [email protected]<mailto:[email protected]
> ><mailto:[email protected]<mailto:
> [email protected]>>> wrote:
> Hi All,
>
> My OS is debian squeeze which have Pound version 2.5 installed. I
> downloaded the latest stable version 2.6 from
> http://www.apsis.ch/pound/Pound-2.6.tgz and
> applied the BEAST attack patch from
>
> https://github.com/goochjj/pound/commit/2f69c71b0314538f2a6218f624bdd2b954e5dbc8.patch
>
> After installing 2.6 and start up pound (as root), it fails with the
> following error:
>
> /etc/pound/pound.cfg line 15: ListenHTTPS: could not get certificate CN
>
> Line 15 is:
> Cert    "/etc/pound/dev.pem"
>
> But /etc/pound/dev.pem does exist so I don't understand why it cannot read
> it:
>
> >ls -la /etc/pound/dev.pem
> -rw-r--r-- 1 root root 1.9K May 22 15:29 /etc/pound/dev.pem
>
> Here is my config for pound:
>
> User    "web"
> Group   "web"
>
> # If the backend disappears check for it to come back every 'Alive'
> seconds.
> Alive 5
>
> # no logging of individual requests
> # start up etc errors are still logged to daemon.log
> LogLevel 2
>
> ListenHTTPS
>
>     Address 0.0.0.0
>     Port    443
>     Cert    "/etc/pound/dev.pem"
>     Ciphers
>
> "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
>
>     AddHeader "X-Secure-Connection: true"
>
>     Service
>         BackEnd
>             Address 127.0.0.1
>             Port    6000
>         End
>     End
>
> End
>
> Any help would be greatly appreciated.
>
> Many thanks
>
> Francoise
>
> Privacy and Confidentiality Notice:
>
> This is strictly confidential and intended solely for the person or
> organisation to whom it is addressed. It may contain privileged and
> confidential information and if you are not an intended recipient, you must
> not copy, distribute or take any action in reliance on it. If you have
> received this message in error, please notify us as soon as possible and
> delete it and any attached files from your system.
> The views and opinions expressed in this email message are the author's
> own and may not reflect the views and opinions of the author's employer.
>
> Foxtons Limited is registered in England and Wales (registered number
> 01680058).  Our registered office is at Building One, Chiswick Park, 566
> Chiswick High Road, London, W4 5BE.
>
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MessageLabs.
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected]
> <mailto:[email protected]><mailto:[email protected]<mailto:[email protected]>>.
> Please contact [email protected]<mailto:[email protected]><mailto:[email protected]
> <mailto:[email protected]>> for questions.
>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
>
>
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MessageLabs.
>
> Privacy and Confidentiality Notice:
>
> This is strictly confidential and intended solely for the person or
> organisation to whom it is addressed. It may contain privileged and
> confidential information and if you are not an intended recipient, you must
> not copy, distribute or take any action in reliance on it. If you have
> received this message in error, please notify us as soon as possible and
> delete it and any attached files from your system.
> The views and opinions expressed in this email message are the author's
> own and may not reflect the views and opinions of the author's employer.
>
> Foxtons Limited is registered in England and Wales (registered number
> 01680058).  Our registered office is at Building One, Chiswick Park, 566
> Chiswick High Road, London, W4 5BE.
>
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MessageLabs.
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected]
> <mailto:[email protected]>.
> Please contact [email protected]<mailto:[email protected]> for questions.
>
>
>
> --
> With Kind Regards.
>
> Scott McKeown
> Loadbalancer.org
> http://www.loadbalancer.org
>
>
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MessageLabs.
>
> Privacy and Confidentiality Notice:
>
> This is strictly confidential and intended solely for the person or
> organisation to whom it is addressed. It may contain privileged and
> confidential information and if you are not an intended recipient, you must
> not copy, distribute or take any action in reliance on it. If you have
> received this message in error, please notify us as soon as possible and
> delete it and any attached files from your system.
> The views and opinions expressed in this email message are the author's
> own and may not reflect the views and opinions of the author's employer.
>
> Foxtons Limited is registered in England and Wales (registered number
> 01680058).  Our registered office is at Building One, Chiswick Park, 566
> Chiswick High Road, London, W4 5BE.
>
> _____________________________________________________________________
> This e-mail has been scanned for viruses by MessageLabs.
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
>



-- 
With Kind Regards.

Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org

Reply via email to