But port 80 is already in use by perlbal for HTTP so pound won't start up!
From: Scott McKeown <[email protected]>
Reply-To: [email protected]
Date: Thursday, 20 September 2012 12:30
To: [email protected]
Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
Hi Francoise,
OK think I've got it now. Try something like this:
User "nobody"
Group "nobody"
LogLevel 1

ListenHTTPS
  Address xxx.xxx.xxx.xxx
  Port 443
  Cert "/etc/pound/dev.pem"
  Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
  AddHeader "X-Secure-Connection: true"
  Service
    BackEnd
      # Send everything to the PSGI apps
      Address 127.0.0.1
      Port 5555
    End
  End
End

ListenHTTP
  Address xxx.xxx.xxx.xxx
  Port 80
  Service
    BackEnd
      Address 127.0.0.1
      Port 5555
    End
  End
End
This should stop the looping and catch anything that is HTTP and display it as
normal. If you want to FORCE HTTP traffic to HTTPS, the Redirect option should
work.
~Scott
On 20 September 2012 12:08, Francoise Dehinbo <[email protected]> wrote:
Hi Scott,
We use Perl 5.10, Catalyst and Plack/PSGI for the back end servers. Pound is
used for https and Perlbal for http front ends.
So Pound config is something like:
User "nobody"
Group "nobody"
LogLevel 1

ListenHTTPS
  Address xxx.xxx.xxx.xxx
  Port 443
  Cert "/etc/pound/dev.pem"
  Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
  AddHeader "X-Secure-Connection: true"
  Service
    BackEnd
      # Send everything to the PSGI apps
      Address 127.0.0.1
      Port 5555
    End
  End
End
I haven't applied the DisableSSLv2 patch yet. But going from an https to any
non secure page ends up in an infinite loop.
Using Firefox or even Safari returns something like:
Firefox has detected that the server is redirecting the request for this
address in a way that will never complete.
From: Scott McKeown <[email protected]>
Reply-To: [email protected]
Date: Thursday, 20 September 2012 10:54
To: [email protected]
Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
Hi Francoise,
I'm going to take a guess here, but your pound.cfg should look something like
this for a basic redirection from HTTP to HTTPS (well, this works well for me,
but I'm sure others may know of another/better way to do this):
User "nobody"
Group "nobody"
LogLevel 1
LogFacility local3
Client 30
TimeOut 60

ListenHTTPS
  Address xxx.xxx.xxx.xxx
  Port 443
  xHTTP 3
  Cert "/etc/pound/ucc01.pem"
  ReWriteLocation 1
  Ciphers "RC4:HIGH:!MD5:!aNULL"
  SSLHonorCipherOrder 1
  SSLAllowClientRenegotiation 0
  DisableSSLv2
  Service
    HeadRequire "Host: *support.*"
    BackEnd
      Address 172.16.0.40
      Port 80
      TProxy 1
    End
  End
End

ListenHTTP
  Address xxx.xxx.xxx.xxx
  Port 80
  xHTTP 3
  ReWriteLocation 1
  Service
    HeadRequire "Host: *support.*"
    Redirect "[https full address goes here]"   # e.g. https://google.co.uk
  End
End
~Yours,
Scott
On 20 September 2012 10:36, Francoise Dehinbo <[email protected]> wrote:
Hi Scott,
I hope you can help me again. Since upgrading to pound 2.6 as discussed
previously, we are having trouble redirecting a user from https to http. But
if I downgrade pound back to 2.5 and refresh, it works fine. I am not at all
familiar with how pound works. Do you have any recommendations on where to
look first?
Many thanks.
Francoise
From: Scott McKeown <[email protected]>
Reply-To: [email protected]
Date: Wednesday, 19 September 2012 12:01
To: [email protected]
Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
Hi Francoise,
You're more than welcome.
On a side note you may also like the DisableSSLv2 Patch which can be found here:
http://www.apsis.ch/pound/pound_list/archive/2012/2012-01/1327928733000
This will remove the need for the '!SSLv2' option in your Ciphers List line.
~Scott
On 19 September 2012 11:51, Francoise Dehinbo <[email protected]> wrote:
Hi Scott,
It worked fine once I switched it to the live certificate instead of the
self-signed one used for testing.
Much appreciated.
Francoise
From: Scott McKeown <[email protected]>
Reply-To: [email protected]
Date: Wednesday, 19 September 2012 10:40
To: [email protected]
Subject: Re: [Pound Mailing List] BEAST attack patch for Pound 2.6 cannot get certificate
Hi Francoise,
This looks more like a Certificate issue than a Pound issue.
What type of certificate have you created?
I would have another go at creating the PEM file myself, and if you have paid
for a certificate from a CA you may need the intermediate and root chains.
This site is a good reference on the creation of the PEM files:
http://www.digicert.com/ssl-support/pem-ssl-creation.htm
9 times out of 10 I would use the full PEM file listed right at the bottom of
the page.
~Yours,
Scott
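A quick structural check of the PEM file that Pound's Cert directive points at, as an added example for this thread (it is not code from the thread, from Pound, or from the DigiCert page). The only assumption it makes is the one in the Pound man page: the Cert file is a single PEM file holding the server certificate, optionally the intermediate/root chain, and the private key. The check flags the things that make a listener fail to start or fail to serve a complete chain: no certificate block, no key block, a body that is not valid base64, or a payload that is not a well-formed DER SEQUENCE. It does not verify signatures, expiry or hostname match; openssl remains the tool for that. The sample PEM texts are constructed, with a minimal DER payload rather than real X.509 data.

```python
"""Structural sanity check for the single PEM file Pound expects in ``Cert``.

Added example, not part of the mailing-list thread and not Pound's own code.
Assumption (from the Pound man page): the Cert file holds the certificate,
optionally the chain, and the private key, all PEM-encoded in one file.
"""
import base64
import re

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_sequence_length(der: bytes) -> int:
    """Total encoded length of a DER SEQUENCE, or -1 if it is malformed."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return -1
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem(text: str) -> list:
    """Return [(label, der_bytes_or_None)] for every PEM block in ``text``."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                       # binascii.Error is a ValueError
            der = None
        blocks.append((label, der))
    return blocks


def check_pound_cert_file(text: str) -> dict:
    """Report structural problems with a would-be Pound Cert file."""
    blocks = parse_pem(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems, warnings = [], []
    if not blocks:
        problems.append("no PEM blocks found (is this a DER/PKCS#12 file?)")
    for i, (label, der) in enumerate(blocks):
        if der is None:
            problems.append(f"block {i} ({label}): body is not valid base64")
        elif der_sequence_length(der) != len(der):
            problems.append(f"block {i} ({label}): not a well-formed DER SEQUENCE")
    if blocks and not certs:
        problems.append("no CERTIFICATE block: Pound cannot read a subject CN")
    if blocks and not keys:
        problems.append("no PRIVATE KEY block: Pound needs the key in this file")
    if len(keys) > 1:
        problems.append("more than one private key in the file")
    if len(certs) == 1:
        warnings.append("only one certificate: a CA-issued cert usually needs "
                        "its intermediate chain appended after it")
    return {"problems": problems, "warnings": warnings,
            "certificates": len(certs), "keys": len(keys)}


# Constructed sample input: the DER payload is a minimal SEQUENCE { INTEGER 1 }
# (bytes 30 03 02 01 01), not real X.509 data; enough to exercise the checks.
TINY_DER_B64 = "MAMCAQE="
SAMPLE_OK = (
    "-----BEGIN CERTIFICATE-----\n" + TINY_DER_B64 + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n" + TINY_DER_B64 + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + TINY_DER_B64 + "\n-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_NO_KEY = (
    "-----BEGIN CERTIFICATE-----\n" + TINY_DER_B64 + "\n-----END CERTIFICATE-----\n")
SAMPLE_BAD_B64 = "-----BEGIN CERTIFICATE-----\n@@@@\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("no key", SAMPLE_NO_KEY),
                         ("bad base64", SAMPLE_BAD_B64)):
        print(name, "->", check_pound_cert_file(sample))
```

To run it against a real file, read the file into a string and pass it to check_pound_cert_file; an empty problems list means the file at least has the shape Pound wants, and the single-certificate warning is the hint that the chain Scott mentions may still be missing.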
On 19 September 2012 10:11, Francoise Dehinbo <[email protected]> wrote:
Hi All,
My OS is Debian squeeze, which has Pound version 2.5 installed. I downloaded
the latest stable version 2.6 from
http://www.apsis.ch/pound/Pound-2.6.tgz and
applied the BEAST attack patch from
https://github.com/goochjj/pound/commit/2f69c71b0314538f2a6218f624bdd2b954e5dbc8.patch
After installing 2.6 and starting up pound (as root), it fails with the following
error:
/etc/pound/pound.cfg line 15: ListenHTTPS: could not get certificate CN
Line 15 is:
Cert "/etc/pound/dev.pem"
But /etc/pound/dev.pem does exist so I don't understand why it cannot read it:
>ls -la /etc/pound/dev.pem
-rw-r--r-- 1 root root 1.9K May 22 15:29 /etc/pound/dev.pem
Here is my config for pound:
User "web"
Group "web"
# If the backend disappears check for it to come back every 'Alive' seconds.
Alive 5
# no logging of individual requests
# start up etc errors are still logged to daemon.log
LogLevel 2

ListenHTTPS
  Address 0.0.0.0
  Port 443
  Cert "/etc/pound/dev.pem"
  Ciphers "ALL:!aNULL:!ADH:!eNULL:!EXPORT56:RC4+RSA:HIGH:MEDIUM:!LOW:!SSLv2:!EXP:!eNUL:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5:!EXP-DES-CBC-SHA:!EXP-RC2-CBC-MD5:!EXP-RC4-MD5"
  AddHeader "X-Secure-Connection: true"
  Service
    BackEnd
      Address 127.0.0.1
      Port 6000
    End
  End
End
Any help would be greatly appreciated.
Many thanks
Francoise
Privacy and Confidentiality Notice:
This is strictly confidential and intended solely for the person or
organisation to whom it is addressed. It may contain privileged and
confidential information and if you are not an intended recipient, you must not
copy, distribute or take any action in reliance on it. If you have received
this message in error, please notify us as soon as possible and delete it and
any attached files from your system.
The views and opinions expressed in this email message are the author's own and
may not reflect the views and opinions of the author's employer.
Foxtons Limited is registered in England and Wales (registered number
01680058). Our registered office is at Building One, Chiswick Park, 566
Chiswick High Road, London, W4 5BE.
_____________________________________________________________________
This e-mail has been scanned for viruses by MessageLabs.
--
To unsubscribe send an email with subject unsubscribe to
[email protected].
Please contact
[email protected]
for questions.
--
With Kind Regards.
Scott McKeown
Loadbalancer.org
http://www.loadbalancer.org