I have figured this out over the last day or so. It was a pain. The backend site I am trying to access is RSA Authentication Manager 7. First I had problems with OpenSSL 1.0.1 negotiating TLSv1.2/TLSv1.1, which is incompatible with the backend site. I downgraded to Ubuntu 11.10 to try and avoid compiling / dependency issues but still no luck. A bunch of searching led me to this post, which shows the Authentication Manager site will only respond to a single specified cipher (RC4-SHA): http://comments.gmane.org/gmane.comp.encryption.openssl.user/42526. I tried to update the cipher list in the pound.cfg but kept receiving handshake errors. I then realized that the cipher list only seems to apply to Pound's HTTPS listener, and not its client connections to the backend server. At wits' end, I downloaded the latest Pound 2.6 source code and reviewed it, and was able to add (quick and dirty) this line to the BackEnd code in config.c in a few key spots:

    SSL_CTX_set_cipher_list(res->ctx, "RC4-SHA");

Recompiled and restarted Pound, and I could now access the site successfully. Sadly I then came across the fact that the site needs URL rewriting to be proxied properly (grr). It would be nice if Pound could accept more configuration options regarding its use of OpenSSL.

Jonathan Galentine
Chief Technology Officer
7900 Westpark Dr, Ste A50, McLean, VA 22102
Office: (703) 891-0131 x304 | Fax: (703) 891-0129
[email protected] | www.ntiva.com

From: Jonathan Galentine
Sent: Monday, November 26, 2012 8:46 PM
To: '[email protected]'
Subject: Trouble accessing backend server over HTTPS that has a self signed certificate

Hi,

I am trying to configure Pound to act as a reverse HTTPS proxy for an HTTPS server behind a firewall. The server that I am trying to access in the backend has a self-signed certificate, and causes Pound to return that it is unavailable. In the system log it reports a handshake failure. I am running Ubuntu 12.04 LTS, and was able to add the self-signed certificates to OpenSSL's trusted ca-certificates (following Ubuntu's instructions) and I am no longer prompted an error when browsing the backend server using Lynx. Is there something that I'm missing? I've searched and can't find any information regarding self-signed certificates or how Pound interacts with root certificates.

Configuration:

    ListenHTTPS
        Address 192.168.0.187
        Port 7004
        Cert "/etc/ssl/local.server.pem"
        Service
            BackEnd
                Address sanitized.local
                Port 7004
                HTTPS
            End
        End
    End

Syslog error:

    pound: BIO_do_handshake with 192.168.0.22:7004 failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
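Added example, not from this thread or from Pound's source: a Python stand-in for the backend-facing context that the one-line patch above hard-codes, built on the ssl module (which calls the same SSL_CTX_set_cipher_list underneath). The function names, the cafile parameter and the probe strings are my own assumptions; it shows how a configurable BackEnd cipher option would validate the string before use, keeps certificate verification on by trusting the self-signed cert explicitly, and lets you check whether a legacy-only suite such as RC4-SHA is even available in the local OpenSSL before blaming the handshake failure on the backend.

```python
import ssl
from typing import Optional


def backend_context(cipher_list: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client-side context for BackEnd connections (assumed design, not Pound's code).

    This is the context the patch in the mail sets the cipher list on; it is
    separate from the ListenHTTPS context, whose cipher list only governs
    what browsers may negotiate with the proxy itself.
    """
    # Client context: verifies the backend's certificate chain by default.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if cafile:
        # Trust the backend's self-signed certificate explicitly instead of
        # switching verification off for every backend.
        ctx.load_verify_locations(cafile=cafile)
    # Same call the patch makes (SSL_CTX_set_cipher_list); OpenSSL raises
    # ssl.SSLError here if it cannot select a single usable cipher.
    ctx.set_ciphers(cipher_list)
    return ctx


def cipher_availability(cipher_list: str) -> dict:
    """Report whether local OpenSSL accepts a cipher string and what it expands to."""
    try:
        ctx = backend_context(cipher_list)
    except ssl.SSLError as exc:
        return {"accepted": False, "ciphers": [], "reason": str(exc)}
    names = [c["name"] for c in ctx.get_ciphers()]
    return {"accepted": True, "ciphers": names, "reason": ""}


if __name__ == "__main__":
    # Constructed probes: the suite the RSA backend insists on, and a modern set.
    for spec in ("RC4-SHA", "ECDHE+AESGCM"):
        report = cipher_availability(spec)
        status = "accepted" if report["accepted"] else "rejected"
        print(spec, status, report["ciphers"][:3] or report["reason"])
```

On OpenSSL 3.x builds RC4 suites live in the legacy provider, so expect the RC4-SHA probe to come back as not accepted unless that provider is loaded; a rejected string here means no cipher list change in Pound would have helped.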
