I had thought the use case for CertDir was to use SNI... CAList and VerifyList have to do with client certificates... so it wouldn't seem to match the use case.

If you're talking about CAList and VerifyList... those calls look different. It looks like it sets the list with a single call to SSL_CTX_set_client_CA_list or SSL_CTX_load_verify_locations... It's not a linked list like SNI certs are. Inherently the CAList and VerifyList directives take a file with multiple certificates in it, so you could easily create such a combined file (e.g. cas.pem) with cat (cat ca.d/*.pem > cas.pem) or similar.

Joe

From: Jean-Pierre van Melis [mailto:[email protected]]
Sent: Friday, December 14, 2012 7:02 AM
To: '[email protected]'
Subject: RE: [Pound Mailing List] Re: Certificates in a folder

That's great.... Thanks!!! But is an equivalent for CAs not required?

-----Original Message-----
From: Joe Gooch <[email protected]>
Sent: Thursday 13 December 2012 20:59
To: '[email protected]' <[email protected]>
Subject: RE: [Pound Mailing List] Re: Certificates in a folder

https://github.com/goochjj/pound/commits/stage_for_upstream/v2.7b

Now has a CertDir directive.

Joe

From: Jean-Pierre van Melis [mailto:[email protected]]
Sent: Tuesday, December 11, 2012 5:14 AM
To: [email protected]
Subject: FW: [Pound Mailing List] Re: Certificates in a folder

> Pound doesn't have information which certificate should use on which listener.

I don't want to specify a global folder, but I want to specify a folder for each listener. One folder for the CAs and one for the certificates. There I can place all the different certificates. I am using SNI (Server Name Indication), which means I can have more than 1 certificate on 1 listener. Because you might not need it, you are not thinking of that.

Cheers

-----Original Message-----
From: Andrzej Dopierała <[email protected]>
Sent: Sunday 9 December 2012 18:04
To: [email protected]
Subject: Re: [Pound Mailing List] Re: Certificates in a folder

On 09.12.2012 14:52, Jean-Pierre van Melis wrote:
> Can't we get an update on this? If this is possible I don't have to write a script for this.

What do you mean? Do you want to use a default path to certificates, so that you specify only:

    Cert "cert1.pem"

in the config? If yes, it's enough to run pound from this directory:

    wwwlb:/etc/ssl/certs# grep test.pem /etc/pound/pound.cfg
    #Cert "/etc/ssl/certs/test.pem"
    Cert "test.pem"
    wwwlb:/etc/ssl/certs# /usr/sbin/pound
    starting...
    wwwlb:/etc/ssl/certs# ps auxwwf |grep -i pound
    www-data 27745 0.0 0.0 4180 644 ? Ss 16:49 0:00 /usr/sbin/pound
    www-data 27746 0.0 0.0 4692 632 ? Sl 16:49 0:00 \_ /usr/sbin/pound

But if you wish to just give a directory and want Pound to select the certificates itself, it's impossible. Pound doesn't have information about which certificate it should use on which listener.

-------- Original Message --------
From: Jean-Pierre van Melis <[email protected]>
Date: 
To: '[email protected]'
Subject: Certificates in a folder

AFAIK we need to specify the full path of certificates in the pound.cfg using multiple directives called "Cert". For management purposes it would be great if we could specify a folder there and all certificates are parsed and used.

-- 
Regards,
Andrzej 'The Undefined' Dopierała
http://andrzej.dopierala.name/
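Joe's suggestion of building the CA bundle with cat, and Jean-Pierre's wish for one directory of CAs and one of server certificates per listener, as an added example that is neither Pound's code nor anything posted in the thread. It is a POSIX shell script; the directory names ca.d and certs.d, the function names, and the PEM files it creates in demo mode (placeholder bodies, not real certificates) are all assumptions made for the illustration. The script checks only PEM framing so that it runs without openssl; for a production trust list, also run `openssl x509 -noout -in FILE` on each file first. The point it adds over a bare `cat ca.d/*.pem > cas.pem` is that a stray private key, a CSR, or a file with no trailing newline would otherwise end up in, or corrupt, the file that Pound hands to SSL_CTX_set_client_CA_list (CAList: the names advertised to the client as acceptable issuers) or SSL_CTX_load_verify_locations (VerifyList: the roots the presented chain is actually verified against). A CA that appears in CAList but not in VerifyList gets requested from clients and then fails verification, so in practice both directives usually point at the same bundle.

```shell
#!/bin/sh
# Added example (not part of Pound or of the thread): build Pound's CAList/VerifyList bundle
# from a directory of CA certificates, and emit Cert directives for an SNI listener from a
# directory of server certificates. Directory names (ca.d, certs.d) are assumptions.
# Only PEM framing is checked here, so the script runs without openssl; for a real trust
# list also run `openssl x509 -noout -in FILE` on each file before bundling.

# count_certs FILE: number of CERTIFICATE blocks in FILE (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# is_pem_cert FILE: true if FILE holds at least one certificate and its BEGIN/END
# markers are balanced. Private keys, CSRs and stray README files fail this check.
is_pem_cert() {
    b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    e=$(grep -c -- '-----END CERTIFICATE-----' "$1" 2>/dev/null || true)
    [ -n "$b" ] && [ "$b" -gt 0 ] && [ "$b" -eq "$e" ]
}

# build_ca_bundle SRC_DIR OUT_FILE: concatenate every *.pem in SRC_DIR that passes
# is_pem_cert into OUT_FILE (written to a temp file and renamed into place), skipping
# anything else with a warning. A bare `cat ca.d/*.pem > cas.pem` would happily put a
# private key or a half-written file into the trust list. Prints the number of
# certificates written.
build_ca_bundle() {
    src=$1
    out=$2
    tmp="$out.tmp.$$"
    : > "$tmp"
    n=0
    for f in "$src"/*.pem; do
        [ -e "$f" ] || continue            # empty directory: the glob stays literal
        if is_pem_cert "$f"; then
            cat "$f" >> "$tmp"
            # a file without a trailing newline would glue its END marker to the next BEGIN
            [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$tmp"
            c=$(count_certs "$f")
            n=$((n + c))
        else
            echo "skipping $f: not a PEM certificate" >&2
        fi
    done
    mv "$tmp" "$out"
    echo "$n"
}

# gen_cert_directives CERT_DIR: one Cert directive per certificate file, to paste into a
# ListenHTTPS block. Pound serves the first Cert to clients that send no SNI name, so the
# sort order (here: alphabetical by file name) decides the default certificate.
gen_cert_directives() {
    for f in "$1"/*.pem; do
        [ -e "$f" ] || continue
        if is_pem_cert "$f"; then
            printf '    Cert "%s"\n' "$f"
        fi
    done
}

# demo: constructed input (placeholder PEM bodies, not real certificates) that exercises
# the checks above: two CAs, one of them missing its trailing newline, plus a stray key.
demo() {
    d=$(mktemp -d)
    mkdir "$d/ca.d" "$d/certs.d"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholderRootCA==\n-----END CERTIFICATE-----\n' > "$d/ca.d/root.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholderIntermediate==\n-----END CERTIFICATE-----' > "$d/ca.d/intermediate.pem"
    printf -- '-----BEGIN PRIVATE KEY-----\nMIIEplaceholderKey==\n-----END PRIVATE KEY-----\n' > "$d/ca.d/oops.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholderSiteA==\n-----END CERTIFICATE-----\n' > "$d/certs.d/a.example.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIBplaceholderSiteB==\n-----END CERTIFICATE-----\n' > "$d/certs.d/b.example.pem"
    echo "certificates bundled: $(build_ca_bundle "$d/ca.d" "$d/cas.pem")"
    echo "ListenHTTPS fragment:"
    gen_cert_directives "$d/certs.d"
    echo "    CAList \"$d/cas.pem\""
    echo "    VerifyList \"$d/cas.pem\""
    rm -rf "$d"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh bundle.sh demo` to see the constructed run: the bundle reports 2 certificates (the key file is skipped with a warning on stderr), and the fragment lists one Cert line per server certificate followed by CAList and VerifyList pointing at the same bundle. Sourcing the file instead (`. ./bundle.sh`) makes the functions available for a real ca.d and certs.d; re-running it after dropping a new PEM into either directory is the script that Jean-Pierre wanted to avoid writing.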
