On 1/4/2013 5:44 AM, James Bensley wrote:
Howdy All,

I am having an issue with Pound and SSL which I can't seem to
overcome. The SSL sites I have behind pound work fine in all my
browsers (IE/FF/GC etc) but some mobile devices for example throw up a
certificate error. I am getting the following error when trying to
debug;

openssl s_client -showcerts -connect mysite.com:443 -debug

Verify return code: 21 (unable to verify the first certificate)

This is a red herring. The machine you're running openssl s_client from doesn't have the particular root cert in the trusted list.

My understanding is that this is because Pound is not offering up the
entire certificate chain during the SSL handshake, however in my
pound.cfg I have;

Cert    "/etc/ssl/certs/mysite.com.pem"

This .pem file contains (in the following order);

-site private key
-public cert
-issuers cert
-root ca cert

This is all correct.

So is pound not offering these all out upon initiation of an SSL
connection even though I have put them in there, and I somehow need to
tell it to do so; or is this something I need to configure elsewhere
in the config file?

I've seen this as well when working with certain mobile clients (android in particular). It's not a pound issue but a client issue in validating the certificates. Are you using wildcard certificates by chance? If so try using a vanilla cert and see if that fixes the issue - it did for me.

Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/
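An added diagnostic to go with the s_client check discussed above (example code written for this page, not from the thread or from Pound): it parses a saved `openssl s_client -showcerts` transcript and reports whether the server sent a complete chain or whether the client merely lacks the root. Return code 21 ("unable to verify the first certificate") means OpenSSL found no issuer for the leaf at all, neither among the certificates the server sent nor in the local store; when a server does send a chain that ends at a self-signed root the client does not trust, s_client reports 19 ("self signed certificate in certificate chain") instead. The three transcripts below are constructed, with placeholder DNs and PEM bodies, not captures of mysite.com or any real server.

```python
"""Classify `openssl s_client -showcerts` output: did the server send a
complete chain, or does this client just not trust the root?

Added example for this thread. Only the structural lines of the
transcript are parsed (the "N s:/.." / "i:/.." chain listing and the
"Verify return code" line), so the PEM bodies need not be real.
"""
import re

CHAIN_HDR = re.compile(r"^\s*(\d+) s:(.*)$")        # " 0 s:/C=GB/CN=..."
ISSUER = re.compile(r"^\s*i:(.*)$")                 # "   i:/C=GB/O=..."
VERIFY = re.compile(r"^\s*Verify return code: (\d+) \((.*)\)")


def parse_showcerts(text):
    """Return ([(subject, issuer), ...] in server order, verify code, reason)."""
    chain, code, reason = [], None, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = CHAIN_HDR.match(lines[i])
        if m and i + 1 < len(lines):
            mi = ISSUER.match(lines[i + 1])
            if mi:
                chain.append((m.group(2).strip(), mi.group(1).strip()))
                i += 2
                continue
        mv = VERIFY.match(lines[i])
        if mv:
            code, reason = int(mv.group(1)), mv.group(2)
        i += 1
    return chain, code, reason


def diagnose(text):
    """One-line verdict on what the server sent versus what the client trusts."""
    chain, code, reason = parse_showcerts(text)
    if not chain:
        return "no certificate chain found in transcript"
    # Each certificate the server sent must be issued by the next one it sent.
    for n in range(len(chain) - 1):
        if chain[n][1] != chain[n + 1][0]:
            return "chain broken at depth %d: issuer %r != next subject %r" % (
                n, chain[n][1], chain[n + 1][0])
    leaf_subject, leaf_issuer = chain[0]
    last_subject, last_issuer = chain[-1]
    if code == 0:
        return "chain verified: server sent %d certificate(s)" % len(chain)
    if len(chain) == 1 and leaf_subject != leaf_issuer:
        return ("server sent only the leaf (code %s: %s); the issuing CA "
                "certificate is missing from the chain served" % (code, reason))
    if last_subject == last_issuer:
        return ("server sent a complete chain ending at self-signed root %r; "
                "code %s (%s) means this client does not trust that root"
                % (last_subject, code, reason))
    return ("server sent %d certificate(s) ending at issuer %r; code %s (%s): "
            "the client cannot build a path from there to a trusted root"
            % (len(chain), last_issuer, code, reason))


# Constructed transcripts (placeholder DNs and PEM bodies), not real captures.
PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
LEAF, INTER, ROOT = "/C=GB/CN=mysite.com", "/C=GB/O=Example CA/CN=Example Issuing CA", \
    "/C=GB/O=Example CA/CN=Example Root CA"

LEAF_ONLY = ("CONNECTED(00000003)\ndepth=0 " + LEAF +
             "\nverify error:num=21:unable to verify the first certificate\n"
             "verify return:1\n---\nCertificate chain\n 0 s:" + LEAF +
             "\n   i:" + INTER + "\n" + PEM + "---\nServer certificate\n"
             "subject=" + LEAF + "\nissuer=" + INTER + "\n---\n"
             "    Verify return code: 21 (unable to verify the first certificate)\n---\n")

FULL_CHAIN_UNTRUSTED_ROOT = ("CONNECTED(00000003)\ndepth=2 " + ROOT +
                             "\nverify error:num=19:self signed certificate in certificate chain\n"
                             "verify return:0\n---\nCertificate chain\n"
                             " 0 s:" + LEAF + "\n   i:" + INTER + "\n" + PEM +
                             " 1 s:" + INTER + "\n   i:" + ROOT + "\n" + PEM +
                             " 2 s:" + ROOT + "\n   i:" + ROOT + "\n" + PEM + "---\n"
                             "    Verify return code: 19 (self signed certificate in certificate chain)\n---\n")

GOOD = ("CONNECTED(00000003)\n---\nCertificate chain\n"
        " 0 s:" + LEAF + "\n   i:" + INTER + "\n" + PEM +
        " 1 s:" + INTER + "\n   i:" + ROOT + "\n" + PEM + "---\n"
        "    Verify return code: 0 (ok)\n---\n")

if __name__ == "__main__":
    for name, sample in (("leaf only", LEAF_ONLY),
                         ("full chain, untrusted root", FULL_CHAIN_UNTRUSTED_ROOT),
                         ("good", GOOD)):
        print("%-28s %s" % (name + ":", diagnose(sample)))
```

To use it on a live server, save the transcript with `openssl s_client -showcerts -connect mysite.com:443 </dev/null >out.txt 2>&1` and pass the file contents to diagnose(). The "server sent only the leaf" verdict points at the bundle the proxy serves; the "does not trust that root" verdict points at the client's trust store, which is the case Dave describes.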
