Is your purpose to have Pound be a load balancer, or just a security gateway?  
(I would think BOA could do client certificates)

SSL has two parts (regardless of the server on the other end)

Server Authentication - Server has a certificate + private key, which is 
trusted by some third party (usually a trusted third party, unless you go with 
a self-signed cert, or an internal certificate authority). The client 
determines if it will trust the server based on the certificate's signature(s). 
The client requires no private key in this scenario.

See also:
Cert
HostCert
CAlist
CRLlist


Client Authentication - Client has a certificate + private key.  The server 
decides if it will trust the client based on the client certificate's 
signature(s).  The server must do server authentication also - otherwise, SSL 
negotiation never happens.

See also:
ClientCert
VerifyList


In general there are two ways to verify a client:
1) Trust individual certs - in which case you need an entire list of every 
valid certificate
2) Trust the signer of the client's cert - in which case you just need the CA 
certificate

For instance, stunnel provides both of these - through the verifyPeer(1) and 
verifyChain(2) options.

Also note that some systems may, after trusting the certificate, map the 
certificate's subject or parameters to an identity for authentication purposes 
- which Pound supports by passing the information using the X-SSL-Certificate 
header. (For instance, with my OpenVPN certs - the CN is always the username)

I believe pound only supplies trust option #2.

Which means to do what you want to do, you need to create a certificate 
authority. The OpenSSL library can be used to do this. (This is what I do, for 
instance, for OpenVPN client certificates.) See 
http://www.octaldream.com/scottm/talks/ssl/opensslca.html
You create a certificate authority. You have Pound trust that authority 
(through VerifyList), and you issue certificates signed by that authority. Any 
certificate signed by that authority is valid. If you are a Windows shop, you 
can certainly use a Windows CA for this purpose instead, or really, any CA 
package. There are a bunch out there (EJBCA, etc.). Google for "Private CA GUI" 
and you'll find them.

In this case for your authentication you *want* to use a private CA in 
VerifyList. If you put something like DigiCert in your VerifyList, anyone who 
pays DigiCert for a certificate can authenticate as a client. The security 
comes from the security and privacy of your CA private key, and your issuing of 
client certificates through it.


If you're looking for trust option #1, you may want to look into something like 
stunnel with verifyPeer. You maintain a local directory with each valid 
certificate, sorted by the fingerprint of the certificate. It's not truly an 
HTTP proxy, nor will it provide HTTP-level headers, but it could provide 
verification.

Alternatively, if you don't need load balancing, you may not need pound at all, 
and you might be able to configure BOA for this.  Apache and Nginx both have 
options for client certs, along with SSL features Pound doesn't have, like OCSP 
stapling.

http://blog.nategood.com/client-side-certificate-authentication-in-ngi

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html



Joe








On 3/17/17, 5:35 PM, "warren perdue" <[email protected]> wrote:

>Hey everyone,
>
>I need your help with trying to set up my Pound on a Linux embedded system. 
>What I want to do is have pound only accept a certificate that I give the 
>user. I will place the key as a private key on my machine and will give the 
>user the certificate. They will then have to add that certificate to their 
>browser so that they can access Pound. 
>
>I understand Pound needs an initial PEM to send out. But I do not want to 
>accept that PEM. I want to send them the Certificate to place in their browser 
>or what ever program they will use to access the system and access the system.
>
>Basically, my plan is to create a different key and certificate with SHA512 
>and 4096 Bytes long. Place the key in the private section of Pound.
>
>Give the certificate for the key to the user and they can use that to access 
>Pound and my system.
>
>I am having problems setting Pound up to function in that manner. 
>
>I am aware of the CAList and VerifyList commands, but what else do I need to 
>add to my Pound/conf file to make it work? There are many options and not a lot 
>of documentation online supporting Pound. If any of you all can help, please 
>reply. 
>
>I will also have it working in conjunction with SSL and running BOA as my 
>web-server if that will help you. I have already compiled the system kernel 
>and system to use BOA with SSL and also include Pound as a part of its kernel. 
>I can run pound and have it control access through the listener but I want to 
>make it super hard to crack or hack my system.
>
>Warren
>

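The procedure Joe lays out above (create a private CA, issue client certificates signed by it, have Pound trust only that CA through VerifyList, and map the certificate CN to a username) as an added worked example. This is not code from the thread, from Pound or from stunnel; it only assumes the openssl command-line tool is installed. Every name, subject and path is made up for the demonstration, the pound.cfg it writes follows the ClientCert/VerifyList/CAlist directives from the pound(8) manual with placeholder paths, and the flat fingerprint allowlist stands in for trust option #1 (stunnel's verifyPeer actually uses a hashed certificate directory, not a flat file). The "imposter" certificate is the case Joe warns about: a second CA issuing a cert with the same CN, which a public CA bundle in VerifyList would accept and the private CA rejects.

```shell
#!/bin/sh
# Added example (not from the Pound project or the thread): build a private CA,
# issue a client cert, and compare "trust the signer" with "trust the cert".
# All names, subjects and paths below are made up for the demonstration.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# mkcert <name> <subject> [<signing-ca-name>]  ->  <name>.key and <name>.crt
# With a third argument the cert is signed by that CA; without, it is a
# self-signed CA certificate.
mkcert() {
    if [ -n "$3" ]; then
        openssl req -new -newkey rsa:2048 -sha256 -nodes -subj "$2" \
            -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
        openssl x509 -req -sha256 -days 365 -in "$1.csr" \
            -CA "$3.crt" -CAkey "$3.key" -CAcreateserial -out "$1.crt" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 3650 -subj "$2" \
            -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
    fi
}

# Our private CA (ca.key is the whole secret) and one client cert it issued.
mkcert ca       "/CN=Example Private CA"
mkcert warren   "/CN=warren" ca
# An unrelated CA and a cert it issued with the *same* CN: this is the
# "anyone who pays DigiCert" case. It must not be accepted.
mkcert otherca  "/CN=Some Public CA"
mkcert imposter "/CN=warren" otherca

# Trust option 2 (what Pound's VerifyList does): accept anything that chains
# to the trusted CA file. Returns 0 on success, 1 on failure.
verify_by_signer() {  # verify_by_signer <trusted-ca.crt> <client.crt>
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then return 0; else return 1; fi
}

# Trust option 1 (the stunnel verifyPeer idea): accept only certificates whose
# fingerprint is on an explicit allowlist, one per line.
fingerprint() {  # SHA-256 fingerprint, e.g. AB:CD:...:EF
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}
verify_by_allowlist() {  # verify_by_allowlist <allowlist-file> <client.crt>
    if grep -qxF "$(fingerprint "$2")" "$1"; then return 0; else return 1; fi
}
fingerprint warren.crt > allowed.txt

# Identity mapping: pull the CN out of the subject. This is the value the
# backend would read from the subject header Pound forwards.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# A pound.cfg that trusts only the private CA. Pointing VerifyList at a public
# CA bundle instead would make the imposter above a valid client.
write_pound_cfg() {
    cat > pound.cfg <<'EOF'
ListenHTTPS
    Address 0.0.0.0
    Port    443
    # server cert + key in one PEM (server authentication)
    Cert        "/etc/pound/server.pem"
    # the ONLY CA allowed to sign client certs; never a public bundle here
    VerifyList  "/etc/pound/ca.crt"
    # CA names advertised to the browser so it picks the right client cert
    CAlist      "/etc/pound/ca.crt"
    # 2 = require a client cert and verify it, chain depth 1
    ClientCert  2 1
    Service
        BackEnd
            Address 127.0.0.1
            Port    80
        End
    End
End
EOF
}
write_pound_cfg

# Stand-alone demonstration: the genuine cert passes both checks, the imposter
# fails both even though its CN is identical.
for c in warren.crt imposter.crt; do
    printf '%s CN=%s signer:%s allowlist:%s\n' "$c" "$(cert_cn "$c")" \
        "$(verify_by_signer ca.crt "$c" && echo ok || echo FAIL)" \
        "$(verify_by_allowlist allowed.txt "$c" && echo ok || echo FAIL)"
done
```

The point the run makes is that the CN alone proves nothing: both certificates say CN=warren, and the only thing separating the real user from the imposter is which CA key signed the cert (option 2) or whether that exact certificate was enrolled (option 1). Option 2 scales (issue a cert, it works; revoke via CRLlist) but puts all the weight on keeping ca.key offline and private; option 1 needs no CA at all but means touching the allowlist for every user added or removed.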