Apsis Pound Mailing List Archive, 2003-12
ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
Robert Segall <roseg(at)apsis.ch> | 2003-12-01 00:18:35
This is to announce the release of Pound v1.6.
Changes in this version:
- Callback for RSA ephemeral keys:
  - generated in a separate thread
  - used if required
  This will allow certain versions of IE to work correctly with Pound/SSL.
- New X-SSL-cipher header (encryption level/method)
- Added CheckURL parameter in config file
  - perform syntax check only if value 1 (default 0)
- Allow for empty query/param strings in URL syntax
- Additional SSL engine loading code
- Added parameter for CA certificates
  - CA list is sent to client
  - Verify client certificates up to given depth
- Fixed security vulnerability in syslog handling
The reason for this rather hasty announcement: a security vulnerability was
brought to my attention (many thanks to Akira Higuchi). Everyone running any
previous version should upgrade to 1.6 immediately - the vulnerability may
allow a remote exploit. No exploits are currently known and none have been
observed in the wild till now. The danger is minimised if you run Pound in a
root jail and/or you run Pound as a non-root user.
Enjoy and let me know how it works for you.[...]
Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> | 2003-12-01 09:21:22
> This is to announce the release of Pound v1.6.[...]
Hi,
I'm using pound in front of a squirrelmail server. After upgrading to 1.6
from 1.5, authentication doesn't work anymore with https so login is not
possible. Non SSL works fine. I have only one backend server and the
config on my test installation looks as simple as this:
User nobody
Group nobody
RootJail /usr/share/pound
ListenHTTP *,80
ListenHTTPS *,443 /usr/share/ssl/certs/pound.pem
ExtendedHTTP 1
# Catch-all server(s)
UrlGroup ".*"
BackEnd 10.1.6.25,80,1
EndGroup
Running 1.5 with the same config has no problem at all. Did I miss
something?
Thanks,
Simon
Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
Simon Perry <scperry(at)deakin.edu.au> | 2003-12-01 10:31:55
On 01/12/03, Simon Matter wrote:
| Hi,
|
| I'm using pound in front of a squirrelmail server. After upgrading to 1.6
| from 1.5, authentication doesn't work anymore with https so login is not
| possible. Non SSL works fine. I have only one backend server and the
| config on my test installation looks as simple as this:
I, too, have seen issues with SSL and authentication (or perhaps it
is something to do with form posting / submits and the way that is
handled).
If I go back to the previous version (1.3 in my case), the problem is
not evident.
Will be glad to help debug.
Cheers.
[...]
Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
luuk(at)wxs.nl | 2003-12-01 17:54:48
I also have a problem with the new version 1.6.
My test setup is a test to do Outlook webaccess via pound.
If I install version 1.6 I receive an error 400 with a SEARCH command.
When I install 1.5 everything is working 100%.
What I remember from when we were implementing the webaccess part is that this is
the function where a request keeps sending stuff instead of a nice end.
We changed the code at that time so that it would send it through, and it looks now
like that code is gone...
Regards,
Luuk
----- Original message -----
From: Simon Perry <scperry(at)deakin.edu.au>
Date: Monday 1 December 2003 at 10:31
Subject: Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
[...]
Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
luuk(at)wxs.nl | 2003-12-01 18:10:35
Here is some extra info about my problem:
if running Pound 1.5 and the same request is done, the entry is logged as:
SEARCH /exchange/luuk.de.boer/Inbox/ HTTP/1.1 - HTTP/1.1 207 Multi-Status
and what I know is that we made some special changes for the multi-status
requests.
Luuk
----- Original message -----
From: Simon Perry <scperry(at)deakin.edu.au>
Date: Monday 1 December 2003 at 10:31
Subject: Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
[...]
Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
luuk(at)wxs.nl | 2003-12-01 18:49:29
I tested some things with tcpwatch to find out what the problem was, and it
looks like the X-SSL-cipher header isn't correct.
Pound 1.5 is ending the request header like this:
==>Authorization: Basic RVRYXGx1dWtiOkMwOHJhNDI4
==>Front-End-Https: on
==>X-Forwarded-For: 192.168.128.129
==>
Pound 1.6 is ending the request header like this:
==>Authorization: Basic RVRYXGx1dWtiOkMwOHJhNDI4
==>Front-End-Https: on
==>X-SSL-cipher: RC4-MD5 SSLv3 Kx=RSA Au=RSA
Enc=RC4(128) Mac=MD5
==>
==>X-Forwarded-For: 192.168.128.129
==>
As a non-C programmer I did the following to http.c:
< // if((cipher = SSL_get_current_cipher(ssl)) != NULL) {
< // SSL_CIPHER_description(cipher, buf, MAXBUF);
< // if(BIO_printf(be, "X-SSL-cipher: %s\r\n", buf) <= 0)
{
< // logmsg(LOG_WARNING, "error write X-SSL-cipher to
%s:%hd: %s",
< // inet_ntoa(srv->sin_addr),
ntohs(srv->sin_port), strerror(errno));
< // err_reply(cl, h500, e500);
< // BIO_free_all(bb);
< // clean_all();
< // pthread_exit(NULL);
< // }
< // }
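Review bot: commenting out the whole block (every `<` line from `if((cipher = SSL_get_current_cipher(ssl)) != NULL) {` down to the closing braces) removes the X-SSL-cipher header altogether instead of repairing it; the tcpwatch capture earlier in this message shows the header value itself ending in a bare newline before the CRLF, so the narrower change is to strip trailing line-ending characters from `buf` after `SSL_CIPHER_description(cipher, buf, MAXBUF);` and before the `BIO_printf`, leaving the header and its write-failure handling (`logmsg`, `err_reply`, `BIO_free_all`, `clean_all`, `pthread_exit`) in place.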
Basically commenting out the printing of the header line, if I understand the code
...
Now Pound 1.6 is working for me again ...
Hope this helps a bit, Robert.
Luuk
----- Original message -----
From: luuk(at)wxs.nl
Date: Monday 1 December 2003 at 18:10
Subject: Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
[...]
Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
Felix Buenemann <atmosfear(at)users.sourceforge.net> | 2003-12-02 03:18:46
On Monday 01 December 2003 18:49, luuk(at)wxs.nl wrote:[...]
Try just removing the \r\n from:
if(BIO_printf(be, "X-SSL-cipher: %s\r\n", buf) <= 0) {
I guess buf already contains the line ending...
[...]
[...]
Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
Robert Segall <roseg(at)apsis.ch> | 2003-12-02 12:30:32
On Tuesday 02 December 2003 03:18, Felix Buenemann wrote:[...]
I put an updated -current on the Web site to fix this. The "official" fix is
to do a strip_eol() on the buffer returned from SSL_CIPHER_description().
The problem is that some versions of OpenSSL append a \n to the returned
string.
Thanks for the info.[...]
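The strip_eol() fix described above, as an added C example that is not Pound's code: the two cipher strings are constructed to mimic SSL_CIPHER_description() output with and without the trailing newline, and strip_eol, build_header_tail, header_block_ok and cipher_header_ok are hypothetical helpers. It also shows the check a proxy can run on the header block it is about to forward, which fails on the unstripped value and passes on both inputs once stripped.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
/* Constructed inputs mimicking SSL_CIPHER_description() output: some OpenSSL
 * versions append a '\n' to the description (the 1.6 problem), others do not. */
static const char *CIPHER_WITH_NL = "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5\n";
static const char *CIPHER_WITHOUT_NL = "RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5";

/* Hypothetical strip_eol(): remove trailing CR/LF characters in place. */
static void strip_eol(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == '\n' || s[n - 1] == '\r'))
        s[--n] = '\0';
}

/* Write the tail of the proxied request header the way Pound 1.6 did.
 * With sanitize == false the description is used verbatim (the 1.6 bug). */
static int build_header_tail(const char *cipher, bool sanitize,
                             char *out, size_t outlen)
{
    char buf[256];
    snprintf(buf, sizeof buf, "%s", cipher);
    if (sanitize)
        strip_eol(buf);
    return snprintf(out, outlen, "X-SSL-cipher: %s\r\n"
                    "X-Forwarded-For: 192.168.128.129\r\n\r\n", buf);
}

/* Defensive check before forwarding: exactly one CRLF CRLF terminator and no
 * bare LF, since LF followed by CRLF is read by tolerant parsers as the end of
 * the headers (the extra "==>" blank line in the tcpwatch capture above). */
static bool header_block_ok(const char *hdr)
{
    const char *end = strstr(hdr, "\r\n\r\n");
    if (end == NULL || end[4] != '\0')
        return false;
    for (const char *p = hdr; *p; p++)
        if (*p == '\n' && (p == hdr || p[-1] != '\r'))
            return false;
    return true;
}

/* Build and check in one step; true means the header block is safe to send. */
static bool cipher_header_ok(const char *cipher, bool sanitize)
{
    char out[512];
    build_header_tail(cipher, sanitize, out, sizeof out);
    return header_block_ok(out);
}
```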
Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
luuk(at)wxs.nl | 2003-12-02 14:52:27
The new current one is working for me.
Thanks, Robert
Luuk
----- Original message -----
From: Robert Segall <roseg(at)apsis.ch>
Date: Tuesday 2 December 2003 at 12:30
Subject: Re: ANNOUNCE: Pound - reverse proxy and load balancer - v1.6
[...]