Pound Mailing List Archive (Apsis), 2004-04

Client Certificate
"Alex Kang" <deyank(at)mmodal.com>
2004-04-23 20:08:29
Hi List,

I have a question about the client certificate. I tried to use CAList to
limit what CAs are acceptable to Pound but without any luck. Here is my
config file:

ListenHTTP 192.168.128.150,81
ListenHTTPS 192.168.128.150,11022 /usr/local/etc/pound/verisign.pem
CAlist /usr/local/etc/pound/client.pem 1
Client 15
Alive 60
LogLevel 2
UrlGroup ".*"

BackEnd 192.168.128.109,8009,1
BackEnd 192.168.128.112,8009,1

What I observe is that a client without a client certificate can access
pound freely.
If I add another line: HTTPSHeaders 1 "" before CAList, pound simply
denies all connection attempts.
The content of the client.pem (acquired from VeriSign) is:
-----BEGIN CERTIFICATE-----
MIIDMDCCAtqgAwIBAgIQbiUheadZuTKL1AB5tuuxeDANBgkqhkiG9w0BAQUFADCB
qTEWMBQGA1UEChMNVmVyaVNpZ24sIEluYzFHMEUGA1UECxM+d3d3LnZlcmlzaWdu
xxx
-----END CERTIFICATE-----

Any suggestion? Thank you very much,


Alex Kang

Re: Client Certificate
Robert Segall <roseg(at)apsis.ch>
2004-04-26 12:09:53
On Fri, 2004-04-23 at 20:08, Alex Kang wrote:
> ...snip...

You seem to have a slight misunderstanding about this: CAlist is just a
list of CAs that is sent to the client as "acceptable". It is up to the
client to choose which certificate to send - it may have more than one.
If the client has no such certificate it sends none, thus failing the
"HTTPSHeaders 1".

Please note that the CAlist has nothing to do with Pound itself - you
would still have to check which certificate was presented by the client.

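The reply's last point, that CAlist only advertises acceptable CAs and the backend still has to check which certificate was actually presented, is what the following added example shows. It is not code from the thread or from the Pound project. It assumes Pound is running with HTTPSHeaders enabled and forwards the client certificate's subject and issuer as the X-SSL-Subject and X-SSL-Issuer request headers (the header names as documented in the Pound man page; the exact DN string format is assumed to be OpenSSL's one-line "/C=..../O=..." form), and that the backend can see the address the request arrived from. The issuer DN, the client subject and the request samples are constructed for the example; the Pound address is the one from the config posted above.

```python
# Added example, not part of the Pound project or this thread.
# Backend-side gate for the client-certificate headers Pound forwards
# when "HTTPSHeaders 1" is set. Pound only guarantees that *a* certificate
# was presented; which CA issued it has to be checked here.

# Issuer DN of the CA that is actually allowed to sign client certificates.
# The value is a constructed placeholder in OpenSSL one-line DN form (assumed
# to be the format Pound uses for X-SSL-Issuer); use the real CA's DN.
ALLOWED_ISSUERS = {
    "/C=US/O=VeriSign, Inc./OU=Example Client CA (placeholder)",
}

# Only requests that came through Pound carry trustworthy X-SSL-* headers.
# Anything reaching the backend from elsewhere could have set them itself,
# so the origin is checked first. Address taken from the posted config.
POUND_ADDRESSES = {"192.168.128.150"}


def normalize_dn(dn):
    """Canonicalise a one-line DN: drop empty components, trim whitespace."""
    parts = [p.strip() for p in dn.strip().split("/") if p.strip()]
    return "/" + "/".join(parts)


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def client_cert_allowed(headers, remote_addr):
    """Decide whether a forwarded request carries an acceptable client cert.

    Returns (allowed, detail): detail is the client subject DN when allowed,
    otherwise a short reason for the rejection.
    """
    if remote_addr not in POUND_ADDRESSES:
        return False, "request did not arrive via Pound; X-SSL-* headers untrusted"

    issuer = _header(headers, "X-SSL-Issuer")
    subject = _header(headers, "X-SSL-Subject")
    if not issuer or not subject:
        # With HTTPSHeaders 1 Pound should already have refused this, but the
        # backend must not rely on that alone.
        return False, "no client certificate presented"

    allowed = {normalize_dn(d) for d in ALLOWED_ISSUERS}
    if normalize_dn(issuer) not in allowed:
        # CAlist advertised the acceptable CAs, but the client may still send a
        # certificate from any CA; this is the check the reply says is needed.
        return False, "issuer not in the accepted CA list"

    return True, normalize_dn(subject)


if __name__ == "__main__":
    # Constructed sample requests as the backend would see them.
    good = {"X-SSL-Issuer": "/C=US/O=VeriSign, Inc./OU=Example Client CA (placeholder)",
            "X-SSL-Subject": "/C=US/O=MModal/CN=Alex Kang"}
    other_ca = {"x-ssl-issuer": "/C=US/O=Some Other CA",
                "x-ssl-subject": "/CN=stranger"}
    print(client_cert_allowed(good, "192.168.128.150"))
    print(client_cert_allowed(other_ca, "192.168.128.150"))
    print(client_cert_allowed({}, "192.168.128.150"))
    print(client_cert_allowed(good, "192.168.128.109"))
```

The origin check matters in this particular setup because the posted config also has a plain ListenHTTP on port 81; a backend that trusts X-SSL-* headers on every request would treat a header supplied by any client on that listener as proof of a certificate, so the check is tied to requests that actually came from the TLS path.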