Pound Mailing List Archive, 2004-06
Certificate Purchase and Pound
"Ron Turner" <ron(at)virtual-vendor.com>
2004-06-02 19:18:13
Hi All,
We're currently using "unsecured" Pound as a Reverse Proxy for our website but
are now interested in securing the website. Are there any considerations we
need to be aware of when applying for a Certificate from Verisign or thawte?
For example, on thawte's certificate purchase page, the customer is asked to
specify which web server will host the secured site. If the server to be used
is not in their dropdown list, they specify to select "Other server software"
and enter the name of the product in a text box. Is it sufficient in our case
to select "Other server software" and enter "Pound" in the text box? Is there
any other information that we should supply or requests we should make to these
vendors in order to ensure our transition to "secured" Pound is as
straightforward as possible? Any help would be much appreciated.
Thanks in advance,
Ron Turner
Re: Certificate Purchase and Pound
Jonathan Cyr <cyrj(at)cyr.info>
2004-06-04 01:41:31
Hello,
I just went round and round with Verisign for about 5 months and never
got it working....
Here's the story.
I had a Verisign 128bit certificate working with Pound problem-free
for 7-8 months... then Verisign introduced an intermediate certificate
to the process... in other words... they moved their certificate
serving mechanism and required all of their users to "patch" their SSL
with an intermediate certificate. Verisign had no idea what Pound is,
and on their telephone support, they will try to treat you like an
Apache user, since OpenSSL means Apache in their telephone support
handbook. Anyway, after 5 months of asking questions, trying new
things, bugging folks here and on the OpenSSL mailing list, I did
finally install their intermediate certificate and certificate chain,
it worked with IE, not with Mozilla... puzzling me, and my generous
benefactors on the OpenSSL list. I concluded Verisign was at fault,
(after 5 mos), and got a new SSL provider.
Solution:
I got a new SSL 128bit certificate with a direct chain, no
intermediate certs. We are no longer Verisign customers... I should
have known better, Verisign can't seem to get any aspect of their
business working correctly... try changing company name on a Verisign
registered domain after a merger... but I digress.
We run a Red Hat AS 2.1 Server on a commodity box, and Load
Balance/Rev Proxy a rather large WebSphere 5.1 based Web App on ports
80 & 443.
My new certificate is from FreeSSL.com, it was a ~$40 128bit
certificate, automated CSR process... and works better than the
Verisign $800/yr variety... none of my customers are the wiser...
128bit is 128bit, the only difference was 3rd party verification with
Dun&Brad, a pain anyways.
On Linux, I highly recommend the OpenSSL chapter of O'Reilly's Linux
Security Cookbook, on http://safari.oreilly.com. It has all of the
commands needed to carry out your plan.
If you decide to go forward, write me, I'll help you... I'd like to
pay-it-forward for the folks who helped me through.
Pound is well worth the effort... the proprietary alternatives are
costly and inflexible.
Good Luck,
-Jon
cyrj(at)cyr.info
Ron Turner wrote:
[...]
Re: Certificate Purchase and Pound
"Ron Turner" <ron(at)virtual-vendor.com>
2004-06-04 02:08:22
Hi Jon,
Thanks very much for your candid recollection of your "journey" with
Verisign! Thanks, as well, for your offer of assistance - I'll definitely
take you up on it as we move forward with this.
Best regards,
Ron
----- Original Message -----
From: "Jonathan Cyr" <cyrj(at)cyr.info>
To: "Ron Turner" <ron(at)virtual-vendor.com>
Cc: <pound(at)apsis.ch>
Sent: Thursday, June 03, 2004 4:41 PM
Subject: Re: Certificate Purchase and Pound
[...]
Re: Certificate Purchase and Pound
Thomas Ritz <info(at)ritze.com>
2004-06-04 11:01:06
Ron Turner wrote:
| considerations we need to be aware of when applying for a Certificate
| from Verisign or thawte? For example, on thawte's certificate purchase
http://www.instantssl.com/ works fine
for us.
| they specify to select "Other server software" and enter the name of the
| product in a text box. Is it sufficient in our case to select "Other
| server software" and enter "Pound" in the text box? Is there any other
Use Apache/mod_ssl and then make the pem file for pound.
Regards
ritze
Re: Certificate Purchase and Pound
"Ron Turner" <ron(at)virtual-vendor.com>
2004-06-04 17:48:15
Thanks for the advice, Thomas. We'll check out both freeSSL and instantSSL.
Best regards,
Ron
----- Original Message -----
From: "Thomas Ritz" <info(at)ritze.com>
To: <pound(at)apsis.ch>
Sent: Friday, June 04, 2004 2:01 AM
Subject: Re: Certificate Purchase and Pound
[...]
Re: Verisign Certificates and Pound
Jonathan Cyr <cyrj(at)cyr.info>
2004-06-07 20:52:40
Hi There,
I had a real problem with Verisign, and never got it fully working,
Mozilla wouldn't take it but IE would.
I thrashed with it for months, so maybe I screwed up Verisign's web
system with the multiple CSRs that I submitted, who knows.
Anyway, Pound supports Intermediate Certificates and full chains...
here are my suggestions.
1) Get Pound working correctly with a Self-Signed Certificate first,
ensure Pound loads, runs, and resolves certificates. There's a single
OpenSSL command in the Pound man pages that will create the .pem
combo file (decoded key/cert). Make Pound work with that, and Pound
is no longer the problem. Unfortunately when Pound chokes on an
incorrectly formatted certificate combo file, it doesn't give much
feedback. Set your settings for the rev-proxy with this self-signed
setup.
2) My final config that worked with IE (not Mozilla) was...
- My Decoded Private Key
- Verisign's Certificate that they sent me after my CSR submission
- The generic Intermediate Certificate that you can download from
Verisign's help website. Any SSL setup would use the same intermediate
certificate
- Finally a Certificate Authority .pem file included with
OpenSSL, I think it's called vsign3.pem, may be slightly different but
definitely 3 for a Class 3 certificate
I had them in the preceding order, all four in sequence in one .pem
file, when they're in the right order, Pound will start and run...
otherwise it will exit in the logs (fgrep pound /var/log/messages)
I alternated between this and removing the vsign3.pem from the combo
file .pem and pointing to it separately in the Pound config file, the
calist directive, I think.
3) My final piece of advice... stay away from Verisign if you can...
I've dealt with them and the Network Solutions from a Technical as
well as Administrative perspective for 5-7 years. Every time, I've
needed them, they've let me down, in a big way, in front of my
customers. I've learned my lesson. Verisign is obviously the
premiere vendor, but they're horrible. Use any other one, maybe Thawte,
they're very big....
I moved to a "no-name" provider called FreeSSL.com, their certificates
have been included with all of the browsers for 5 or so years, for
seamless usage. I believe back to IE3. Old or strange browsers will
just prompt for acceptance.
The Mozilla problem stumped the leaders of the OpenSSL mailing list,
the guy I contacted was an author, Dr. Henson, he couldn't explain the
problem and frankly wasn't familiar with Pound and its implementation
of the OpenSSL Dev Toolkit.
At that point I discarded Verisign... My setup was working in one
hour, $40.00 and an automated CSR submission process. I have big
customers who can't tell the difference, 128bit encryption is 128bit
encryption, and any third party SSL will do.
Good Luck,
-Jon
Kenneth Kangethe wrote: [...]
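Steps 1 and 2 of Jon's post (self-signed test pair first, then the combo file in the order key, cert, intermediate, root) and Thomas's suggestion of building the pem file from an Apache/mod_ssl key and certificate, as a POSIX shell script. This is an added example, not code from the thread or from the Pound project; it assumes `openssl` is on the PATH and that the resulting file is what Pound's `Cert` directive points at.

```shell
#!/bin/sh
# Added example (not from the thread): build the single .pem "combo" file
# Pound loads, in the order the thread describes (unencrypted key, server
# cert, intermediate(s), root), and sanity-check it before Pound sees it.
set -e

# Step 1 of the thread: a self-signed test pair. The key is written without
# a passphrase, which is what a "decoded" private key means here.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=pound-test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Concatenate in sequence. Usage: build_combo OUT KEY CERT [INTERMEDIATE..] [ROOT]
# Works the same with a key/cert pair taken from an Apache/mod_ssl setup.
build_combo() {
  out=$1; shift
  cat "$@" > "$out"
  chmod 600 "$out"   # the combo contains a private key
}

# Print "ok" if the combo is usable, otherwise the name of the first failing
# check. Pound gives little feedback on a bad file, so check it up front.
check_combo() {
  f=$1
  kline=$(grep -n 'BEGIN.*PRIVATE KEY' "$f" | head -1 | cut -d: -f1)
  cline=$(grep -n 'BEGIN CERTIFICATE' "$f" | head -1 | cut -d: -f1)
  # Order: the key must precede the first certificate.
  { [ -n "$kline" ] && [ -n "$cline" ] && [ "$kline" -lt "$cline" ]; } \
    || { echo wrong-order; return 1; }
  openssl rsa -in "$f" -noout -check >/dev/null 2>&1 || { echo bad-key; return 1; }
  # The key must belong to the first (server) certificate.
  kmod=$(openssl rsa -in "$f" -noout -modulus 2>/dev/null || true)
  cmod=$(openssl x509 -in "$f" -noout -modulus 2>/dev/null || true)
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || { echo key-cert-mismatch; return 1; }
  # The certificates after the first must form a chain that validates it
  # (a self-signed cert validates itself when no chain follows).
  leaf=$(mktemp); rest=$(mktemp)
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$f" > "$leaf"
  awk '/BEGIN CERTIFICATE/{n++} n>=2' "$f" > "$rest"
  [ -s "$rest" ] || cp "$leaf" "$rest"
  if openssl verify -CAfile "$rest" "$leaf" >/dev/null 2>&1; then
    rm -f "$leaf" "$rest"; echo ok
  else
    rm -f "$leaf" "$rest"; echo chain-broken; return 1
  fi
}
```

A combo that fails the order check is exactly the case the thread describes as Pound exiting with little in the log, so run `check_combo` on the file before restarting Pound.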