Hi Jon,
You have been simply great! Thanks for the assistance... Thanks once
again! Wow!
Cheers,
Ken
Jonathan Cyr <cyrj(at)cyr.info> wrote:
[...]
> rev-proxy, rather than in-between. But I have simple firewall needs, I
> let everything on 80 & 443 in to be parsed by Pound.
>
> I'm using a very simple firewall, only allowing HTTP, HTTPS, & SSH
> traffic... I'm afraid I'm not an HTTP(S) traffic expert.
>
> My two cents. Try putting your firewall outside the proxy/hub/server,
> get through your firewall to a server, then reroute to Pound.
>
> -Jon
>
> Kenneth Kangethe wrote:
>
>> Hi
>>
>> Thanks Jonathan for your speedy response. I was able to view the
>> Verisign cert. and get Pound working. Now I am facing another
>> interesting problem.
>>
>> During testing, I had connected my computer and the reverse proxy on
>> to a hub, and on the back-end there was a firewall, after which the
>> internal network and my web server were located. Everything worked
>> well and I was able to view the website from my computer via the
>> reverse proxy.
>>
>> The problem appears when I insert a firewall between the reverse proxy
>> and my computer. I can't seem to get to my site. (I have tried
>> setting my firewall to permit all traffic but still... nothing.) Are
>> there some routing issues that I need to tackle? What type of routes
>> am I to put on the reverse proxy so as to permit anyone with any IP
>> address to view my site?
>>
>> Your assistance is greatly appreciated.
>>
>> - Ken
>>
>> --------------------------------------------------------------------
>>
>>> From: Jonathan Cyr <cyrj(at)cyr.info>
>>> Reply-To: cyrj(at)cyr.info
>>> To: Kenneth Kangethe <ngethek(at)netscape.net>
>>> CC: pound(at)apsis.ch
>>> Subject: Re: Verisign Certificates and Pound
>>> Date: Mon, 07 Jun 2004 14:52:40 -0400
>>>
>>> Hi There,
>>>
>>> I had a real problem with Verisign, and never got it fully working;
>>> Mozilla wouldn't take it but IE would.
>>>
>>> I thrashed with it for months, so maybe I screwed up Verisign's web
>>> system with the multiple CSRs that I submitted, who knows.
>>>
>>> Anyway, Pound supports Intermediate Certificates and full chains...
>>> here are my suggestions.
>>>
>>> 1) Get Pound working correctly with a Self-Signed Certificate first;
>>> ensure Pound loads, runs, and resolves certificates. There's a single
>>> OpenSSL command in the Pound man pages that will create the .pem combo
>>> file (decoded key/cert). Make Pound work with that, and Pound is no
>>> longer the problem. Unfortunately, when Pound chokes on an incorrectly
>>> formatted certificate combo file, it doesn't give much feedback. Set
>>> your settings for the rev-proxy with this self-signed setup.
>>>
>>> 2) My final config that worked with IE (not Mozilla) was...
>>>    - My Decoded Private Key
>>>    - Verisign's Certificate that they sent me after my CSR submission
>>>    - The generic Intermediate Certificate that you can download from
>>>      Verisign's help website. Any SSL setup would use the same
>>>      intermediate certificate
>>>    - Finally, a Certificate Authority .pem file included with OpenSSL.
>>>      I think it's called vsign3.pem, may be slightly different, but
>>>      definitely 3 for a Class 3 certificate
>>>
>>> I had them in the preceding order, all four in sequence in one .pem
>>> file. When they're in the right order, Pound will start and run...
>>> otherwise it will exit in the logs (fgrep pound /var/log/messages).
>>>
>>> I alternated between this and removing the vsign3.pem from the combo
>>> .pem file and pointing to it separately in the Pound config file, the
>>> calist directive, I think.
>>>
>>> 3) My final piece of advice... stay away from Verisign if you can...
>>> I've dealt with them and Network Solutions from a Technical as well
>>> as Administrative perspective for 5-7 years. Every time I've needed
>>> them, they've let me down, in a big way, in front of my customers.
>>> I've learned my lesson. Verisign is obviously the premiere vendor,
>>> but they're horrible. Use any other one, maybe Thawte, they're very
>>> big.... I moved to a "no-name" provider called FreeSSL.com; their
>>> certificates have been included with all of the browsers for 5 or so
>>> years, for seamless usage. I believe back to IE3. Old or strange
>>> browsers will just prompt for acceptance.
>>>
>>> The Mozilla problem stumped the leaders of the OpenSSL mailing list;
>>> the guy I contacted was an author, Dr. Henson, he couldn't explain the
>>> problem and frankly wasn't familiar with Pound and its implementation
>>> of the OpenSSL Dev Toolkit.
>>>
>>> At that point I discarded Verisign... My setup was working in one
>>> hour, $40.00 and an automated CSR submission process. I have big
>>> customers who can't tell the difference, 128bit encryption is 128bit
>>> encryption, and any third party SSL will do.
>>>
>>> Good Luck,
>>>
>>> -Jon
>>>
>>> Kenneth Kangethe wrote:
>>>
>>>> Hi Jonathan Cyr,
>>>>
>>>> I have just read the experiences that you went through with Pound
>>>> and Verisign Certificates (attached below). I am sort of having the
>>>> same problem. I am interested in how you installed the intermediate
>>>> certificate, certificate chain and the steps that you took in order
>>>> to get Pound to work for IE. Please forward the above info to
>>>> ngethe(at)hotmail.com. Thanks.
>>>>
>>>> My regards,
>>>>
>>>> Kenneth Wainaina
>>>> --------------------
>>>> Attachment:-
>>>>
>>>>> Re: Certificate Purchase and Pound
>>>>> Jonathan Cyr <cyrj(at)cyr.info>
>>>>>
>>>>> Hello,
>>>>>
>>>>> I just went round and round with Verisign for about 5 months and
>>>>> never got it working....
>>>>>
>>>>> Here's the story.
>>>>>
>>>>> I had a Verisign 128bit certificate working with Pound problem-free
>>>>> for 7-8 months... then Verisign introduced an intermediate
>>>>> certificate to the process... in other words... they moved their
>>>>> certificate serving mechanism and required all of their users to
>>>>> "patch" their SSL with an intermediate certificate. Verisign had no
>>>>> idea what Pound is, and on their telephone support, they will try
>>>>> to treat you like an Apache user, since OpenSSL means Apache in
>>>>> their telephone support handbook. Anyway, after 5 months of asking
>>>>> questions, trying new things, bugging folks here and on the OpenSSL
>>>>> mailing list, I did finally install their intermediate certificate
>>>>> and certificate chain; it worked with IE, not with Mozilla...
>>>>> puzzling me, and my generous benefactors on the OpenSSL list. I
>>>>> concluded Verisign was at fault (after 5 mos), and got a new SSL
>>>>> provider.
>>>>>
>>>>> Solution:
>>>>>
>>>>> I got a new SSL 128bit certificate with a direct chain, no
>>>>> intermediate certs. We are no longer Verisign customers... I should
>>>>> have known better, Verisign can't seem to get any aspect of their
>>>>> business working correctly... try changing company name on a
>>>>> Verisign registered domain after a merger... but I digress.
>>>>>
>>>>> We run a Red Hat AS 2.1 Server on a commodity box, and Load
>>>>> Balance/Rev Proxy a rather large WebSphere 5.1 based Web App on
>>>>> ports 80 & 443.
>>>>>
>>>>> My new certificate is from FreeSSL.com; it was a ~$40 128bit
>>>>> certificate, automated CSR process... and works better than the
>>>>> Verisign $800/yr variety... none of my customers are the wiser...
>>>>> 128bit is 128bit, the only difference was 3rd party verification
>>>>> with Dun&Brad, a pain anyways.
>>>>>
>>>>> On Linux, I highly recommend the OpenSSL chapter of O'Reilly's
>>>>> Linux Security Cookbook, on http://safari.oreilly.com./ It has all
>>>>> of the commands needed to carry out your plan.
>>>>>
>>>>> If you decide to go forward, write me, I'll help you... I'd like to
>>>>> pay it forward for the folks who helped me through.
>>>>>
>>>>> Pound is well worth the effort... the proprietary alternatives are
>>>>> costly and inflexible.
>>>>>
>>>>> Good Luck,
>>>>>
>>>>> -Jon
>>>>> cyrj(at)cyr.info
>>>>>
>>>>> Ron Turner wrote:
>>>>> [...]
>>>>>
> [...]
[...]
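Added example for this thread, not code from the Pound project or from any of the posters. Jon's point 2 above describes the layout of the combo .pem that Pound loads (decoded private key first, then the server certificate, then the intermediate, then the CA certificate) and his point 1 notes that Pound gives almost no feedback when that file is malformed. The POSIX shell functions below build such a file and check the PEM block order before Pound is started, so a wrong concatenation is caught with a readable message instead of a silent exit. The file names (server.key, server.crt, intermediate.crt, root.pem) are illustrative assumptions; the openssl invocations are standard ones, not the exact command from the Pound man page, and run only when the openssl binary is present.

```shell
#!/bin/sh
# Added example for this thread, not code from the Pound project.
# Builds and sanity-checks the combo .pem that Pound's Cert directive loads.
# Expected block order (Jon's working config): private key, server
# certificate, intermediate certificate(s), root CA certificate.
# All file names in the usage comments are illustrative assumptions.

# Step 1 from the thread: a throwaway self-signed key + cert to prove that
# Pound itself loads and serves TLS before the real chain is involved.
# Standard openssl req invocation, not the exact Pound man page command.
make_self_signed() {
    # usage: make_self_signed test.key test.crt www.example.test
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1" -out "$2" -subj "/CN=$3"
}

# Print the type of every PEM block in a file, one per line, in file order.
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 when the combo file is laid out the way Pound expects:
# one unencrypted ("decoded") private key block first, followed by one or
# more CERTIFICATE blocks. An encrypted key or a certificate placed before
# the key is reported instead of being left for Pound to choke on quietly.
check_combo_order() {
    order=$(pem_block_order "$1")
    first=$(printf '%s\n' "$order" | sed -n '1p')
    case "$first" in
        "RSA PRIVATE KEY"|"PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) echo "$1: first block must be the decoded private key, got: ${first:-none}" >&2
           return 1 ;;
    esac
    rest=$(printf '%s\n' "$order" | sed -n '2,$p')
    if [ -z "$rest" ]; then
        echo "$1: no certificate blocks follow the key" >&2
        return 1
    fi
    bad=$(printf '%s\n' "$rest" | grep -v -x 'CERTIFICATE' || true)
    if [ -n "$bad" ]; then
        echo "$1: unexpected block(s) after the key: $bad" >&2
        return 1
    fi
    return 0
}

# Concatenate key, server cert and chain certs in exactly that order,
# lock the file down (it carries the unencrypted key), then check it.
build_combo() {
    # usage: build_combo combo.pem server.key server.crt [intermediate.crt ...]
    out=$1; shift
    cat "$@" > "$out"
    chmod 600 "$out"
    check_combo_order "$out"
}

# Confirm the server cert chains to the root through the intermediate.
# The root is the file Jon alternately kept out of the combo and named in
# Pound's CAlist directive; openssl verify treats it as the trust anchor.
verify_chain() {
    # usage: verify_chain root.pem server.crt intermediate.crt
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; return 0; }
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
}
```

Typical use is `build_combo combo.pem server.key server.crt intermediate.crt root.pem` followed by `verify_chain root.pem server.crt intermediate.crt`; if `check_combo_order` complains, fix the concatenation before pointing Pound at the file, and only then consult `fgrep pound /var/log/messages` for whatever Pound itself reports.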