Pound Mailing List Archive (Apsis), 2004-10
Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>, 2004-10-06 11:19:29
Hi,
I can configure Pound with ListenHTTPS to use different certificates on
different IP addresses:
ListenHTTPS 123.123.123.100,443 /etc/cert/cert1.pem
ListenHTTPS 123.123.123.101,443 /etc/cert/cert2.pem
ListenHTTPS 123.123.123.102,443 /etc/cert/cert3.pem
The backend servers resolve the different Host values for this without a
problem.
Only there is a global directive HTTPSHeaders where I would like to have
a client cert for one of the SSL hosts but not all of them.
This is mainly because of an issue (again) with IE that presents you an
empty box to choose from even if you don't have a certificate.
The CAList directive offers no solution either, IE just nags everybody :(
Could HTTPSHeaders be made into a group directive, or do you guys see
another solution to this?
My plan to solve this quick and dirty is to have two Pound instances on
the machine with different config files.[...]

Re: Config question HTTPSHeaders
Robert Segall <roseg(at)apsis.ch>, 2004-10-06 14:58:10
On Wednesday 06 October 2004 11.19, Thierry Coopman wrote:[...]
Have you tried "HTTPSHeaders 1 ..."? '1' means 'ask for certificate but allow
for none', as opposed to '2' - 'ask for certificate and disallow if none
present'. BTW - to make life interesting various IE versions react
differently to these directives...
[...]
CAList is different - it just tells the client which of its certificates to
send if it has more than one (by declaring which CAs we are interested in).
[...]
It's planned for 2.0 - but that may take a while.
[...]
That would certainly work.[...]
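The practical consequence of "HTTPSHeaders 1" (ask, but allow none) is that the decision about a missing or unwanted client certificate moves from the TLS handshake to the backend, which only sees what Pound puts in the request headers. The following is an added example of that backend-side handling, written for this thread; it is not code from Pound or from either poster. It assumes that Pound forwards the certificate details as X-SSL-Subject, X-SSL-Issuer and X-SSL-serial (with the cipher in X-SSL-Cipher) and adds the extra header named on the HTTPSHeaders line ("proxy: on" here), and that the backend can see which peer address a request arrived from. TRUSTED_PROXIES, TRUSTED_ISSUER and the sample requests are constructed values. The point a practitioner wants covered is that these headers are only meaningful when the request really came through Pound; a client that reaches the backend directly can type X-SSL-Subject itself.

```python
"""
Backend-side use of the headers Pound forwards under HTTPSHeaders 1.

Added example for this thread, not code from Pound or from either poster.
Assumptions: Pound forwards X-SSL-Subject / X-SSL-Issuer / X-SSL-serial /
X-SSL-Cipher and adds the extra header given to HTTPSHeaders ("proxy: on"
here); the backend knows the peer address each request arrived from.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# Addresses Pound connects to the backend from (assumed deployment values).
# A request from any other peer may carry hand-typed X-SSL-* headers.
TRUSTED_PROXIES = frozenset({"127.0.0.1", "10.0.0.5"})

# Issuer DN of the CA whose client certificates are accepted (constructed).
TRUSTED_ISSUER = "/C=BE/O=Example Bank/CN=Example Bank Client CA"


@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str
    serial: str


class UntrustedHeaders(Exception):
    """X-SSL-* headers arrived from something that is not Pound."""


def _fold(headers: Mapping[str, str]) -> dict:
    # Header names are case-insensitive; Pound's own casing varies by version.
    return {k.lower(): v.strip() for k, v in headers.items()}


def client_cert_from_headers(headers: Mapping[str, str],
                             remote_addr: str) -> Optional[ClientCert]:
    h = _fold(headers)
    ssl_keys = [k for k in h if k.startswith("x-ssl-")]
    if remote_addr not in TRUSTED_PROXIES:
        if ssl_keys or "proxy" in h:
            raise UntrustedHeaders(f"X-SSL headers from non-proxy peer {remote_addr}")
        return None
    if h.get("proxy") != "on":
        # Came in through a plain ListenHTTP listener: no TLS, no certificate,
        # whatever other headers happen to be present.
        return None
    subject = h.get("x-ssl-subject")
    if not subject:
        # HTTPSHeaders 1: Pound asked, the browser sent nothing, the session
        # went ahead anyway. This is the case HTTPSHeaders 2 would have refused.
        return None
    return ClientCert(subject, h.get("x-ssl-issuer", ""), h.get("x-ssl-serial", ""))


def authorize(headers: Mapping[str, str], remote_addr: str,
              require_cert: bool) -> Tuple[int, str]:
    """HTTP status and reason the backend would answer with."""
    try:
        cert = client_cert_from_headers(headers, remote_addr)
    except UntrustedHeaders as exc:
        return 400, str(exc)
    if cert is None:
        if require_cert:
            # With mode 1 this is where a proper "no certificate" page can be
            # served, instead of the failed handshake mode 2 gives the browser.
            return 403, "client certificate required"
        return 200, "anonymous"
    if cert.issuer != TRUSTED_ISSUER:
        return 403, "certificate not issued by the trusted CA"
    return 200, f"authenticated as {cert.subject}"


# Constructed requests, as the backend would see them.
WITH_CERT = {
    "Host": "secure.example.com",
    "proxy": "on",
    "X-SSL-Cipher": "AES256-SHA",
    "X-SSL-Subject": "/C=BE/O=Example Bank/CN=thierry",
    "X-SSL-Issuer": TRUSTED_ISSUER,
    "X-SSL-serial": "1001",
}
NO_CERT = {"Host": "secure.example.com", "proxy": "on", "X-SSL-Cipher": "AES256-SHA"}
SPOOFED = dict(WITH_CERT)  # identical headers, but sent straight to the backend

if __name__ == "__main__":
    for name, hdrs, peer in (("with cert", WITH_CERT, "127.0.0.1"),
                             ("no cert", NO_CERT, "127.0.0.1"),
                             ("spoofed", SPOOFED, "203.0.113.9")):
        print(f"{name:10s} -> {authorize(hdrs, peer, require_cert=True)}")
```

Running the file prints the three outcomes: the real certificate is accepted, the certificate-less session gets a 403 page rather than a broken handshake, and the copy sent directly from 203.0.113.9 is rejected as untrusted. Binding the backend to an address only Pound can reach (or filtering on the peer address as above) is what makes the forwarded headers trustworthy; without that, "HTTPSHeaders 1" on the proxy gives no authentication at all.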

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>, 2004-10-06 16:13:17
Robert Segall wrote:
[...]
certificate to avoid having a pop up in everyone's face
[...]
send to the server if it doesn't have a certificate that matches the CA
list, but it still throws up an empty dialog :(
[...]

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>, 2004-10-06 17:57:14
OK,
an update on this.
On pound-current dated August 23
I am unable to use client certificates: Firefox, Mozilla and IE are either
unable to connect or refuse to send the client certificate.
I tested this feature back when Pound was at version 1.4 and it worked
back then. I know the SSL calls have had a major overhaul in the recent
versions; could it be that some changes prevent building up an SSL
tunnel using client certs?
Mozilla returns error code -12195, but I could not find more info on that.
IE just times out (and states the wrong DNS problem again).
Firefox continues, but then I have no info in the HTTP headers from the
Pound request, only an X-SSL-CIPHER header.
I'm not defining a CAList, just
HTTPSHeaders 1 "proxy: on"
Would you suggest using the most recent -current? I was avoiding that
one a bit since I don't have the e500/garbled content problem, and
wanted to wait until confirmations came in that it's solved :)
Thanks

Re: Config question HTTPSHeaders
Robert Segall <roseg(at)apsis.ch>, 2004-10-07 11:53:48
On Wednesday 06 October 2004 17.57, Thierry Coopman wrote:[...]
There was one version which had problems - seems to be the one you tried.
Please have another go at it with the latest -current.
BTW - all the details about the client certificate are available in the
headers, including the certificate itself.[...]

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>, 2004-10-20 18:08:56
Hi,
I finally got around to testing the latest -current (the one dated Oct 4).
It didn't solve the issue of the client side certificates. The browser
seems to connect OK, asks for the certificate, but then is unable to
continue. IE has the usual non-helpful 'cannot connect to site' and
Mozilla has an error establishing an encrypted connection, error code
-12195.
It does seem as though this functionality is broken in Pound. When I set
up the Apache server directly to work with client certs it worked fine
(latest Apache+mod_ssl).
What can I do to provide you with more info on this issue? I have
nothing in the error log. Maybe I need to activate some debugging option?
Thanks

Re: Config question HTTPSHeaders
Robert Segall <roseg(at)apsis.ch>, 2004-10-20 18:21:50
On Wednesday 20 October 2004 18.08, Thierry Coopman wrote:[...]
Just to test - could you please try it with HTTPSHeaders 0? That would tell us
if there is a problem with SSL itself.
Additional things to test: if you run in a root jail make sure you have the
random devices required by OpenSSL. On failure you should see some message in
the logs saying that the RSA keys could not be generated.[...]

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>, 2004-10-20 18:27:13
Hi,
on the same machine I have a Pound running with
HTTPSHeaders 0 "proxy: on"
The only difference in the config is
HTTPSHeaders 1 "proxy: on"
and the binding to another IP address on the machine. I tried with and
without root jail.

Re: Config question HTTPSHeaders
Robert Segall <roseg(at)apsis.ch>, 2004-10-20 18:29:23
On Wednesday 20 October 2004 18.08, Thierry Coopman wrote:[...]
One more thing: please make sure you have no duplicate HTTPSHeaders directive
in the config! At least in our tests HTTPSHeaders 1 works fine without a
client certificate with IE, Konqueror and Firefox. The symptoms you describe
would fit HTTPSHeaders 2 when the client has no certificate.[...]
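The two configuration points raised in this thread (HTTPSHeaders is global, so it cannot be set per ListenHTTPS host and the poster's workaround is a second Pound instance with its own config file; and a stray duplicate HTTPSHeaders line is the first thing to rule out when only certificate-bearing clients fail) are mechanical enough to check before restarting anything. The script below is an added example written for this thread, not part of Pound. The directive syntax it parses is taken from the lines quoted in the thread (ListenHTTPS addr,port certfile; HTTPSHeaders 0|1|2 "header"; CAList file); that the format is one directive per line with '#' comments and case-insensitive names is an assumption, as are the two sample configs.

```python
"""
Sanity checks for a Pound 1.x configuration around HTTPSHeaders.

Added example, not part of Pound or of the thread. Directive syntax follows
the lines quoted in the thread; the rest of the format is assumed.
"""
import shlex
from typing import List, Tuple

Directive = Tuple[str, List[str]]


def parse_pound_config(text: str) -> List[Directive]:
    """One directive per line; '#' starts a comment; shlex keeps the quoted
    header argument of HTTPSHeaders together as a single token."""
    directives = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        directives.append((parts[0].lower(), parts[1:]))
    return directives


def check_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    directives = parse_pound_config(text)
    https_headers = [a for d, a in directives if d == "httpsheaders"]
    listeners = [a for d, a in directives if d == "listenhttps"]
    calists = [a for d, a in directives if d == "calist"]

    # HTTPSHeaders is global: a second copy leaves it unclear which mode is
    # in force, and is the first thing the maintainer asks to rule out.
    if len(https_headers) > 1:
        findings.append(
            f"HTTPSHeaders given {len(https_headers)} times; it is a global "
            "directive, keep exactly one")

    mode = None
    for args in https_headers:
        if not args or args[0] not in ("0", "1", "2"):
            findings.append(f"HTTPSHeaders mode must be 0, 1 or 2, got {args[:1]}")
        else:
            mode = args[0]

    for args in listeners:
        if len(args) != 2 or "," not in args[0]:
            findings.append(f"ListenHTTPS expects 'addr,port certfile', got {args}")

    # The mode applies to every ListenHTTPS listener in the instance, so a
    # certificate request (mode 1 or 2) reaches the users of every host:
    # exactly the browser prompt the thread wants confined to one host.
    if mode in ("1", "2") and len(listeners) > 1:
        findings.append(
            f"HTTPSHeaders {mode} applies to all {len(listeners)} HTTPS listeners; "
            "run the host that needs client certificates as a separate Pound "
            "instance if the others should not prompt")

    if mode == "2":
        findings.append(
            "HTTPSHeaders 2 refuses clients without a certificate at the "
            "handshake, so no error page can be served to them; use 1 and "
            "decide on the backend if a page is wanted")

    if calists and mode in (None, "0"):
        findings.append(
            "CAList has no effect unless HTTPSHeaders is 1 or 2: the client is "
            "never asked for a certificate, so the CA names are never sent")

    return findings


# Constructed configs: the layout described in the thread (with a stray
# second HTTPSHeaders line), and the split-off instance for the one host
# that should ask for a certificate.
THREAD_STYLE = """
ListenHTTPS 123.123.123.100,443 /etc/cert/cert1.pem
ListenHTTPS 123.123.123.101,443 /etc/cert/cert2.pem
ListenHTTPS 123.123.123.102,443 /etc/cert/cert3.pem
HTTPSHeaders 1 "proxy: on"
HTTPSHeaders 1 "proxy: on"   # stray second copy
"""

SPLIT_INSTANCE = """
# Second Pound instance, own config file, only the client-cert host
ListenHTTPS 123.123.123.101,443 /etc/cert/cert2.pem
HTTPSHeaders 1 "proxy: on"
"""

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_STYLE), ("split", SPLIT_INSTANCE)):
        print(name, check_config(cfg) or ["ok"])
```

The first config yields two findings (the duplicate directive and the all-listeners warning); the split instance yields none. The CAList check is an inference from Robert's description of the directive: it only changes what the client is told during the certificate request, so with mode 0 there is nothing for it to influence.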

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>, 2004-10-20 18:38:55
Hi,
I checked; I have only one HTTPSHeaders directive. It's a separate config
file for this specific host, since IE just always asks a user to pick a
client cert, even if the client cert list is empty :(
Indeed, if I choose not to send a client certificate, everything goes
fine. If I do send a certificate, the connection cannot be further
established, as if some check would fail or so, but I didn't find anything
in the error logs.
Also, it would be great if we could send a page off to the customer if
there is a problem with the cert presented, like the e500 directives.

RE: Config question HTTPSHeaders
"John Hansen" <john(at)oztralis.com.au>, 2004-10-20 22:56:09