Pound Mailing List Archive (Apsis), 2004-10

Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>
2004-10-06 11:19:29
Hi,

I can configure Pound with ListenHTTPS to use different certificates on 
different IP addresses.

ListenHTTPS 123.123.123.100,443 /etc/cert/cert1.pem
ListenHTTPS 123.123.123.101,443 /etc/cert/cert2.pem
ListenHTTPS 123.123.123.102,443 /etc/cert/cert3.pem

The backend servers resolve the different Host values for this without a 
problem.
Only there is a global directive HTTPSHeaders where I would like to have 
a client cert for one of the SSL hosts but not all of them.

This is mainly because of an issue (again) with IE that presents you an 
empty box to choose from even if you don't have a certificate.

The CAList directive offers no solution either, IE just nags everybody :(

Could HTTPSHeaders be made into a group directive or do you guys see 
another solution to this?

My plan to solve this quick and dirty is to have 2 Pound instances on 
the machine with different config files.
-- 
Keytrade Bank accepts no liability for the content of this email. For 
more info please visit http://www.keytradebank.com/maildisclaimer.html

Re: Config question HTTPSHeaders
Robert Segall <roseg(at)apsis.ch>
2004-10-06 14:58:10
On Wednesday 06 October 2004 11.19, Thierry Coopman wrote:
> Hi,
>
> I can configure Pound with ListenHTTPS to use different certificates on
> different IP addresses.
>
> ListenHTTPS 123.123.123.100,443 /etc/cert/cert1.pem
> ListenHTTPS 123.123.123.101,443 /etc/cert/cert2.pem
> ListenHTTPS 123.123.123.102,443 /etc/cert/cert3.pem
>
> The backend servers resolve the different Host values for this without a
> problem.
> Only there is a global directive HTTPSHeaders where I would like to have
> a client cert for one of the SSL hosts but not all of them.
>
> This is mainly because of an issue (again) with IE that presents you an
> empty box to choose from even if you don't have a certificate.

Have you tried "HTTPSHeaders 1 ..."? '1' means 'ask for certificate but allow 
for none', as opposed to '2' - 'ask for certificate and disallow if none 
present'. BTW - to make life interesting various IE versions react 
differently to these directives...

> The CAList directive offers no solution either, IE just nags everybody :(

CAList is different - it just tells the client which of its certificates to 
send if it has more than one (by declaring which CA's we are interested in).

> Could HTTPSHeaders be made into a group directive or do you guys see
> another solution to this?

It's planned for 2.0 - but that may take a while.

> My plan to solve this quick and dirty is to have 2 pound instances on
> the machine with different config files.

That would certainly work.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-1-920 4904

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>
2004-10-06 16:13:17
Robert Segall wrote:

> On Wednesday 06 October 2004 11.19, Thierry Coopman wrote:
>> Hi,
>>
>> I can configure Pound with ListenHTTPS to use different certificates on
>> different IP addresses.
>>
>> ListenHTTPS 123.123.123.100,443 /etc/cert/cert1.pem
>> ListenHTTPS 123.123.123.101,443 /etc/cert/cert2.pem
>> ListenHTTPS 123.123.123.102,443 /etc/cert/cert3.pem
>>
>> The backend servers resolve the different Host values for this without a
>> problem.
>> Only there is a global directive HTTPSHeaders where I would like to have
>> a client cert for one of the SSL hosts but not all of them.
>>
>> This is mainly because of an issue (again) with IE that presents you an
>> empty box to choose from even if you don't have a certificate.
>
> Have you tried "HTTPSHeaders 1 ..."? '1' means 'ask for certificate but allow
> for none', as opposed to '2' - 'ask for certificate and disallow if none
> present'. BTW - to make life interesting various IE versions react
> differently to these directives...

Yes, it's just plain annoying. So we created a second name with another 
certificate to avoid having a pop-up in everyone's face.

>> The CAList directive offers no solution either, IE just nags everybody :(
>
> CAList is different - it just tells the client which of its certificates to
> send if it has more than one (by declaring which CA's we are interested in).

Yes, I just 'hoped' that IE wouldn't bother to ask what certificate to 
send to the server if it doesn't have a certificate that matches the CA 
list, but it still throws up an empty dialog :(

>> Could HTTPSHeaders be made into a group directive or do you guys see
>> another solution to this?
>
> It's planned for 2.0 - but that may take a while.
>
>> My plan to solve this quick and dirty is to have 2 Pound instances on
>> the machine with different config files.
>
> That would certainly work.

Indeed :)


Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>
2004-10-06 17:57:14
OK,
an update on this.
On pound-current dated August 23
I am unable to use client certificates: Firefox, Mozilla and IE are either 
unable to connect or refuse to send the client certificate.

I tested this feature back when Pound was at version 1.4 and it worked 
back then. I know the SSL calls have had a major overhaul in the recent 
versions; could it be that some changes prevent building up an SSL 
tunnel using client certs?

Mozilla returns error code -12195, but I could find more info on that.
IE just times out (and states the wrong DNS problem again).
Firefox continues, but then I have no info in the HTTP headers from the 
Pound request, only an X-SSL-CIPHER header.

I'm not defining a CAList, just

HTTPSHeaders 1 "proxy: on"

Would you suggest using the most recent -current? I was avoiding that 
one a bit since I don't have the e500/garbled content problem, and 
wanted to wait until confirmations came in that it's solved :)

Thanks


Re: Config question HTTPSHeaders
Robert Segall <roseg(at)apsis.ch>
2004-10-07 11:53:48
On Wednesday 06 October 2004 17.57, Thierry Coopman wrote:
> OK,
> an update on this.
> On pound-current dated August 23
> I am unable to use client certificates: Firefox, Mozilla and IE are either
> unable to connect or refuse to send the client certificate.

There was one version which had problems - seems to be the one you tried. 
Please have another go at it with the latest -current.

BTW - all the details about the client certificate are available in the 
headers, including the certificate itself.

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>
2004-10-20 18:08:56
Hi,

I finally got around to testing the latest -current (the one dated Oct 4).
It didn't solve the issue of the client side certificates. The browser 
seems to connect OK, asks for the certificate, but then is unable to 
continue. IE has the usual non-helpful 'cannot connect to site' and 
Mozilla has an error establishing an encrypted connection, error code 
-12195.

It does seem as though this functionality is broken on Pound. When I set 
up the Apache server directly to work with client certs it worked fine 
(latest Apache + mod_ssl).

What can I do to provide you with more info on this issue? I have 
nothing in the error log. Maybe I need to activate some debugging option?

Thanks


Re: Config question HTTPSHeaders
Robert Segall <roseg(at)apsis.ch>
2004-10-20 18:21:50
On Wednesday 20 October 2004 18.08, Thierry Coopman wrote:
> Hi,
>
> I finally got around to testing the latest -current (the one dated Oct 4).
> It didn't solve the issue of the client side certificates. The browser
> seems to connect OK, asks for the certificate, but then is unable to
> continue. IE has the usual non-helpful 'cannot connect to site' and
> Mozilla has an error establishing an encrypted connection, error code
> -12195.
>
> It does seem as though this functionality is broken on Pound. When I set
> up the Apache server directly to work with client certs it worked fine
> (latest Apache + mod_ssl).
>
> What can I do to provide you with more info on this issue? I have
> nothing in the error log. Maybe I need to activate some debugging option?

Just to test - could you please try it with HTTPSHeaders 0? That would tell us 
if there is a problem with SSL itself.

Additional things to test: if you run in a root jail make sure you have the 
random devices required by OpenSSL. On failure you should see some message in 
the logs saying that the RSA keys could not be generated.

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>
2004-10-20 18:27:13
Hi,

On the same machine I have a Pound running with

HTTPSHeaders 0 "proxy: on"

The only difference in the config is

HTTPSHeaders 1 "proxy: on"

and the binding to another IP address on the machine. I tried with and 
without root jail.

Re: Config question HTTPSHeaders
Robert Segall <roseg(at)apsis.ch>
2004-10-20 18:29:23
On Wednesday 20 October 2004 18.08, Thierry Coopman wrote:
> What can I do to provide you with more info on this issue? I have
> nothing in the error log. Maybe I need to activate some debugging option?

One more thing: please make sure you have no duplicate HTTPSHeaders directive 
in the config! At least in our tests HTTPSHeaders 1 works fine without a 
client certificate with IE, Konqueror and Firefox. The symptoms you describe 
would fit HTTPSHeaders 2 when the client has no certificate.
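
Robert's two checks above (exactly one HTTPSHeaders directive in the file, and knowing which of modes 0, 1 and 2 a given config actually selects) can be scripted. The following is an added example, not Pound's own tooling and not code from anyone in the thread; it also verifies that every ListenHTTPS certificate file is readable. The function names and the constructed sample configs are assumptions.

```shell
# Added example, not Pound's own code nor from the thread: a lint for a Pound
# config file covering the checks raised above. Directive names and the 0/1/2
# meanings come from the thread; function names and sample configs are assumed.

# Count active HTTPSHeaders directives (comment lines skipped, case-insensitive).
httpsheaders_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -ci '^[[:space:]]*HTTPSHeaders[[:space:]]' || true
}
# Print the mode number of the first HTTPSHeaders directive (empty if none).
httpsheaders_mode() {
    grep -v '^[[:space:]]*#' "$1" | grep -i '^[[:space:]]*HTTPSHeaders[[:space:]]' \
        | awk '{print $2}' | head -n 1
}
# Spell out what the mode means for a client that has no certificate.
describe_mode() {
    case "$1" in
        0) echo "no client certificate requested" ;;
        1) echo "client certificate requested, connection allowed without one" ;;
        2) echo "client certificate required, connection refused without one" ;;
        *) echo "unknown mode '$1'" ;;
    esac
}
# Print every ListenHTTPS certificate path that is not a readable file.
missing_certs() {
    grep -v '^[[:space:]]*#' "$1" | awk 'tolower($1)=="listenhttps" {print $3}' \
        | while read -r cert; do [ -r "$cert" ] || echo "$cert"; done
}
# Report on one config file; returns 1 on duplicate directives or missing certs.
check_pound_config() {
    cfg=$1; status=0
    n=$(httpsheaders_count "$cfg")
    if [ "$n" -gt 1 ]; then
        echo "$cfg: $n HTTPSHeaders directives, but only one global directive is allowed"
        status=1
    elif [ "$n" -eq 1 ]; then
        mode=$(httpsheaders_mode "$cfg")
        echo "$cfg: HTTPSHeaders $mode: $(describe_mode "$mode")"
    fi
    for c in $(missing_certs "$cfg"); do
        echo "$cfg: certificate file not readable: $c"; status=1
    done
    return $status
}

# Constructed sample configs, one per Pound instance as in the workaround above.
TMP=$(mktemp -d)
echo "placeholder, not a real certificate" > "$TMP/cert2.pem"
printf 'ListenHTTPS 123.123.123.101,443 %s/cert2.pem\nHTTPSHeaders 1 "proxy: on"\n' "$TMP" > "$TMP/clientcert.cfg"
printf 'ListenHTTPS 123.123.123.102,443 %s/cert3.pem\nHTTPSHeaders 1 "proxy: on"\nHTTPSHeaders 2 "proxy: on"\n' "$TMP" > "$TMP/broken.cfg"
check_pound_config "$TMP/clientcert.cfg"
check_pound_config "$TMP/broken.cfg" || echo "broken.cfg rejected"
```

Run it once per instance's config file when, as in the two-instance workaround, the same machine carries both an HTTPSHeaders 0 and an HTTPSHeaders 1 listener.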

Re: Config question HTTPSHeaders
Thierry Coopman <thierry(at)keytradebank.com>
2004-10-20 18:38:55
Hi,

I checked: I have only one HTTPSHeaders directive. It's a separate config 
file for this specific host, since IE just always asks a user to pick a 
client cert, even if the client cert list is empty :(

Indeed, if I choose not to send a client certificate, everything goes 
fine. If I do send a certificate, the connection cannot be further 
established, as if some check would fail or so, but I didn't find anything 
in the error logs.

Also, it would be great if we could send a page off to the customer if 
there is a problem with the cert presented like the e500 directives.

RE: Config question HTTPSHeaders
"John Hansen" <john(at)oztralis.com.au>
2004-10-20 22:56:09
Try httpsheaders 0 
