error on upgrade
Brook Stevens <bstevens(at)Cleanwise.com> |
2004-10-08 03:21:57 |
|
I am upgrading from a pound-current circa April-ish, I had it working with
ssl, but now on startup I get the following error:
Oct 7 21:41:02 mouse pound: [ID 702911 daemon.notice] starting...
Oct 7 21:41:02 mouse pound: [ID 702911 daemon.error] RSA_generate(0, 512) failed
Oct 7 21:41:02 mouse pound: [ID 702911 daemon.error] SSL_CTX_use_certificate_chain_file failed - aborted
The only reference in the archives I see says my pem file is formatted
incorrectly, but the only thing that has changed is the new pound...what am
I missing?
|
|
|
Re: error on upgrade
Robert Segall <roseg(at)apsis.ch> |
2004-10-08 15:05:07 |
|
On Friday 08 October 2004 03.21, Brook Stevens wrote:[...]
The failure of RSA_generate is bad news. Most likely you run (link) with a
bad/wrong OpenSSL or you use a root jail and have not created the necessary
devices.
I am not aware of any other changes in this area over the last few months, so
I am inclined to suspect that your setup is not an exact copy of the old
one.[...]
|
|
|
RE: error on upgrade
Brook Stevens <bstevens(at)Cleanwise.com> |
2004-10-08 17:05:32 |
|
Something certainly could have changed in the openSSL since I compiled the
first time, but not since it was working (if that makes sense). We had been
running pound since April without ssl, then we decided to set up ssl and so I
generated the certificate, got it all set up and ran into the
http://ourdomain:443/ redirect problem. Scanning the mail list this
appeared to be fixed in later version, so I upgraded, and upon installing on
the same machine I used to generate the certificate and I had running before
on the older version this error appeared in the logs. So I am pretty sure
nothing has changed, certainly nothing in the config file or certificate.
Should I be looking at config problems, or compile problems? I get lots of
"warning: function declaration isn't a prototype" during make, but
everything seems okay, and it is running fine for non-ssl connections, I
just can't get it to start up with the listenHTTPS directive.
-Brook
[...]
|
|
|
RE: error on upgrade
Brook Stevens <bstevens(at)Cleanwise.com> |
2004-10-08 22:40:34 |
|
Ok, problem turned out to be the /dev/urandom was not installed...don't know
why it worked the first time but all is well, but thanks for the help. Now
however even after upgrading I still am getting redirect of
http://ourdomain:443/ I thought that pound took care of this and would
rewrite that as https://ourdomain/ ... is there something else I have to
configure, or is this simply outside the purview of pound?
-Brook
[...]
|
|
|
Re: error on upgrade
Robert Segall <roseg(at)apsis.ch> |
2004-10-11 13:58:18 |
|
On Friday 08 October 2004 17.05, Brook Stevens wrote:[...]
The compilation warnings are very often an indication that some header files
and/or libraries are missing - the usual suspects are kerberos and similar
dependencies. Please check this carefully.
As to the redirect problems (also on WebDAV in your other post): your web
server clearly replies with a redirect (301 in your example) which for some
reason is not caught by Pound. A good trace of the request/reply would be
useful - something like tcpwatch between Pound and the back-end would come in
handy. The redirect rewriting code has been slightly modified in the latest
versions.[...]
|
|
|
RE: error on upgrade
Brook Stevens <bstevens(at)Cleanwise.com> |
2004-10-14 01:43:00 |
|
Here is the output from snoop (this is Solaris if that helps). I think
there is some junk in there. But the redirect is being sent as a 302 I
think.
remote_addr -> neo.cleanwise.com HTTPS C port=1634
remote_addr -> neo.cleanwise.com HTTPS C port=1644
remote_addr -> neo.cleanwise.com HTTPS C port=1644
remote_addr -> neo.cleanwise.com HTTPS C port=1644
remote_addr -> neo.cleanwise.com HTTPS C port=1644
remote_addr -> neo.cleanwise.com HTTPS C port=1644
192.168.2.165 -> neo.cleanwise.com HTTP (proxy) R port=52679
192.168.2.165 -> neo.cleanwise.com HTTP (proxy) R port=52679
192.168.2.165 -> neo.cleanwise.com HTTP HTTP/1.1 302 Moved Temporarily
192.168.2.165 -> neo.cleanwise.com HTTP (body)
192.168.2.173 -> neo.cleanwise.com DNS R Error: 3(Name Error)
192.168.2.173 -> neo.cleanwise.com DNS R Error: 3(Name Error)
remote_addr -> neo.cleanwise.com HTTPS C port=1644
192.168.2.173 -> neo.cleanwise.com DNS R Error: 3(Name Error)
192.168.2.165 -> neo.cleanwise.com HTTP HTTP/1.1 200 OK
192.168.2.165 -> neo.cleanwise.com HTTP (body)
192.168.2.165 -> neo.cleanwise.com HTTP (body)
192.168.2.165 -> neo.cleanwise.com HTTP src="../en/images/cw_logintopright.gif" WIDTH="7" HEIGHT="1"></td>
192.168.2.165 -> neo.cleanwise.com HTTP <tr>
192.168.2.165 -> neo.cleanwise.com HTTP (body)
192.168.2.165 -> neo.cleanwise.com HTTP (body)
192.168.2.173 -> neo.cleanwise.com DNS R 169.206.61.24.in-addr.arpa. Internet PTR remote_addr.
remote_addr -> neo.cleanwise.com HTTPS C port=1644
remote_addr -> neo.cleanwise.com HTTPS C port=1644
192.168.2.165 -> neo.cleanwise.com HTTP (body)
192.168.2.173 -> neo.cleanwise.com DNS R remote_addr. Internet Addr 24.61.206.169
192.168.2.173 -> neo.cleanwise.com DNS R Error: 3(Name Error)
remote_addr -> neo.cleanwise.com HTTPS C port=1644
remote_addr -> neo.cleanwise.com HTTPS C port=1644
remote_addr -> neo.cleanwise.com HTTPS C port=1644
192.168.2.165 -> neo.cleanwise.com HTTP HTTP/1.1 304 Not Modified
remote_addr -> neo.cleanwise.com HTTPS C port=1644
192.168.2.165 -> neo.cleanwise.com HTTP HTTP/1.1 304 Not Modified
remote_addr -> neo.cleanwise.com HTTPS C port=1644
192.168.2.165 -> neo.cleanwise.com HTTP HTTP/1.1 304 Not Modified
remote_addr -> neo.cleanwise.com HTTPS C port=1645
remote_addr -> neo.cleanwise.com HTTPS C port=1646
remote_addr -> neo.cleanwise.com HTTPS C port=1647
remote_addr -> neo.cleanwise.com HTTPS C port=1645
[...]
|
|
|
Re: error on upgrade
Robert Segall <roseg(at)apsis.ch> |
2004-10-14 14:30:38 |
|
On Thursday 14 October 2004 01.43, Brook Stevens wrote:[...]
It doesn't. Unless we can see the (detailed) headers at least we can't really
say much. Your list also seems to have no relation to the original post -
which showed 301 rather than 302. You also give us no idea what (if anything)
went wrong, and where in the log.[...]
|
|
|
RE: error on upgrade
Brook Stevens <bstevens(at)Cleanwise.com> |
2004-10-14 16:22:29 |
|
Sorry I read tcpdump, not tcpwatch. I am not sure when I referred to a 301,
but I may have misled you. Also I am not doing anything with WebDAV, just
http. Here is the output from TCPWatch.
[00:00.000 - client 192.168.1.55:42687 forwarded to bstevens:8080]
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461; .NET CLR 1.1.4322)
Host: store.cleanwise.com:443
Connection: Keep-Alive
X-SSL-cipher: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
X-Forwarded-For: 192.168.1.137
[00:00.010 - server connected]
HTTP/1.1 302 Moved Temporarily
Date: Thu, 14 Oct 2004 14:15:58 GMT
Server: Jetty/3.1.5 (Windows 2000 5.0 x86)
Servlet-Engine: Jetty/3.1 (JSP 1.1; Servlet 2.2; java 1.4.0_02)
Content-Type: text/html;charset=8859_1
Set-Cookie: jsessionid=18rt276mm;Path=/cleanwise
Set-Cookie2: jsessionid=18rt276mm;Version=1;Path=/cleanwise;Discard
Location: http://store.cleanwise.com:443/cleanwise/userportal/logon.do
Transfer-Encoding: chunked
[...]
|
|
|
Re: error on upgrade
Robert Segall <roseg(at)apsis.ch> |
2004-10-14 17:26:26 |
|
On Thursday 14 October 2004 16.22, Brook Stevens wrote:[...]
I'm a bit confused: what exactly do you expect Pound to do about it? Your
back-end replies with a redirect to http://store.cleanwise.com:443, which is
probably not something Pound knows about, so the Location header is not
modified.
It would be modified if either the back-end would redirect to
http://bstevens:8080 (which I assume is your back-end) or if
http://store.cleanwise.com would resolve to the address Pound is listening on
(which, based on your previous post, it probably doesn't - see the DNS
failures).
I suggest you look at your name resolution setup - fix that and you should be
OK.[...]
|
|
|
RE: error on upgrade
Brook Stevens <bstevens(at)Cleanwise.com> |
2004-10-15 02:02:46 |
|
Ahhh, okay I got it. Interestingly enough that after having this setup
correctly the issue didn't go away, however changing:
ListenHTTPS 0.0.0.0,443 <path to pem>
to
ListenHTTPS <actual machine ip>,443 <path to pem>
solved my problem. Thanks for the help.
[...]
|
|
|
Re: error on upgrade
Robert Segall <roseg(at)apsis.ch> |
2004-10-15 08:54:07 |
|
On Friday 15 October 2004 02.02, Brook Stevens wrote:[...]
Glad to hear it works now.
Listening on 0.0.0.0 is a problem: I just don't know a portable way to find
out what the real addresses are, thus the comparison fails. Maybe someone
could contribute a code snippet here (wink, wink, nudge, nudge). Until that
happens please use explicit addresses if you need the redirection code.[...]
|
|
|
|
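One way to make the comparison work for a 0.0.0.0 listener, as an added example that is not Pound source code and not from any poster in this thread: when the listener is the wildcard, the address the Location host resolves to is checked against the local interface addresses returned by getifaddrs(). All function names are hypothetical, the code is IPv4 only, and getifaddrs() is not POSIX (it exists on Linux, the BSDs and macOS).

```c
#include <arpa/inet.h>
#include <ifaddrs.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Returns 1 if IPv4 address `a` is configured on any local interface. */
int addr_is_local(struct in_addr a)
{
    struct ifaddrs *list, *p;
    int found = 0;
    if (getifaddrs(&list) != 0)
        return 0;
    for (p = list; p != NULL && !found; p = p->ifa_next)
        if (p->ifa_addr != NULL && p->ifa_addr->sa_family == AF_INET)
            found = ((struct sockaddr_in *)p->ifa_addr)->sin_addr.s_addr == a.s_addr;
    freeifaddrs(list);
    return found;
}

/* A wildcard listener owns every local address, an explicit one only its own. */
int target_is_listener(struct in_addr listener, struct in_addr target)
{
    if (listener.s_addr == htonl(INADDR_ANY))
        return addr_is_local(target);
    return listener.s_addr == target.s_addr;
}

/* Resolve the Location host; 1 if any of its IPv4 addresses belongs to the
 * listener given as dotted-quad `listen_ip` (hypothetical helper). */
int location_host_is_ours(const char *listen_ip, const char *host)
{
    struct addrinfo hints = { .ai_family = AF_INET }, *res, *r;
    struct in_addr listener;
    int ours = 0;
    if (inet_pton(AF_INET, listen_ip, &listener) != 1)
        return 0;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0; /* unresolvable host: not ours, Location stays untouched */
    for (r = res; r != NULL; r = r->ai_next)
        ours |= target_is_listener(listener, ((struct sockaddr_in *)r->ai_addr)->sin_addr);
    freeaddrinfo(res);
    return ours;
}

int main(int argc, char **argv)
{
    return argc == 3 ? !location_host_is_ours(argv[1], argv[2]) : 2;
}
```

Run as `./a.out <listen address> <Location host>`; exit status 0 means the redirect target maps to the listener and is a candidate for rewriting.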