Pound Mailing List Archive, 2005-03: Error Code: -12271


Error Code: -12271
Egon <listaseu(at)yahoo.es>
2005-03-30 12:52:44
Hi!

I have compiled pound 1.8 on a Red Hat Enterprise
Linux AS release 3 (Taroon Update 1).

The command to configure it:
CPPFLAGS="-DOPENSSL_NO_KRB5" ./configure --without-log --disable-daemon

make
make install

This procedure runs.

I have created a self-signed CA with openssl and a user
certificate signed with this CA. I loaded this user
certificate into Firefox 1.0.

When I try to connect to server, I get an error
message: "Could not establish an encrypted connection
because your certificate was rejected by 192.168.1.2.
Error Code: -12271"

I think that if my user certificate was signed with
the CA that pound uses... Pound must not reject it.

The web server that I am currently using is Zope with
HTTPS ON in zope.conf.

My pound.cfg is:

ListenHTTPS 192.168.1.2,443
/opt/zope/pound/nuevo/certificado.pem

User zope
Group zope
RootJail /opt/zope/pound/nuevo/jail
LogLevel 4

CAlist /opt/zope/pound/nuevo/admitidos.pem 1

HTTPSHeaders 2 ""

UrlGroup ".*"
   HeadDeny X-SSL-Subject ".*"
   HeadDeny X-SSL-Issuer ".*"
   HeadDeny X-SSL-Serial ".*"
   HeadDeny X-SSL-Cipher ".*"
   HeadDeny X-SSL-notBefore ".*"
   HeadDeny X-SSL-notAfter ".*"
   HeadDeny X-SSL-certificate ".*"
   BackEnd 192.168.1.2,8043,1
EndGroup

Thanks


Re: Error Code: -12271
Robert Segall <roseg(at)apsis.ch>
2005-03-30 19:16:32
On Wednesday 30 March 2005 12:52, Egon wrote:[...]

HTTPSHeaders 2 means Pound asks for a client certificate and refuses the 
connection if no certificate is presented!

I suggest you check your browser to make sure it does send a certificate. As a 
second step try removing the CAlist directive to make sure you did not send 
the wrong CA certificate to the browser, which would prevent it from replying 
with a certificate. Thirdly, try running with HTTPSHeaders 3 and look at the 
client certificate headers as seen by Zope - this should give you a good idea 
about what is going wrong.

Don't put too much trust in the browser error messages - quite often they are 
misleading...[...]

Re: Error Code: -12271
Egon <listaseu(at)yahoo.es>
2005-03-31 13:03:55
--- Robert Segall <roseg(at)apsis.ch> wrote:[...]

I used HTTPSHeaders 3 and Zope can see the certificate
that I signed with the self-signed CA that Pound uses.

I use HTTPSHeaders 2 in order to accept the
certificates that I want to permit by CAlist.

I think that this problem can be a certificate
problem.

I have this configuration for certificates, please tell
me what can be wrong:

In ListenHTTPS, the pem certificate is a concatenation
of PRIVATE_KEY+CERTIFICATE.
This certificate was created with the command
specified on Pound's web site ( -nodes and no password ).
This file was built with the following commands:
cat privateKey.pem > certificatePound.pem
cat cert.pem >> certificatePound.pem

In CAlist, the file is a concatenation of CERTIFICATES
in pem format that I want to allow.
This file was built with the following commands:
cat cert.pem > cas.pem
cat cert1.pem >> cas.pem
[...]

When I change HTTPSHeader 3 to 2, the connection is
rejected.

What is the length of the user private key ?

The length of the user private key that I use is 1024,
the same length as the pound private key.

Must it be the same length ?

Thanks.


Re: Error Code: -12271
Robert Segall <roseg(at)apsis.ch>
2005-03-31 19:34:04
On Thursday 31 March 2005 13:03, Egon wrote:[...]

Good - that means the basic mechanism works.
[...]

So far so good.
[...]

That's the problem: you need to put in CAlist the certificate(s) used to SIGN 
the client certificates - a.k.a. the CA certificate!
[...]

Of course. By defining a CAlist you are effectively telling your client 
"identify yourself with a certificate signed by one of these authorities, as 
this -and only this - is what I'll be checking against".
[...]

That has nothing to do with all of the above - just about any length you use 
would be OK.[...]
