Zope / Apsis / Pound Mailing List / Archive / 2005 / 2005-03 / Error Code: -12271
Error Code: -12271
Egon <listaseu(at)yahoo.es>, 2005-03-30 12:52:44
Hi!
I have compiled pound 1.8 on a Red Hat Enterprise
Linux AS release 3 (Taroon Update 1).
The command to configure it:
CPPFLAGS="-DOPENSSL_NO_KRB5" ./configure --without-log
--disable-daemon
make
make install
This procedure runs.
I have created a self-signed CA with openssl and a user
certificate signed with this CA. I loaded this user
certificate into firefox 1.0.
When I try to connect to the server, I get an error
message: "Could not establish an encrypted connection
because your certificate was rejected by 192.168.1.2.
Error Code: -12271"
I think that if my user certificate was signed with
the CA that pound uses... Pound must not reject it.
The web server that I am currently using is Zope with
HTTPS ON in zope.conf.
My pound.cfg is:
ListenHTTPS 192.168.1.2,443 /opt/zope/pound/nuevo/certificado.pem
User zope
Group zope
RootJail /opt/zope/pound/nuevo/jail
LogLevel 4
CAlist /opt/zope/pound/nuevo/admitidos.pem 1
HTTPSHeaders 2 ""
UrlGroup ".*"
HeadDeny X-SSL-Subject ".*"
HeadDeny X-SSL-Issuer ".*"
HeadDeny X-SSL-Serial ".*"
HeadDeny X-SSL-Cipher ".*"
HeadDeny X-SSL-notBefore ".*"
HeadDeny X-SSL-notAfter ".*"
HeadDeny X-SSL-certificate ".*"
BackEnd 192.168.1.2,8043,1
EndGroup
Thanks
Re: Error Code: -12271
Robert Segall <roseg(at)apsis.ch>, 2005-03-30 19:16:32
On Wednesday 30 March 2005 12:52, Egon wrote:
> Hi!
>
> I have compiled pound 1.8 in a Red Hat Enterprise
> Linux AS release 3 (Taroon Update 1).
>
> The command to configure it:
> CPPFLAGS="-DOPENSSL_NO_KRB5" ./configure --without-log
> --disable-daemon
>
> make
> make install
>
> This procedure runs.
>
> I have done a CA selfsigned with openssl and a user
> certificate signed with this CA. I loaded this user
> certificate into firefox 1.0.
>
> When I try to connect to server, I get an error
> message: "Could not establish an encrypted connection
> because your certificate was rejected by 192.168.1.2.
> Error Code: -12271"
>
> I think that if my user certificate was signed with
> the CA that pound uses... Pound must not reject it.
>
> The web server that I am currently using is Zope with
> HTTPS ON in zope.conf.
>
> My pound.cfg is:
>
> ListenHTTPS 192.168.1.2,443
> /opt/zope/pound/nuevo/certificado.pem
>
> User zope
> Group zope
> RootJail /opt/zope/pound/nuevo/jail
> LogLevel 4
>
> CAlist /opt/zope/pound/nuevo/admitidos.pem 1
>
> HTTPSHeaders 2 ""
>
> UrlGroup ".*"
> HeadDeny X-SSL-Subject ".*"
> HeadDeny X-SSL-Issuer ".*"
> HeadDeny X-SSL-Serial ".*"
> HeadDeny X-SSL-Cipher ".*"
> HeadDeny X-SSL-notBefore ".*"
> HeadDeny X-SSL-notAfter ".*"
> HeadDeny X-SSL-certificate ".*"
> BackEnd 192.168.1.2,8043,1
> EndGroup
>
> Thanks
HTTPSHeaders 2 means Pound asks for a client certificate and refuses the
connection if no certificate is presented!
I suggest you check your browser to make sure it does send a certificate. As a
second step try removing the CAlist directive to make sure you did not send
the wrong CA certificate to the browser, which would prevent it from replying
with a certificate. Thirdly, try running with HTTPSHeaders 3 and look at the
client certificate headers as seen by Zope - this should give you a good idea
about what is going wrong.
Don't put too much trust in the browser error messages - quite often they are
misleading...
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
Re: Error Code: -12271
Egon <listaseu(at)yahoo.es>, 2005-03-31 13:03:55
--- Robert Segall <roseg(at)apsis.ch> wrote:
> On Wednesday 30 March 2005 12:52, Egon wrote:
> > [...]
> > I have done a CA selfsigned with openssl and a
> user
> > certificate signed with this CA. I loaded this
> user
> > certificate into firefox 1.0.
> >
> > When I try to connect to server, I get an error
> > message: "Could not establish an encrypted
> connection
> > because your certificate was rejected by
> 192.168.1.2.
> > Error Code: -12271"
> > [...]
> >
> > Thanks
>
> HTTPSHeaders 2 means Pound asks for a client
> certificate and refuses the
> connection if no certificate is presented!
>
> I suggest you check your browser to make sure it
> does send a certificate. As a
> second step try removing the CAlist directive to
> make sure you did not send
> the wrong CA certificate to the browser, which would
> prevent it from replying
> with a certificate. Thirdly, try running with
> HTTPSHeaders 3 and look at the
> client certificate headers as seen by Zope - this
> should give you a good idea
> about what is going wrong.
>
> Don't put too much trust in the browser error
> messages - quite often they are
> misleading...
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-44-920 4904
>
I used HTTPSHeaders 3 and Zope can see the certificate
that I signed with the self-signed CA that Pound uses.
I use HTTPSHeaders 2 in order to accept the
certificates that I want to permit by CAlist.
I think that this problem can be a certificate
problem.
I have this configuration for certificates; please tell
me what can be wrong:
In ListenHTTPS, the pem certificate is a concatenation
of PRIVATE_KEY+CERTIFICATE.
This certificate was created with the command
specified on Pound's web site (-nodes and no password).
This file was built with the following commands:
cat privateKey.pem > certificatePound.pem
cat cert.pem >> certificatePound.pem
In CAlist, the file is a concatenation of CERTIFICATES
in pem format that I want to allow.
This file was built with the following commands:
cat cert.pem > cas.pem
cat cert1.pem >> cas.pem
[...]
When I change HTTPSHeaders 3 to 2, the connection is
rejected.
What is the length of the user private key?
The length of the user private key that I use is 1024,
the same length as the pound private key.
Must it be the same length?
Thanks.
Re: Error Code: -12271
Robert Segall <roseg(at)apsis.ch>, 2005-03-31 19:34:04
On Thursday 31 March 2005 13:03, Egon wrote:
> I used HTTPSHeaders 3 and Zope can see the certificate
> that I signed with the CA selfsigned that uses Pound.
Good - that means the basic mechanism works.
> I use HTTPSHeaders 2 in order to accept the
> certificates that I want to permit by CAlist.
>
> I think that this problem can be a certificate
> problem.
>
> I have this configuration to certificates, please tell
> me what can be wrong:
>
> In ListenHTTPS, the pem certificate is a concatenation
> of PRIVATE_KEY+CERTIFICATE.
> This certificate was created with the command
> specified on Pound's web site (-nodes and no password).
> This file was built with the next commands:
> cat privateKey.pem > certificatePound.pem
> cat cert.pem >> certificatePound.pem
So far so good.
> In CAlist, the file is a concatenation of CERTIFICATES
> in pem format that I want to allow.
> This file was built with the next commands:
> cat cert.pem > cas.pem
> cat cert1.pem >> cas.pem
> [...]
That's the problem: you need to put in CAlist the certificate(s) used to SIGN
the client certificates - a.k.a. the CA certificate!
> When I change HTTPSHeader 3 to 2, the connection is
> rejected.
Of course. By defining a CAlist you are effectively telling your client
"identify yourself with a certificate signed by one of these authorities, as
this - and only this - is what I'll be checking against".
> What is the length of the user private key?
>
> The length of the user private key that I use is 1024,
> the same length as the pound private key.
>
> Must it be the same length?
That has nothing to do with all of the above - just about any length you use
would be OK.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-44-920 4904
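Added example, not from the thread or from the Pound project: a POSIX shell script that rebuilds the two CAlist variants discussed above (Egon's `cat cert.pem > cas.pem` file of end-entity certificates, and the signing CA certificate Robert asks for) on a throwaway self-signed PKI and checks each with `openssl verify`, which reproduces the "signed by one of these authorities" check Robert describes. Everything in it is constructed for the demo: the `demo.cnf` it writes, the file names (`ca.pem`, `client.pem`, `cas-wrong.pem`, `cas-right.pem`) and the subject names; it assumes only an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from Pound: reproduce the two CAlist
# files discussed above on a throwaway PKI and check each one with openssl.
# All file names, subjects and the config below are constructed for the demo.

# Write a minimal openssl config so the demo does not depend on the system
# openssl.cnf. CA:TRUE on the CA certificate is what lets it anchor a chain.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no

[ dn ]
CN = Demo Internal CA

[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF
}

# Build a self-signed CA and one client certificate signed by it, in DIR.
make_test_pki() {
    dir="$1"
    write_openssl_cnf "$dir/demo.cnf"
    # self-signed CA (the equivalent of Egon's "CA selfsigned with openssl")
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # client key and CSR, then sign the CSR with the CA
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=egon" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/client.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.pem" 2>/dev/null
}

# Return 0 if CERTFILE chains to a CA listed in CALIST, non-zero otherwise.
# Pound hands the CAlist file to OpenSSL as the trust store for client
# certificates, so this is the same path validation that decides the handshake.
calist_accepts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Compare the two ways of building the CAlist file. Returns 0 when the list of
# client certificates rejects the client and the list holding the CA accepts it.
demo() {
    dir=$(mktemp -d) || return 1
    make_test_pki "$dir"
    # Egon's build: the end-entity certificates themselves
    cat "$dir/client.pem" > "$dir/cas-wrong.pem"
    # Robert's fix: the certificate of the CA that signed them
    cat "$dir/ca.pem" > "$dir/cas-right.pem"

    wrong=rejected; calist_accepts "$dir/cas-wrong.pem" "$dir/client.pem" && wrong=accepted
    right=rejected; calist_accepts "$dir/cas-right.pem" "$dir/client.pem" && right=accepted
    rm -rf "$dir"

    echo "CAlist = client certs: $wrong"
    echo "CAlist = CA cert:      $right"
    [ "$wrong" = rejected ] && [ "$right" = accepted ]
}

# Run the comparison when this file is executed directly.
command -v openssl >/dev/null 2>&1 && demo
```

The same `openssl verify -CAfile admitidos.pem user-cert.pem` check can be run offline against the real CAlist file before restarting Pound: if it does not print `OK`, the handshake will be refused under HTTPSHeaders 2 no matter what the browser reports.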