
Re: Error Code: -12271
Egon <listaseu(at)yahoo.es>
2005-04-01 13:36:39 [ FULL ]
--- Robert Segall <roseg(at)apsis.ch> wrote:
[...]
In CAlist, I put the Pound certificate with:
cat certPound.pem > calist.pem

This certificate is the one contained in the calist, and I was always
including this certificate in the calist.

The error has changed to -12195 when HTTPSHeaders is set to 2; when it is
set to 3, pound works.

With HTTPSHeaders set to 0, Pound works, but I want the SSL support.

I don't know what to do. I have recreated the pound and the user
certificates several times, and pound does not work :(.

I tried to remove the CAlist parameter from pound.cfg
leaving HTTPSHeaders set to 2. In this case, error
-12195 continues.

Thanks.


Re: Error Code: -12271 on Pound 1.8.3
Urien Ronan <ronan.urien(at)wanadoo.fr>
2005-04-28 10:05:34 [ FULL ]
Hello,

I have the same problem: error 12271

Did you find a solution?

I use : HTTPSHeaders 2 ''
pound 1.8.3
IE 5 & 6 & Firefox : it's the same

I made one self-signed certificate with the command:
openssl req -x509 -newkey rsa:1024 -keyout test.pem -out test.pem -days 365 -nodes

I use CAlist with a concatenation of self-signed certificates in PEM format.

I see the HTTP_X_SSL headers with HTTPSHeaders 3 '',

but with HTTPSHeaders 2 '' I have SSL error 12271.

Thanks

Robert Segall wrote:
[...]

Re: Error Code: -12271 on Pound 1.8.3
Urien Ronan <ronan.urien(at)wanadoo.fr>
2005-04-28 11:32:42 [ FULL ]
After fixing a log problem in pound we can now see this line when the
client tries to connect in SSL v3:
28/Apr/2005 12:03:27 +0200: BIO_do_handshake with 192.168.1.35 failed: error:140890B2:SSLroutines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

An SSL error which shows that the client certificate is never received.

Thanks a lot for helping us

Urien Ronan wrote:
[...]
>>> that I signed with the CA self-signed that uses Pound.
>>> [...]
>>> certificates that I want to permit by CAlist.
>>>
>>> I think that this problem can be a certificate
>>> problem.
>>>
>>> I have this configuration for certificates, please tell
>>> me what can be wrong:
>>>
>>> In ListenHTTPS, the pem certificate is a concatenation
>>> of PRIVATE_KEY+CERTIFICATE.
>>> This certificate was created with the command
>>> specified on Pound's web page ( -nodes and no password ).
>>> This file was built with the following commands:
>>> cat privateKey.pem > certificatePound.pem
>>> cat cert.pem >> certificatePound.pem
>>> [...]
>>> in pem format that I want to allow.
>>> This file was built with the following commands:
>>> cat cert.pem > cas.pem
>>> cat cert1.pem >> cas.pem
>>> [...]
>>> rejected.
>>> [...]
>>>
>>> The length of the user private key that I use is 1024,
>>> the same length as the pound private key.
>>>
>>> Must it be the same length?
>>> [...]

Re: Error Code: -12271 on Pound 1.8.3
Robert Segall <roseg(at)apsis.ch>
2005-04-28 13:08:21 [ FULL ]
On Thu, 28 Apr 2005 11:32:42 +0200 Urien Ronan <ronan.urien(at)wanadoo.fr> wrote:
[...]

Of course not. To quote from a previous post: "you need to put in CAlist
the certificate(s) used to SIGN client certificates - a.k.a. the CA
certificate!". This part seems to have been missed by several readers
here.

The CAlist is a list of Certificate Authorities. Basically you are
telling the client browser "I am willing to accept certificates issued
by one of the following Authorities". Putting there the CLIENT
certificates just about guarantees no certificate will ever be returned
by the browser.

I hope this helps a bit - if not you may want to again read the OpenSSL
documentation a bit, in particular the man page for the
SSL_CTX_set_client_CA_list(3) family of functions.
[...]
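The distinction Robert draws above (CAlist holds the certificate that signed the client certificates, not the client certificates themselves) can be checked offline with openssl before touching pound.cfg. This is an added example, not code from the thread or from the Pound project; it assumes the openssl command-line tool is installed and uses made-up subject names:

```shell
#!/bin/sh
# Added example: build a tiny CA, issue one client certificate from it, and
# show which file is a usable CAlist entry. Assumes the openssl CLI exists;
# the subject names are constructed for this demonstration.

calist_demo() {
    work=$(mktemp -d) || return 1

    # 1. The CA that SIGNS client certificates: this is what CAlist must hold.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Client CA" \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1 || return 1

    # 2. A client key and CSR, signed by that CA (so NOT self-signed).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$work/client.key" -out "$work/client.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 365 -in "$work/client.csr" \
        -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
        -out "$work/client.pem" >/dev/null 2>&1 || return 1

    # 3. Correct CAlist content: the CA certificate. The client cert chains to it.
    good=0
    openssl verify -CAfile "$work/ca.pem" "$work/client.pem" >/dev/null 2>&1 || good=$?

    # 4. The mistake from the thread: the client certificate used as CAlist.
    #    Its issuer is not in the list, so verification fails (no partial chain).
    bad=0
    openssl verify -CAfile "$work/client.pem" "$work/client.pem" >/dev/null 2>&1 || bad=$?

    rm -rf "$work"
    # Succeeds only if the CA file validates the client and the client file does not.
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

calist_demo && echo "CAlist check passed: CA cert validates the client, client cert does not"
```

The same check applies to a real deployment: every file concatenated into the CAlist PEM should be a certificate that verifies the client certificates, never a client certificate.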

Re: Error Code: -12271 on Pound 1.8.3
Urien Ronan <ronan.urien(at)wanadoo.fr>
2005-04-28 15:03:42 [ FULL ]
Thanks a lot for your response,

We understood the mechanism of CAlist well, and we had obviously put
our certification authority's certificates inside (the certificate(s)
used to SIGN client certificates). But the problem seems to come from
the behavior of openssl and libssl: indeed, with the 0.9.7e versions of
openssl and libssl we had the error:

28/Apr/2005 12:03:27 +0200: BIO_do_handshake with 192.168.1.35 failed: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Now, with the 0.9.6c and 0.9.6e versions, we no longer have this
problem, and the client certificates are accepted and validated by the
certification authority's certificates. We are looking for the
differences between these two versions in order to understand.

Thank you very much.


Robert Segall wrote:
[...]