Introduction and First Questions
"Chris Willis" <chris(at)castellan.net> |
2005-08-05 18:00:35 |
|
Hello,
I am an IT consultant in LA, and we are starting to use opensource
products to replace dedicated appliances for our customers.
I have the following setup I would like help with:
2 Windows 2000 Servers, running IIS 5 and Commerce Server 2000, Verisign
Certificates
1 Dell P4 Workstation running OpenBSD 3.7
I have installed Pound 1.9 on the BSD box, which seems to work fine for
HTTP traffic. However, HTTPS isn't functional at all.
Question 1: what commands do I need to use to get openssl to generate a
CSR that Verisign will accept, so I can get a certificate in .PEM format
(I guess) from Verisign that will work with Pound and my 2 backend
servers?
Question 2: what directives are needed (other than below) to allow IE 5
and IE6 clients to smoothly and consistently access the 2 back end web
servers to place orders, using both HTTP and HTTPS?
Here is my pound.cfg file so far:
ListenHTTP 12.145.154.100,80
ListenHTTPS 12.145.154.100,443 /etc/test.pem
UrlGroup ".*"
BackEnd 192.168.3.2,80,1
BackEnd 192.168.3.6,80,1
BackEnd 192.168.3.2,443,1
BackEnd 192.168.3.6,443,1
EndGroup
Chris Willis
Director of Technology & Services
Castellan Inc. - Microsoft GOLD Certified Partner
818-789-0088 x203
www.castellan.net
|
|
|
Re: [Pound Mailing List] Introduction and First Questions
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> |
2005-08-05 18:39:55 |
|
> Hello,[...]
I guess you already have certificates which have been used on your
backends, what's wrong with them? You should be able to use them on Pound
now.
[...]
First, try this for borked IE's
ListenHTTPS 12.145.154.100,443 /etc/test.pem
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
[...]
Try this (you don't talk SSL to the backend anymore):
UrlGroup ".*"
BackEnd 192.168.3.2,80,1
BackEnd 192.168.3.6,80,1
EndGroup
[...]
|
|
|
RE: [Pound Mailing List] Introduction and First Questions
"Chris Willis" <chris(at)castellan.net> |
2005-08-05 19:06:46 |
|
Meaning I can just take the .CRT file and use it with Pound? I am not
familiar with openssl yet - how would that work exactly? Just copy the
file over to the BSD box and use a directive like
ListenHTTPS 12.145.154.100,443 /etc/verisign1.crt
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
|
|
|
RE: [Pound Mailing List] Introduction and First Questions
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> |
2005-08-05 19:33:19 |
|
> Meaning I can just take the .CRT file and use it with Pound? I am not[...]
I'm far from an expert here but I think you can simply concatenate the
.key and .crt file into the .pem file. In my case .pem looks like this:
-----BEGIN RSA PRIVATE KEY-----
ZkvAoqRFq/vZJ1Cyq41EQi6WS6VPyucqGoyuw3Dx4yc7qBEahcBoM0WK0MlJn5yc
KpoHqEfBMpKmOsPuQw/RAkBFjb5I2To60Fc1nd5fB6Hxq1JO48XanBi5JjHISwAy
...
...
KpoHqEfBMpKmOsPuQw/RAkBFjb5I2To60Fc1nd5fB6Hxq1JO48XanBi5JjHISwAy
0SkQaxKZtShHNPM25ulEJDcZFMPTs7ZdnQuXvePSHhYJ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
aXQxHjAcBgNVBAMTFWxvY2FsaG9zdC5sb2NhbGRvbWFpbjEpMCcGCSqGSIb3DQEJ
ARYacm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4wHhcNMDQwNDA5MjAyMTA3WhcN
...
...
bu/5CfpKt5ACEBhWXKky097FOlcGSJMrw1b8LmVPW558g3NBFfv7KLqe0ZYFT5Gr
rj5BvgKiN/WpT0F64QoZ4YAWM1s+ABxUoDqV/nKJuZQ=
-----END CERTIFICATE-----
|
|
|
RE: [Pound Mailing List] Introduction and First Questions
"Nicholas, Marc" <MNicholas(at)firstassociates.com> |
2005-08-05 19:41:11 |
|
I believe you need to make sure the key isn't password protected, too.
-marc
---
Marc Nicholas - First Associates Investments Inc.
Senior Manager, Application Services
Technology Group - 26 Wellington St. E., Suite 300, Toronto ON M5A 2S1
V.416.864.3557 C.416.627.6471 E.mnicholas(at)firstassociates.com
|
|
|
RE: [Pound Mailing List] Introduction and First Questions
"Chris Willis" <chris(at)castellan.net> |
2005-08-10 20:27:21 |
|
Still not working. I used some googled directions (included below) to
export my IIS certificate into a .pkr file that I was able to manipulate
with openssl.
My system is OpenBSD 3.7, Pound 1.9, and the 2 backend servers in the
pound.cfg file are both IIS 5 & Windows 2000.
Here is the output:
-bash-3.00# pound -v -f /etc/pound.cfg
SSL_CTX_use_PrivateKey_file failed - aborted
-bash-3.00#
Here is the pound.cfg:
ListenHTTP 12.145.154.100,80
ListenHTTPS 12.145.154.100,443 /etc/spectrumchemicals_pound.pem
UrlGroup ".*"
BackEnd 192.168.3.2,80,1
BackEnd 192.168.3.6,80,1
BackEnd 192.168.3.2,443,1
BackEnd 192.168.3.6,443,1
EndGroup
And here is the .pem file:
-----BEGIN RSA PRIVATE KEY-----
AEgG4m1mlqZxvvo49K11MsB5l2b0cABstvmLdg91z1wn4fZIEDnbNp0tbam5SfYb
TKtrqvp+DQUQhG1UbmSX9aFTGkiOO79Lx1C+lJ9eglrwNReMApcff/g9L9ZvAIJf
{snip}
gjs+qrIfbuUj0Zt9aavgf51b9CeAQ7Vx0uvLSh+IRH8vlTmzwgCfvav+XKgLVa6j
Gds6TSv3T/i6fnNQEv47fUoL00EIvQf4yEZ7qhfLBpU=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIENDCCA6GgAwIBAgIQPS4U5uL/c8D81FWqi/L9XjANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEgMB4GA1UEChMXUlNBIERhdGEgU2VjdXJpdHksIEluYy4x
{snip}
JQP9GrRPRg+5gqEqFuUPaGUasNdJBPiFjhWs18oto0wTmDXhqIVDv864lvkpTAly
/VJ+zKiL3nU8tSlC583LDyaBijIi1OzD9eWHEVkfZlTgxQ/slJqKf5GvwTGIHaei
614QeYXpsNo6oisyt9h3AM3G3fO3NWO3
-----END CERTIFICATE-----
Finally, here are the instructions I followed to get the cert & key
files that I combined into one .PEM file for pound:
First Export your IIS certificate into a pfx file (this is something you
should do anyways for backup)
* Run mmc.exe
* Click the 'Console' menu and then click 'Add/Remove Snap-in'.
* Click the 'Add' button and then choose the 'certificates' snap-in
and click on 'Add'.
* Select 'Computer Account' then click 'Next'.
* Select 'Local Computer' and then click 'OK'.
* Click 'Close' and then click 'OK'.
* Expand the menu for 'Certificates' and click on the 'Personal'
folder.
* Right click on the certificate that you want to export and select
'All tasks' -> 'Export'.
* A wizard will appear. Make sure you check the box to include the
private key and continue through with this wizard until you have a .PFX
file.
Next run openssl to extract the private key, and the cert file.
# Export the private key file from the pfx file
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
# Export the certificate file from the pfx file
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
# This removes the passphrase from the private key so Apache won't
# prompt you for your passphrase when it starts
openssl rsa -in key.pem -out server.key
|
|
|
RE: [Pound Mailing List] Introduction and First Questions
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> |
2005-08-10 23:44:15 |
|
> Still not working. I used some googled directions (included below) to[...]
I told you last time to remove the SSL backends here, they won't work. You
speak SSL to 12.145.154.100 and pound speaks plain http to the backends
192.168.3.2 and 192.168.3.6.
Simon
|
|
|
RE: [Pound Mailing List] Introduction and First Questions
"Chris Willis" <chris(at)castellan.net> |
2005-08-11 00:45:20 |
|
I haven't gotten to that point yet - I need to see pound start before I
plug it in and start testing the LB of traffic.
What could the error I listed below mean?
|
|
|
RE: [Pound Mailing List] Introduction and First Questions
"Simon Matter" <simon.matter(at)ch.sauter-bc.com> |
2005-08-11 07:38:00 |
|
> I haven't gotten to that point yet - I need to see pound start before I[...]
From the SSL docs:
SSL_CTX_use_PrivateKey_file() adds the first private key found in file
to ctx. The formatting type of the certificate must be specified from
the known types SSL_FILETYPE_PEM, SSL_FILETYPE_ASN1.
Looks like the key in your .pem is somehow unusable. Look at
/etc/spectrumchemicals_pound.pem again, does it look like a PEM file?
Unfortunately I'm really no SSL expert...
|
|
|
Re: [Pound Mailing List] Introduction and First Questions
Robert Segall <roseg(at)apsis.ch> |
2005-08-11 12:27:34 |
|
On Wed, 10 Aug 2005 11:27:21 -0700 "Chris Willis" <chris(at)castellan.net> wrote:
[...]
OpenBSD comes with OpenSSL libraries without thread support. You'll need
to compile your own version with threads support and make sure you
actually link to it. Probably easiest if you modify your Makefile to
link against the newly compiled static libraries.
[...]
You can't talk SSL to back-ends. Remove the last two lines.
[...]
Are you consulting for the government by any chance? Otherwise I can't
imagine why would you use 3 commands where one is quite enough:
openssl pkcs12 -in filename.pfx -nodes -out server.pem
The file server.pem will contain your certificate and your private key,
without encryption (the -nodes flag). The error you get indicates your
private key is not usable - most likely because it is still encrypted.[...]
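
The failure diagnosed in this thread, as an added example that is not part of the original messages or of Pound: a structural check of a key-plus-certificate PEM bundle that flags a passphrase-protected key in either of the two encodings OpenSSL writes. The names parse_pem and lint_bundle and all sample bundles are constructed for illustration; the check covers file structure only, not whether the key and certificate belong together.

```python
import base64
import re

# One PEM block: BEGIN label, optional RFC 1421 headers, base64 body, END label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, headers, der_or_None)] for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        headers, b64 = {}, []
        for line in (l.strip() for l in body.splitlines()):
            if ":" in line:  # header such as "Proc-Type: 4,ENCRYPTED"
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            elif line:
                b64.append(line)
        try:
            der = base64.b64decode("".join(b64), validate=True)
        except ValueError:  # truncated or hand-edited body
            der = None
        blocks.append((label, headers, der))
    return blocks


def lint_bundle(text):
    """List the structural problems that keep a daemon from loading the bundle."""
    blocks = parse_pem(text)
    problems = []
    if not any(label.endswith("PRIVATE KEY") for label, _, _ in blocks):
        problems.append("no private key block")
    if not any(label == "CERTIFICATE" for label, _, _ in blocks):
        problems.append("no certificate block")
    for label, headers, der in blocks:
        legacy_enc = "ENCRYPTED" in headers.get("Proc-Type", "")
        if label == "ENCRYPTED PRIVATE KEY" or legacy_enc:
            problems.append(label + " is passphrase-protected")
        if der is None:
            problems.append(label + " body is not valid base64")
        elif not legacy_enc and der[:1] != b"\x30":
            # Unencrypted keys and certificates are DER and start with a SEQUENCE tag.
            problems.append(label + " body is not DER")
    return problems


def _pem(label, payload, headers=""):
    """Build a constructed PEM block; payload is filler bytes, not real key material."""
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, lines, label)


# Constructed samples (filler bytes shaped like DER, not usable keys or certificates).
FILLER = b"\x30\x82\x01\x00" + bytes(range(92))
CERT = _pem("CERTIFICATE", FILLER)
# A pkcs12 export puts "Bag Attributes" text outside the blocks; the parser ignores it.
PLAIN = "Bag Attributes\n    localKeyID: 01 00 00 00\n" + _pem("RSA PRIVATE KEY", FILLER) + CERT
# Traditional encrypted key: same BEGIN label as a plain key, only the headers differ.
LEGACY_ENC = _pem("RSA PRIVATE KEY", bytes(range(255, 159, -1)),
                  "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n") + CERT
# PKCS#8 encrypted key: the label itself says ENCRYPTED.
PKCS8_ENC = _pem("ENCRYPTED PRIVATE KEY", FILLER) + CERT
CERT_ONLY = CERT

if __name__ == "__main__":
    for name in ("PLAIN", "LEGACY_ENC", "PKCS8_ENC", "CERT_ONLY"):
        print(name, lint_bundle(globals()[name]) or "ok")
```

An empty list from lint_bundle means the file has the layout a non-interactive server expects; a key body that was cut or hand-edited shows up as invalid base64 rather than as an encryption problem.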
|
|
|
RE: [Pound Mailing List] Introduction and First Questions
"Chris Willis" <chris(at)castellan.net> |
2005-08-21 23:23:03 |
|
Yep, that was it - it is working very well now that the PEM file has a
key with no password on it. Thanks for the help :)