Pound Mailing List Archive, 2005-09: Client certificates
Client certificates
"Matthew Bennetts (SYD)" <Matthew.Bennetts(at)foxtel.com.au> | 2005-09-14 11:18:38
I am having trouble getting Pound (1.9.1) to accept my client
certificate. The environment is entirely internal (i.e. intranet) and
we're using a self-signed root certificate. The root CA was used to sign
a server certificate for Pound and a client certificate. The
configuration for Pound is:
LogLevel 4
User nobody
Group nobody
ListenHTTPS 192.168.1.1,443 /etc/pound/server-key-cert.pem
HTTPSHeaders 2 ""
CAlist /etc/pound/ca-list.pem
VerifyList /etc/pound/verify-list.pem 1
UrlGroup ".*"
BackEnd 192.168.1.2,80,1
EndGroup
The "ca-list.pem" file is just the root certificate (PEM format) while
the "verify-list.pem" is a copy of the root certificate with the CRL
appended to the end (also in PEM format).
When I try to connect using the openssl s_client utility I get:
CONNECTED(00000003)
depth=1 /O=.../OU=.../emailAddress=.../L=.../ST=.../C=.../CN=...
verify return:1
depth=0 /C=.../ST=.../O=.../OU=.../CN=...
verify return:1
6030:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
6030:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:
After searching the mailing-list archive I found the thread started by
John.D that suggests modifying the "config.h" file to change the define
"HAVE_X509_STORE_SET_FLAGS" from 1 to 0. I did this and everything works
now, but I think this isn't really the right long-term solution and I
believe that it's something that I'm doing wrong (since I'm new to SSL).
Can someone suggest what might be wrong?
Regards,
Matthew
This e-mail, and any attachment, is confidential.
If you are not the intended recipient, please
delete it from your system, do not use or disclose
the information in any way, and notify the sender immediately.
Any views expressed in this message are those of the individual sender
and may not be the views of FOXTEL, unless specifically stated.
No warranty is made that the e-mail or attachment (s) are free
from computer viruses or other defects.
Re: [Pound Mailing List] Client certificates
Robert Segall <roseg(at)apsis.ch> | 2005-09-14 15:49:52
On Wed, 14 Sep 2005 19:18:38 +1000 "Matthew Bennetts (SYD)"
<Matthew.Bennetts(at)foxtel.com.au> wrote:
[...]
I assume you gave s_client the correct client certificate and key to
use, otherwise it is guaranteed to fail.
Your s_client tells you that it doesn't know the CA specified by the
server. Did you give it the CApath (or CAfile) argument?
Did you try the same with a browser? What does it tell you?
Finally: what do you see in the Pound logs?
For your info: the HAVE_X509_STORE_SET_FLAGS trick only disables the CRL
verification. I assume you have a correct CRL - but you could try simply
removing your CRL altogether and see if it helps.[...]
RE: [Pound Mailing List] Client certificates
"Matthew Bennetts (SYD)" <Matthew.Bennetts(at)foxtel.com.au> | 2005-09-15 00:45:07
Hi Robert,
I used the following command:
"openssl s_client -connect hostname.domainname:443 -cert client-cert.pem
-key client-key.pem -CAfile cacert.pem"
I loaded firefox with the root CA and client certificate then pointed it
at Pound and got an error message saying "...your certificate was
rejected by... Error Code: -12271". The Pound log (/var/log/message)
displays absolutely nothing when this happens. I have tried with and
without the CRL appended to the file specified by the VerifyList option
- "verify-list.pem".
The CRL I used was generated with the following command: "openssl ca
-gencrl -config ./openssl.cnf -crldays 7 -out ca.crl". I then appended
the "ca.crl" to the "verify-list.pem" using something like "cat ca.crl[...]
The only way I can get it to work is to recompile Pound without the CRL
stuff. Both the browser and s_client work.
Cheers,
Matt
Re: [Pound Mailing List] Client certificates
Robert Segall <roseg(at)apsis.ch> | 2005-09-15 18:33:15
On Thu, 15 Sep 2005 08:45:07 +1000 "Matthew Bennetts (SYD)"
<Matthew.Bennetts(at)foxtel.com.au> wrote:
[...]
Yet another OpenSSL mystery. May I ask you to try a small change, just
to see if it helps? In pound.c, line 647, try changing
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK);
to
X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
Can't hurt to try...[...]
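As an added example (not code from the thread, from Pound, or from either poster), the following POSIX shell script builds a throwaway root CA, a client certificate and a CRL with the openssl CLI, then checks a VerifyList-style bundle (the root certificate with the CRL appended, as described above) using openssl verify with -crl_check, which is what X509_V_FLAG_CRL_CHECK alone does, and with -crl_check_all, which is the X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL combination suggested in the last reply. It also shows the two failure modes worth recognising when a client certificate is rejected: CRL checking enabled with no CRL available for the issuer, and a client certificate that the CRL actually revokes. All subjects, file names and the CA layout are constructed for this lab only.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pound: build a throwaway root
# CA, a client certificate and a CRL with the openssl CLI, then check a
# VerifyList-style bundle (root certificate + CRL in one PEM file) with
# `openssl verify` under the same CRL flags Pound hands to X509_STORE_set_flags.
# Subjects, file names and the CA layout are constructed for this lab only.

LAB="${LAB:-$(mktemp -d)}"   # every function reads $LAB when it runs

# Minimal `openssl ca` configuration for the lab CA (assumed layout, not Pound's).
write_ca_config() {
  cat > "$LAB/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir              = $LAB
database         = \$dir/index.txt
new_certs_dir    = \$dir
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca-cert.pem
private_key      = \$dir/ca-key.pem
default_md       = sha256
default_days     = 30
default_crl_days = 7
x509_extensions  = v3_client
policy           = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > "$LAB/index.txt"
  echo 1000 > "$LAB/serial"
  echo 01 > "$LAB/crlnumber"
}

# Self-signed root, one client certificate issued by it, and an (empty) CRL.
build_lab_pki() {
  [ -f "$LAB/client-cert.pem" ] && return 0
  write_ca_config
  openssl req -x509 -config "$LAB/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Lab Root CA" -days 30 \
    -keyout "$LAB/ca-key.pem" -out "$LAB/ca-cert.pem" >/dev/null 2>&1 || return 1
  openssl req -new -config "$LAB/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=lab-client" \
    -keyout "$LAB/client-key.pem" -out "$LAB/client.csr" >/dev/null 2>&1 || return 1
  openssl ca -batch -config "$LAB/openssl.cnf" -notext \
    -in "$LAB/client.csr" -out "$LAB/client-cert.pem" >/dev/null 2>&1 || return 1
  regen_crl
}

# Regenerate the CRL and rebuild the bundle a VerifyList would point at
# (root certificate first, CRL appended, as described in the thread).
regen_crl() {
  openssl ca -config "$LAB/openssl.cnf" -gencrl -crldays 7 \
    -out "$LAB/ca.crl" >/dev/null 2>&1 || return 1
  cat "$LAB/ca-cert.pem" "$LAB/ca.crl" > "$LAB/verify-list.pem"
}

# verify_client <trust file> [-crl_check|-crl_check_all]: 0 if the client
# certificate validates against that file under that flag, 1 otherwise.
# -crl_check is X509_V_FLAG_CRL_CHECK (leaf only); -crl_check_all adds
# X509_V_FLAG_CRL_CHECK_ALL (every certificate in the chain).
verify_client() {
  if openssl verify ${2:+"$2"} -CAfile "$1" "$LAB/client-cert.pem" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Revoke the client certificate (once) and publish a fresh CRL.
revoke_client() {
  grep -q '^R' "$LAB/index.txt" || \
    openssl ca -config "$LAB/openssl.cnf" -revoke "$LAB/client-cert.pem" >/dev/null 2>&1
  regen_crl
}

# Demonstration run: the checks an operator would make before trusting a bundle.
report() { if verify_client "$1" "$2"; then echo "OK   $3"; else echo "FAIL $3"; fi; }
build_lab_pki && {
  report "$LAB/verify-list.pem" -crl_check     "root+CRL bundle, -crl_check"
  report "$LAB/verify-list.pem" -crl_check_all "root+CRL bundle, -crl_check_all"
  report "$LAB/ca-cert.pem"     -crl_check     "root only, no CRL, -crl_check (expect FAIL)"
  revoke_client
  report "$LAB/verify-list.pem" -crl_check     "bundle after revocation, -crl_check (expect FAIL)"
  echo "lab files left in $LAB"
}
```

The script only needs the openssl binary. OpenSSL's PEM file lookup loads certificates and CRLs from one file, which is why a root-plus-CRL bundle satisfies both `openssl verify -CAfile` and a VerifyList. The third check is the one to keep in mind when the server answers with the "unknown ca" alert: with CRL checking switched on, a chain that is otherwise perfectly good is rejected as soon as no CRL from the leaf's issuer is available to the store. If a bundle validates here under the same flag Pound uses but Pound still rejects the client, the certificates and the CRL themselves are not the problem and attention can move to how Pound loads and applies them.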