Pound Mailing List Archive / 2005-11
SSL Vhosts in Pound 2
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>, 2005-11-23 19:59:00

OK, still working on this issue, but I have some valuable information
regarding the "cert" that pound will present to the web clients. On
CAcert.org in the wiki there is a nice lengthy discussion about
virtualhosting and SSL certificates
(http://wiki.cacert.org/wiki/VhostTaskForce) which discusses
methodologies to create an SSL certificate for multiple domains that
co-exist within a single IP address on a web server. So, to that end I
created a CSR with a single CN and multiple subjectAltNames and, once
signed, created a PEM file containing the private key as well as the
signed certificate. I added the following stanza to pound.cfg:

ListenHTTPS
    Address 10.10.240.201
    Port 443
    Cert "/usr/share/ssl/certs/agcom.pem"
    Ciphers "ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL"
    xHTTP 1

    Service
        HeadRequire "Host:.*dev.americangreetings.com.*"
        BackEnd
            Address 10.10.240.101
            Port 444
        End
    End

    Service
        HeadRequire "Host:.*dev.bluemountain.com.*"
        BackEnd
            Address 10.10.240.201
            Port 16043
        End
    End

    Service
        HeadRequire "Host:.*dev.egreetings.com.*"
        BackEnd
            Address 10.10.240.201
            Port 12343
        End
    End
End

all pointing to a single PEM file containing the certificate using a
single CN and multiple subjectAltNames, but when I make a request to,
say, https://dev.egreetings.com, I get the following error in the
message log after I accept the presented certificate:

Nov 23 13:42:51 dev-ng pound: can't read header
Nov 23 13:42:51 dev-ng pound: response error read from 10.10.240.201:12343: Success
Nov 23 13:42:51 dev-ng pound: MONITOR: worker exited on signal 11, restarting...

and this on the client side:

500 Internal Server Error
An internal server error occurred. Please try again later.

Any ideas on what I did wrong, or what's going on here?

Thanks in advance,
Michael Weiner
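Two things in the config above are worth checking mechanically before chasing the crash: whether every Host that a Service routes is actually covered by a subjectAltName in the PEM, and whether the HeadRequire regexes are tight enough that only the intended host matches. The script below is an added example (mine, not code from the thread or from the Pound project). It embeds the posted stanza as a constructed string, assumes a hypothetical SAN list for the PEM (the post does not say which names the CSR carried), extracts the hostname from each HeadRequire pattern, matches it against the SANs the way a browser would (exact, or one left-most wildcard label), and flags patterns whose unescaped dots or missing end anchor would let a longer host such as dev.egreetings.com.attacker.example route the same way as dev.egreetings.com.

```python
import re

# Constructed sample: the ListenHTTPS stanza from the post (hostnames and
# addresses as posted; this is a string for the demo, not a live config).
POUND_CFG = '''
ListenHTTPS
    Address 10.10.240.201
    Port 443
    Cert "/usr/share/ssl/certs/agcom.pem"
    Service
        HeadRequire "Host:.*dev.americangreetings.com.*"
        BackEnd
            Address 10.10.240.101
            Port 444
        End
    End
    Service
        HeadRequire "Host:.*dev.bluemountain.com.*"
        BackEnd
            Address 10.10.240.201
            Port 16043
        End
    End
    Service
        HeadRequire "Host:.*dev.egreetings.com.*"
        BackEnd
            Address 10.10.240.201
            Port 12343
        End
    End
End
'''

# Constructed, hypothetical SAN list for the PEM: an assumption for the demo,
# the post does not list the names that were in the CSR.
CERT_SANS = ["dev.americangreetings.com", "dev.bluemountain.com", "*.egreetings.com"]

HEADREQUIRE_RE = re.compile(r'HeadRequire\s+"Host:(.*)"')
HOSTNAME_RE = re.compile(r'[A-Za-z0-9-]+(?:\\?\.[A-Za-z0-9-]+)+')


def headrequire_patterns(cfg):
    """Host regexes from every HeadRequire line, in config order."""
    return HEADREQUIRE_RE.findall(cfg)


def literal_host(pattern):
    """The bare hostname the regex is meant to match (escaped dots removed)."""
    m = HOSTNAME_RE.search(pattern)
    return m.group(0).replace("\\.", ".") if m else None


def san_matches(hostname, san):
    """Match a hostname against one SAN dNSName the way browsers do:
    exact match, or a single wildcard in the left-most label only."""
    hostname, san = hostname.lower(), san.lower()
    if san.startswith("*."):
        h, s = hostname.split("."), san.split(".")
        return len(h) == len(s) and h[1:] == s[1:]
    return hostname == san


def pattern_is_loose(pattern):
    """True if the Host regex has an unescaped dot or no end anchor, so a
    request for e.g. dev.egreetings.com.attacker.example would be routed
    the same way as dev.egreetings.com."""
    unescaped_dot = re.search(r'(?<!\\)\.(?!\*)', pattern) is not None
    unanchored = not pattern.rstrip().endswith("$")
    return unescaped_dot or unanchored


def check_vhosts(cfg, sans):
    """One report row per Service: is the host covered by the cert's SANs,
    and is its HeadRequire regex loose?"""
    rows = []
    for pat in headrequire_patterns(cfg):
        host = literal_host(pat)
        rows.append({
            "host": host,
            "pattern": pat,
            "covered": any(san_matches(host, s) for s in sans),
            "loose": pattern_is_loose(pat),
        })
    return rows


if __name__ == "__main__":
    for row in check_vhosts(POUND_CFG, CERT_SANS):
        print(f'{row["host"]:30} covered={row["covered"]!s:5} loose={row["loose"]}')
```

With the hypothetical SAN list all three hosts come out as covered, and all three patterns come out as loose. A tightened form in Python `re` syntax would be `Host:[ \t]*dev\.egreetings\.com$`; Pound compiles HeadRequire with the system regex library, so check how its config parser treats backslashes before copying that form into pound.cfg.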

Re: [Pound Mailing List] SSL Vhosts in Pound 2
Robert Segall <roseg(at)apsis.ch>, 2005-11-24 09:16:50

On Wed, 2005-11-23 at 13:59 -0500, MW Mike Weiner (5028) wrote:[...]

If you are not yet at 2.0b3 please upgrade - that version fixes an issue
with HeadRequire directives. If in doubt just try removing the
directives from your test config and see if it helps.

If you are at 2.0b3 try using a regular certificate (single
subjectAltName) and see if that makes a difference.[...]

RE: [Pound Mailing List] SSL Vhosts in Pound 2
"MW Mike Weiner (5028)" <MWeiner(at)ag.com>, 2005-11-24 14:24:24

-----Original Message-----
From: Robert Segall [mailto:roseg(at)apsis.ch]
Sent: Thursday, November 24, 2005 3:17 AM
To: pound(at)apsis.ch
Subject: Re: [Pound Mailing List] SSL Vhosts in Pound 2
On Wed, 2005-11-23 at 13:59 -0500, MW Mike Weiner (5028) wrote:[...]
If you are not yet at 2.0b3 please upgrade - that version fixes an issue
with HeadRequire directives. If in doubt just try removing the
directives from your test config and see if it helps.
If you are at 2.0b3 try using a regular certificate (single
subjectAltName) and see if that makes a difference.
--

Robert -

Thank you for your response. I did as suggested: as I was already at
v2b3, I pointed to a single certificate (PEM formatted) and still
get the following:

Nov 24 08:17:40 dev-ng pound: can't read header
Nov 24 08:17:40 dev-ng pound: response error read from 10.10.240.201:16043: Success
Nov 24 08:17:40 dev-ng pound: MONITOR: worker exited on signal 11, restarting...

Any means of debugging to see what is actually going on?

Thanks again,
Michael Weiner

RE: [Pound Mailing List] SSL Vhosts in Pound 2
Robert Segall <roseg(at)apsis.ch>, 2005-11-24 15:42:25

On Thu, 2005-11-24 at 08:24 -0500, MW Mike Weiner (5028) wrote:[...]

Try a regular debugger or use any standard debugging method.

For regular HTTP (such as between Pound and the back-end) you can use
something like tcpwatch to see what passes on the wire. The syslog
messages indicate a problem in the response from a back-end, so it might
be of interest.

I find LiveHTTPHeaders in Firefox very useful for looking at requests
and responses.

Let me know what you find out.

P.S. please fix your Outlook quoting - it's very difficult to separate
the quoted message from your reply.[...]
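Robert's advice is to look at what the back-end actually puts on the wire, since the syslog lines point at the response rather than at the TLS side. The script below is an added example (mine, not from the thread, tcpwatch or Pound) of the triage you would do on such a capture: it classifies constructed byte samples of what a back-end might send on the plain-HTTP connection the proxy opens. The sample bytes are hypothetical. One interpretation in it is my own assumption: "Success" is the errno string for 0, which is what a zero-byte read leaves behind, so I read the posted "response error read from ...: Success" as the back-end closing the connection before sending any header line, which the classifier reports as eof-before-header.

```python
# Constructed wire samples (hypothetical bytes, not captures from the thread).
SAMPLES = {
    "clean":   b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello",
    "eof":     b"",
    "tls":     bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x03",
    "bare_lf": b"HTTP/1.0 302 Found\nLocation: https://dev.egreetings.com/\n\n",
    "garbage": b"<html><body>oops</body></html>",
}


def classify_response(raw):
    """Classify the first bytes a back-end sent on a plain-HTTP connection.

    Returns (verdict, headers). Verdicts:
      eof-before-header  nothing arrived before the peer closed: a zero-byte
                         read, whose errno string is "Success" (my reading
                         of the syslog line in the thread, an assumption)
      tls-record         starts with a TLS record header, i.e. the back-end
                         speaks HTTPS while the proxy is speaking plain HTTP
      not-http           no "HTTP/x.y <digits>" status line
      malformed-header   a header line without a colon
      http-truncated     status line and headers, but no blank line yet
      http               a complete header block
    """
    if not raw:
        return "eof-before-header", {}
    if raw[:1] == b"\x16" and raw[1:2] == b"\x03":
        return "tls-record", {}
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:  # be lenient about bare LF line ends, as many parsers are
        head, sep, _body = raw.partition(b"\n\n")
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    status = lines[0].split(b" ", 2)
    if len(status) < 2 or not status[0].startswith(b"HTTP/") or not status[1].isdigit():
        return "not-http", {}
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, colon, value = line.partition(b":")
        if not colon:
            return "malformed-header", headers
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return ("http" if sep else "http-truncated"), headers


def triage(samples):
    """Verdict per sample: the summary a wire-watching session gives you."""
    return {name: classify_response(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name:8} -> {verdict}")
```

Feed the function the first buffer a capture shows the back-end sending; an eof-before-header or tls-record verdict says the problem is on the back-end side (wrong port, wrong protocol, or a back-end that dies on the request), while http-truncated or malformed-header points at the response itself.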