Hi everyone,

I'm still stuck on this, so I'm really hoping that someone can offer me ideas of things to try to either get it working or to figure out what's going wrong.

Many thanks,
Sarah

-----Original Message-----
From: Sarah Brennan [mailto:sarah.brennan@navman.com]
Sent: Wednesday, 16 August 2006 10:25 a.m.
To: pound@apsis.ch
Subject: [Pound Mailing List] Need help with Client Certificate Validation (Pound v2.1)

Hi everyone,

I'm trying to get Client Certificate Validation working with Pound v2.1
but it doesn't seem to like me.

Here's my pound configuration file...

ListenHTTPS
  Address 1.12.123.44
  Port 443
  Cert "/usr/local/etc/server_cert.pem"
  ClientCert 2 9
  CAlist "/usr/local/etc/calist.pem"
  VerifyList "/usr/local/etc/vertifylist.pem"
End
#
LogLevel 2
#
Service
  Backend
    Address 1.12.123.44
    Port 8080
    TimeOut 360
  End
  Session
    Type BASIC
    TTL 36000
  End
End

For the certificates, I'm using the following...
* Server certificate
  * Self-signed certificate created using openssl
* Certificate Authority
  * Created a CA using openssl
* Client certificate
  * Created by openssl and signed using the CA I previously created

The CAlist file contains the CA I created, which should be correct.

The VerifyList file contains the CA I created. This file may be wrong as
the man page mentions it should also contain the CRL, but I'm not
exactly sure what this is.

I'm using Firefox as my test browser which has the client certificate
installed in pkcs12 format. Btw, I used openssl to convert the client
certificate into pkcs12 format.

When I browse to the server URL with ClientCert set to "3 9", everything
works fine. The server asks for a client certificate and I select the
certificate I installed from the list and the connection goes through -
makes sense as no client certificate validation is occurring yet.

When I change the ClientCert value to "2 9" then it fails. The server
still asks for a client certificate, and I select my imported
certificate but the connection fails after that and I get the error
message...

"Could not establish an encrypted connection because your certificate
was rejected by <server-name>. Error Code: -12271"

Something else I've noticed is that I don't seem to get a lot of logging
output. If the connection goes through then I see the GET request in the
log (e.g. Aug 17 23:29:57 <server-name> pound: 1.12.123.44 GET
/test-jaxrpc/test HTTP/1.1 - HTTP/1.1 200 OK (:8080)), but that's all.
If the connection fails (i.e. validation was turned on), then I don't
see anything in the log. Is there a way for me to get more logging
details to show up in the log?

As far as I can tell, I have a client certificate which is signed by the
CA in my CAlist and VerifyList files and thus I think it should work,
but it doesn't and the lack of logging details is making it hard for me
to see what's going on.

Any assistance in getting this working would be greatly appreciated.

Many thanks,
Sarah

--
To unsubscribe send an email with subject 'unsubscribe' to pound@apsis.ch.
Please contact roseg@apsis.ch for questions.
http://www.apsis.ch/pound/pound_list/archive/2006/2006-08/1155680722000