Client Cert Verification (again)
"Michael Parkin" <michaelparkin(at)gmail.com>
2006-10-03 20:38:27
Hi,

I'm having problems with the verification of client certificates under Pound
2.1.3 and OpenSSL 0.9.8d. I've searched the mailing list, but none of the
emails have any concrete or complete solutions as to how people fixed their
problems - hence this email to the list. I hope someone can help me.

I only want to validate certificates from one CA that have been signed by
the CA itself, i.e. the certificate chain has a depth of 1 (is this
correct?) and CAList and VerifyList contain the same CA certificate (I'm
ignoring CRLs for now).

I've set ClientCert to 3 after reading [1]. So, my pound.cfg file is:

LogLevel 2

ListenHTTPS
  Address 0.0.0.0
  Port    443
  Cert    "/path/to/server/cert_and_key.pem"
  ClientCert 3 1
  CAlist "/path/to/ca/cert.pem"
  VerifyList "/path/to/ca/cert.pem"
  #pass along https hint
  AddHeader "X-Forwarded-Proto: https"
  Service
    BackEnd
      Address 0.0.0.0
      Port    3000
    End
  End
End

My browser only has a CA signed user certificate in it, together with the CA
certificate. Both appear as valid in the browser's certificate dialog.

When I try to connect to Pound in my browser (https://0.0.0.0/app) I get the
message "An internal server error occurred. Please try again later." In the
syslog I get "response error read from 0.0.0.0:3000: Unknown error: 0". My
application works if I connect to http://0.0.0.0:3000/app directly or set
ClientCert to '0'.

So, I'm not actually sure why this is failing; I'd expect the Client Cert
verification to fail, but the syslog entry is confusing me.

Thanks for any help anyone can offer.

Michael.

[1] http://www.apsis.ch/pound/pound_list/archive/2006/2006-02/1140153406000

Re: Client Cert Verification (again)
"Michael Parkin" <michaelparkin(at)gmail.com>
2006-10-03 21:53:41
Hi,

I've worked out a few things (which is always the way after asking for help)
and think I've found some problems with the CA cert (not issued by me, btw)
that have been rectified. Now I can connect with ClientCert set to 3,
though I don't get the client cert passed to my app. Setting ClientCert to 2
gives me a browser error of "0.0.0.0 has received an incorrect or unexpected
message. Error Code: -12227". I've searched the archives and Googled, but
can't find any reference to this error code for Pound.

As I mentioned in the previous email I've got my signed user certificate and
CA certificate (the same as configured for Pound) in my browser.

Can anyone tell me what this error means?

Thanks again,

Michael.

Re: [Pound Mailing List] Re: Client Cert Verification (again)
Ted Dunning <tdunning(at)veoh.com>
2006-10-03 23:08:54
For reference, this is the same error we get when connecting to apache via
stunnel where stunnel is configured to require a client side cert and where
the browser doesn't have the cert installed.


On 10/3/06 12:53 PM, "Michael Parkin" <michaelparkin(at)gmail.com> wrote:
[...]

Re: [Pound Mailing List] Client Cert Verification (again)
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2006-10-04 08:19:02
Hi all,

As I know, backend is the part of the configuration where you TELL pound
where to connect?!?!?

So how do you understand such a command:

  BackEnd
     Address 0.0.0.0
     Port    3000

Connect to ALL IPs in the whole world at port 3000? ;)
I bet there is no balancer that powerful yet ;)

Michael Parkin wrote:[...]
[...]

Re: [Pound Mailing List] Re: Client Cert Verification (again)
"Michael Parkin" <michaelparkin(at)gmail.com>
2006-10-04 11:12:36
Hi Ted,

Thanks for your reply.

On 10/3/06, Ted Dunning <tdunning(at)veoh.com> wrote:[...]


I figured this problem is something to do with the client cert in the
browser, but if it's in my browser (together with the CA cert that signed
it) and is showing as 'valid', then what?

Thanks,

Michael.

Re: [Pound Mailing List] Client Cert Verification (again)
"Michael Parkin" <michaelparkin(at)gmail.com>
2006-10-04 11:24:12
Hi Stefan,

Thanks for your reply.

On 10/4/06, Stefan Lambrev <stefan.lambrev(at)sun-fish.com> wrote:
[...]


I started Mongrel which gave me the message "** Mongrel available at
0.0.0.0:3000" so I pointed Pound's back end to this. It's working and the
problem is with certificates, not the configuration.

If you'd like to explain a bit further why I may be configuring the back end
incorrectly I would be most appreciative.

Thanks again,

Michael.

Re: [Pound Mailing List] Client Cert Verification (again)
Stefan Lambrev <stefan.lambrev(at)sun-fish.com>
2006-10-04 11:53:44
Hi,

Michael Parkin wrote:[...][...][...]


When you make a connection you must have a TARGET (IP/HOST) and PORT,
just like www.yahoo.com:80.
Not sure how pound implements this 0.0.0.0:3000; maybe it just uses all
of your local IPs, which doesn't seem right to me.
For the backend you have to point to the right IP where your backend listens
(the web server/s).
On LISTEN you can use 0.0.0.0 and it means for pound to "listen" on all
available IPs on the server, but your clients will not access your site
using 0.0.0.0:80 :) they will need a real IP for this.
In brief, let's say you have 3 backends on 10.1.1.1, 10.1.1.2, 10.1.1.3 -
then you have to put the BackEnd section 3 times and the first has to
contain Address 10.1.1.1, the second 10.1.1.2 and so on.

I guess the only reason this configuration works right now is because
your balancer (pound) and your web server(s) are running on the same
machine, but it still doesn't seem right to me.[...]
[...]

Re: [Pound Mailing List] Client Cert Verification (again)
"Michael Parkin" <michaelparkin(at)gmail.com>
2006-10-04 12:07:47
Hi Stefan,

On 10/4/06, Stefan Lambrev <stefan.lambrev(at)sun-fish.com> wrote:
[...]


In brief let's say you have 3 backends on 10.1.1.1,10.1.1.2,10.1.1.3 -[...]


Yes, I understand this is how to configure load-balancing from the Pound
homepage.

[...]


Yes, this is exactly the reason I'm using 0.0.0.0 - Pound and Mongrel are on
the same laptop. I've just started developing using the Ruby on Rails /
single Mongrel web server / Pound stack and am figuring out how to do client
authentication using ssl (we all have to start somewhere :-)).

When it comes to full testing/deployment/usage my back end(s) will have a
fixed IP address(es) in the DMZ, but for now 0.0.0.0 will do.

Thanks again,

Michael.

p.s. Any ideas on the certificate problem this email was originally about?!

Re: [Pound Mailing List] Client Cert Verification (again)
Robert Segall <roseg(at)apsis.ch>
2006-10-04 18:41:40
On Tue, 2006-10-03 at 19:38 +0100, Michael Parkin wrote:[...]

Most likely your browser doesn't know to send the required certificate;
it probably receives some values in the CAlist which do not match
anything in its certificate store. Try using ClientCert 3 9 (just to be
on the safe side) and no CAlist at all just to see if you receive some
certificate.[...]

Re: [Pound Mailing List] Client Cert Verification (again)
Blake Barnett <shadoi(at)nanovoid.com>
2006-10-04 21:09:13
On Oct 4, 2006, at 3:07 AM, Michael Parkin wrote:
<snip>
[...]

0.0.0.0 will not do. It's a way of saying "ALL interfaces", which
works when you are telling a daemon to LISTEN there, but not to SEND
there. Which is what you're defining. Pick an IP that mongrel
responds on for your BackEnd, even 127.0.0.1 would do.

-Blake

Re: [Pound Mailing List] Client Cert Verification (again)
"Michael Parkin" <michaelparkin(at)gmail.com>
2006-10-05 10:42:41
Hi Blake,

On 10/4/06, Blake Barnett <shadoi(at)nanovoid.com> wrote:[...]


Thanks for the explanation. I've now changed mongrel to listen on
127.0.0.1 and Pound to send there.

Michael.

Re: [Pound Mailing List] Client Cert Verification (again)
"Michael Parkin" <michaelparkin(at)gmail.com>
2006-10-05 10:59:38
Hi Robert,

On 10/4/06, Robert Segall <roseg(at)apsis.ch> wrote:[...]


I tried ClientCert 3 9 with no CAlist and got the same response. Even using
openssl s_client I can't see the client certificate being sent.

Digging around, I think I know what the problem is but don't have enough
knowledge of CA certs to configure Pound.

Briefly, I found that the CA I'm using [1] created a new CA certificate in
August, signed by a new CA root certificate. The new CA cert signed the
server certificate. The client (user) certificate was signed by the 'old' CA
cert (as it was issued before August). I'm told this has even confused some
of the 'experts' using this CA, so this may explain some of the problems (as
I'm not an expert).

So, in Pound I've got the two .pem CA certs in my CAlist (as these are the
signers of the certs I want clients to present). Is this correct?

In the VerifyList file I've got the .pem CA root cert and both the old and
new CA certs as this provides the chain to verify the presented certs.
Correct?

In my browser I've got the user key/cert, old and new CA cert and root cert
(to validate the server's certificate).

Thanks again for all the help you've offered.

Michael.

[1] http://www.grid-support.ac.uk/ca/
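An added illustration (not from the thread or from Pound itself) of the two points raised above: the depth argument of ClientCert from the first mail, and the VerifyList contents from this last one. It builds a constructed test PKI with Ruby's OpenSSL bindings (root, an "old" and a "new" intermediate CA, a user cert signed by the old CA; all names hypothetical) and checks the user cert against trust lists of differing completeness and depth limits, counting depth the way OpenSSL 0.9.8 does (leaf at level 0, root included).

```ruby
require 'openssl'

# Constructed test PKI (hypothetical names) standing in for the CA hierarchy in
# the thread: root -> old CA -> user cert, plus a new CA also under the root.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                     # X.509 v3
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject # no issuer => self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Mirrors what Pound does with VerifyList and the depth argument of ClientCert:
# build the chain from the presented cert up to a trusted self-signed root, then
# reject it if the chain is deeper than allowed. Returns [accepted, detail].
def verify_client(client_cert, verify_list, max_depth)
  store = OpenSSL::X509::Store.new
  verify_list.each { |c| store.add_cert(c) }
  return [false, store.error_string] unless store.verify(client_cert)
  depth = store.chain.length - 1                       # leaf sits at depth 0
  return [false, "chain depth #{depth} exceeds ClientCert depth #{max_depth}"] if depth > max_depth
  [true, "chain depth #{depth}"]
end

KEYS   = Hash.new { |h, k| h[k] = OpenSSL::PKey::RSA.new(2048) }
ROOT   = make_cert('Test Root CA', KEYS[:root], ca: true)
OLD_CA = make_cert('Test CA (pre-August)', KEYS[:old], issuer: ROOT, issuer_key: KEYS[:root], ca: true)
NEW_CA = make_cert('Test CA (new)', KEYS[:new], issuer: ROOT, issuer_key: KEYS[:root], ca: true)
USER   = make_cert('Test User', KEYS[:user], issuer: OLD_CA, issuer_key: KEYS[:old])

if __FILE__ == $0
  [[[OLD_CA, NEW_CA],       9, 'both CAs but no root (depth 9)'],
   [[ROOT, OLD_CA, NEW_CA], 1, 'root + both CAs, ClientCert 3 1'],
   [[ROOT, OLD_CA, NEW_CA], 9, 'root + both CAs, ClientCert 3 9']].each do |list, depth, label|
    ok, detail = verify_client(USER, list, depth)
    puts "#{label}: #{ok ? 'accepted' : 'rejected'} - #{detail}"
  end
end
```

Only the last case is accepted: without the self-signed root in the trust list the chain cannot be completed, and with a depth limit of 1 the two-level chain (user -> old CA -> root) is too long.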
