Apparently the client certificate validation in Pound v2.1 is broken (in my
case), while it works readily in the current release v2.4.3.
I would like to know why because the v2.1 Pound I am using has some custom
patches I would prefer not to have to port to v2.4.3.
To test I built:
v2.1 patched
v2.1 unmodified
v2.4.3 unmodified
and tried all of these with the same Pound config file. Only the 2.4.3 version
works. The problems I encountered with v2.1 are identical to those described
by Eckard Koch in a previous thread (http://www.apsis.ch/pound/pound_list/archive/2006/2006-02/1140153406000)
Any insight into how to correct this in v2.1 would be appreciated. It may be
that I have done something wrong (which works in v2.4.3)?
In my case the CA used to sign the client certs is self-created and is the only
CA in both CAlist and VerifyList. Details below.
Thank you,
Stephen Quintero
DETAILS:
The config file is:

    User "nobody"
    Group "nobody"
    Daemon 1
    LogLevel 0
    Alive 10

    Service
        BackEnd
            Address http
            Port 80
            TimeOut 300
        End
    End

    ListenHTTPS
        Address 192.168.123.74
        Port 443
        Client 20
        Cert "/mnt/key/server.pem"
        HeadRemove "X-Forwarded-Proto"
        AddHeader "X-Forwarded-Proto: https"
        ClientCert 2 1
        CAlist "/mnt/key/CAlist.pem"
        VerifyList "/mnt/key/VerifyList.pem"
    End

    ListenHTTP
        Address 192.168.123.74
        Port 80
        Client 15
        RewriteLocation 0
        Service
            BackEnd
                Address 127.0.0.1
                Port 80
            End
        End
    End
The CA and certs were generated with OpenSSL as follows:

To create the CA:

    mkdir demoCA
    mkdir demoCA/private
    openssl genrsa -des3 -out demoCA/private/CA_key.pem 2048
    openssl req -new -key demoCA/private/CA_key.pem -x509 -days 365 -out demoCA/CA_cert.cer

To make a signed client cert:

    openssl genrsa -out clientA_privkey.pem 2048
    openssl req -new -key clientA_privkey.pem -out clientA_request.csr
    openssl x509 -req -days 365 -in clientA_request.csr -CA demoCA/CA_cert.cer -CAkey demoCA/private/CA_key.pem -CAcreateserial -out clientA.cer

To combine client key and cert and convert to PKCS#12 format (for Firefox):

    openssl pkcs12 -export -in clientA.cer -inkey clientA_privkey.pem -out clientA.p12

To create CAlist.pem (which is identical to VerifyList.pem):

    cat demoCA/private/CA_key.pem demoCA/CA_cert.cer > CAlist.pem

To test the SSL handshake from a remote server:

    openssl s_client -host 192.168.123.74 -port 443 -showcerts -ssl3 -cert clientA.cer -key clientA_privkey.pem -state
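One thing worth checking in a setup like the one above, as an added example that is not part of the original post or of Pound itself: the cat command that builds CAlist.pem concatenates the CA's private key with the CA certificate. The CAlist and VerifyList files Pound reads are lists of trusted CA certificates, so the private key does not belong in them, and a key that has been copied into a server-side list file is one more place it can leak from. The POSIX shell functions below (hypothetical names, written for this example) count the PEM blocks in a bundle, refuse a bundle that contains any PRIVATE KEY block or no CERTIFICATE block, and rebuild a certificate-only list from it. The sample bundle is constructed with fake base64 bodies, not real key or certificate material.

```shell
#!/bin/sh
# Added example, not code from the original post or from Pound.
# Checks a PEM bundle intended for use as a CA list: it should hold only
# CERTIFICATE blocks, never a PRIVATE KEY block.

# Constructed sample (fake bodies): what `cat CA_key.pem CA_cert.cer` yields.
SAMPLE_BUNDLE='-----BEGIN RSA PRIVATE KEY-----
ZmFrZS1rZXktYm9keQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
ZmFrZS1jZXJ0LWJvZHk=
-----END CERTIFICATE-----'

# count_blocks FILE TYPE: number of PEM blocks whose BEGIN header ends in TYPE
# (e.g. "PRIVATE KEY" matches "RSA PRIVATE KEY" and "EC PRIVATE KEY").
count_blocks() {
    awk -v t="$2" '
        $0 ~ ("^-----BEGIN .*" t "-----$") { n++ }
        END { print n + 0 }' "$1"
}

# check_ca_list FILE: return 0 if FILE is a usable CA list (>= 1 certificate,
# no private keys); otherwise print a diagnostic and return 1.
check_ca_list() {
    keys=$(count_blocks "$1" 'PRIVATE KEY')
    certs=$(count_blocks "$1" 'CERTIFICATE')
    if [ "$keys" -ne 0 ]; then
        echo "$1: contains $keys private key block(s); a CA list must hold certificates only" >&2
        return 1
    fi
    if [ "$certs" -eq 0 ]; then
        echo "$1: no certificate blocks found" >&2
        return 1
    fi
    echo "$1: OK ($certs certificate block(s), no private keys)"
    return 0
}

# extract_certs IN OUT: copy only CERTIFICATE blocks from IN to OUT, which is
# how a CAlist/VerifyList should be assembled from a mixed bundle.
extract_certs() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }' "$1" > "$2"
}

# demo: run the check on the constructed bundle, then on the cleaned copy.
demo() {
    mixed=$(mktemp) && clean=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_BUNDLE" > "$mixed"
    if check_ca_list "$mixed"; then
        echo "unexpected: mixed bundle passed" >&2
    fi
    extract_certs "$mixed" "$clean"
    check_ca_list "$clean"
    rc=$?
    rm -f "$mixed" "$clean"
    return $rc
}

demo
```

Run the check against the real CAlist.pem and VerifyList.pem before pointing Pound at them; if it reports a private key block, rebuild the list with extract_certs (or simply `cat demoCA/CA_cert.cer > CAlist.pem`) and keep CA_key.pem only under demoCA/private.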