Apparently the client certificate validation in Pound v2.1 is broken (in my
case), while it works readily in the current release v2.4.3.
I would like to know why because the v2.1 Pound I am using has some custom
patches I would prefer not to have to port to v2.4.3.
To test I built:
and tried all of these with the same Pound config file. Only the 2.4.3 version
works. The problems I encountered with v2.1 are identical to those described
by Eckard Koch in a previous thread (http://www.apsis.ch/pound/pound_list/archive/2006/2006-02/1140153406000).
Any insight into how to correct this in v2.1 would be appreciated. It may be
that I have done something wrong (which works in v2.4.3)?
In my case the CA used to sign the client certs is self-created and is the only
CA in both CAlist and VerifyList. Details below.
The config file is:
AddHeader "X-Forwarded-Proto: https"
ClientCert 2 1
The CA and certs were generated with OpenSSL as follows:
To create the CA:
openssl genrsa -des3 -out demoCA/private/CA_key.pem 2048
openssl req -new -key demoCA/private/CA_key.pem -x509 -days 365 -out
To make a signed client cert:
openssl genrsa -out clientA_privkey.pem 2048
openssl req -new -key clientA_privkey.pem -out clientA_request.csr
openssl x509 -req -days 365 -in clientA_request.csr -CA demoCA/CA_cert.cer \
  -CAkey demoCA/private/CA_key.pem -CAcreateserial -out clientA.cer
To combine client key and cert and convert to PKCS#12 format (for Firefox):
openssl pkcs12 -export -in clientA.cer -inkey clientA_privkey.pem -out
To create CAlist.pem (which is identical to VerifyList.pem):
# note: this also copies the CA private key into the list file; CAlist/VerifyList
# only need the CA certificate, and the CA key should not be deployed on the proxy
cat demoCA/private/CA_key.pem demoCA/CA_cert.cer > CAlist.pem
To test the SSL handshake from a remote server:
openssl s_client -host 192.168.123.74 -port 443 -showcerts -ssl3 \
  -cert clientA.cer -key clientA_privkey.pem -state
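The following script is an added example, not part of the post or of Pound: it rebuilds the CA and client-cert setup described above in a scratch directory and checks, independently of Pound, that the client cert chains to the CA list and that the list file holds certificates only. It assumes unencrypted keys (the post uses -des3 on the CA key), constructed subject names, and a temp directory of its own.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the CA / client cert
# setup in a scratch directory and check it outside Pound.
# Assumptions: keys are written unencrypted (the post uses -des3 on the CA key);
# subject names and the scratch directory are constructed here.
set -e
WORK=$(mktemp -d)

# Create a self-signed CA under $WORK/$1 (e.g. demoCA), mirroring the post.
mk_ca() {
  mkdir -p "$WORK/$1/private"
  openssl genrsa -out "$WORK/$1/private/CA_key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1/private/CA_key.pem" -x509 -days 365 \
    -subj "/CN=$1" -out "$WORK/$1/CA_cert.cer" 2>/dev/null
}

# Issue a client cert named $1, signed by the CA in $WORK/$2.
mk_client() {
  openssl genrsa -out "$WORK/$1_privkey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1_privkey.pem" -subj "/CN=$1" \
    -out "$WORK/$1_request.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1_request.csr" \
    -CA "$WORK/$2/CA_cert.cer" -CAkey "$WORK/$2/private/CA_key.pem" \
    -CAcreateserial -out "$WORK/$1.cer" 2>/dev/null
}

# Check 1: does client cert $1 chain to a CA in list file $2?
# This is the same verification VerifyList drives inside Pound.
verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 2: does list file $1 hold certificates only? The CA list is sent to
# clients and lives on the proxy, so a private key must never end up in it.
certs_only() {
  ! grep -q "PRIVATE KEY" "$1"
}

# Demo run: CAlist.pem built from the CA certificate alone.
mk_ca demoCA
mk_client clientA demoCA
cp "$WORK/demoCA/CA_cert.cer" "$WORK/CAlist.pem"
verifies "$WORK/clientA.cer" "$WORK/CAlist.pem" && echo "clientA verifies against CAlist.pem"
certs_only "$WORK/CAlist.pem" && echo "CAlist.pem contains certificates only"
```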