Re: [Pound Mailing List] --enable-cert1l results in complaints about line too long.
Re: [Pound Mailing List] --enable-cert1l results in complaints about line too long.
Nigel Kersten <nigelk(at)google.com> | 2008-11-03 20:19:40
On Tue, Oct 21, 2008 at 10:21 AM, Nigel Kersten <nigelk(at)google.com> wrote:
[...]
>>> root(at)host:/src/Pound-2.4.3 $ ./configure --help |grep cert1
>>> --enable-cert1l enable or disable single-line certificate
>>> (default: disabled)
>>>
>>> Sorry I've taken so long to get around to testing this patch I
>>> requested a while ago, but there seem to be some problems with it.
>>>
>>> Although all transactions appear to work correctly with Mongrel and
>>> single-line certificates, I get this in the logs:
>>>
>>> pound: (400c2960) line too long: Sep 19 15:50:01 2013 GMT
>>> pound: (400c2960) line too long: CN = 2ac28920-d223-4f61-b937-ee9869103f91
>>> pound: (400c2960) line too long: CN = host.mydomain.com
>>>
>>> From looking at the source, I think these errors aren't disastrous,
>>> and the code that checks whether MAXBUF is exceeded simply doesn't
>>> take into account the --enable-cert1l behavior, but I'm not positive.
[...]
I'm also unsure where this should happen. If there's anything I can do
to help shed light on the matter Robert...
[...]
Re: [Pound Mailing List] --enable-cert1l results in complaints about line too long.
Robert Segall <roseg(at)apsis.ch> | 2008-11-06 17:58:08
On Tue, 2008-10-21 at 11:21 -0700, Nigel Kersten wrote:
[...]
If you look at the source, you'll notice that the certificate is written
to the back-end regardless of line length. The message you see is
generated when Pound sees a certificate-type line on input, which should
never happen.
I suggest you sniff the sockets between the client and Pound, as well as
Pound to back-end, to see where the header is generated. We'll take it
from there.
[...]
Re: [Pound Mailing List] --enable-cert1l results in complaints about line too long.
Nigel Kersten <nigelk(at)google.com> | 2008-11-06 21:19:49
On Thu, Nov 6, 2008 at 8:58 AM, Robert Segall <roseg(at)apsis.ch> wrote:
[...]
I don't believe this is what's happening in my case Robert. I've
double-checked the traffic and there's no certificate-type header
being sent on input.
If you would like, I can send you some decoded SSL traffic off-list.
Perhaps this might clarify things.
From adding a few debug statements, here is where the various
complaints in get_line() are being called from:
pound: (40081960) line too long: CN = 77bd8e13-8851-4d7e-befd-0ee55dd8b014 [1024]
is triggered from this section of code in http.c around line 893 in Pound 2.4.3:
    /* if SSL put additional headers for client certificate */
    if(cur_backend->be_type == 0 && ssl != NULL) {
        SSL_CIPHER *cipher;

        if(lstn->clnt_check > 0 && x509 != NULL && (bb = BIO_new(BIO_s_mem())) != NULL) {
            /* print the subject DN on one line into the memory BIO, then read it back into buf */
            X509_NAME_print_ex(bb, X509_get_subject_name(x509), 8,
                XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
            get_line(bb, buf, MAXBUF);
this log line:
pound: (40081960) line too long: CN = sshoveler.mtv.corp.google.com [1024]
is triggered from line 911:
            /* issuer DN, same one-line print into the memory BIO */
            X509_NAME_print_ex(bb, X509_get_issuer_name(x509), 8,
                XN_FLAG_ONELINE & ~ASN1_STRFLGS_ESC_MSB);
            get_line(bb, buf, MAXBUF);
this log line:
pound: (40081960) line too long: Oct 23 16:45:22 2008 GMT [1024]
from line 924:
            /* notBefore validity date */
            ASN1_TIME_print(bb, X509_get_notBefore(x509));
            get_line(bb, buf, MAXBUF);
and this log line:
pound: (40081960) line too long: Oct 22 16:45:22 2013 GMT [1024]
from line 937:
            /* notAfter validity date */
            ASN1_TIME_print(bb, X509_get_notAfter(x509));
            get_line(bb, buf, MAXBUF);
[...]
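The thread turns on get_line() reading each certificate field out of a memory BIO into a MAXBUF-byte buffer and logging "line too long" when it decides the line did not fit. The following is an added example, not Pound's get_line() and not from this thread: a fixed-buffer line reader over a constructed in-memory stream that reports truncation only when a line genuinely exceeds the buffer and discards the overflow, while a final line with no trailing newline is returned as complete rather than as too long. MAXBUF, memstream, read_line, build_sample, line_status and line_len are names chosen here; the sample input is constructed.

```c
#include <string.h>
#define MAXBUF 1024   /* the [1024] in the log lines above */

enum line_status { LINE_OK, LINE_EOF, LINE_TOO_LONG };
/* In-memory stream standing in for the BIO (constructed for this example). */
struct memstream { const char *data; size_t len, pos; };

/* Read one line into buf[bufsz], dropping the '\n'. LINE_TOO_LONG means it
 * did not fit; the rest of that line is skipped so the next call starts on
 * a fresh one. A last line with no '\n' is still LINE_OK, not "too long". */
static enum line_status read_line(struct memstream *s, char *buf, size_t bufsz)
{
    size_t n = 0;
    if (s->pos >= s->len) { buf[0] = '\0'; return LINE_EOF; }
    while (s->pos < s->len) {
        char c = s->data[s->pos++];
        if (c == '\n') { buf[n] = '\0'; return LINE_OK; }
        if (n + 1 >= bufsz) {            /* no room for c plus the NUL */
            buf[n] = '\0';
            while (s->pos < s->len && s->data[s->pos++] != '\n') ;
            return LINE_TOO_LONG;
        }
        buf[n++] = c;
    }
    buf[n] = '\0';
    return LINE_OK;                      /* unterminated last line */
}

/* Constructed sample: two short values like those in the logs above, around
 * one MAXBUF-byte single-line value that cannot fit in a MAXBUF buffer. */
static char sample[MAXBUF + 128];
static const char *build_sample(void)
{
    size_t i = strlen(strcpy(sample, "CN = host.mydomain.com\n"));
    memset(sample + i, 'A', MAXBUF);
    i += MAXBUF;
    sample[i++] = '\n';
    strcpy(sample + i, "Oct 23 16:45:22 2008 GMT");   /* no trailing '\n' */
    return sample;
}
/* Status of the idx-th (0-based) line of text when read through a MAXBUF
 * buffer; the retained content is left in linebuf for line_len(). */
static char linebuf[MAXBUF];
static int line_status(const char *text, int idx)
{
    struct memstream s = { text, strlen(text), 0 };
    int st = LINE_OK, i;
    for (i = 0; i <= idx; i++)
        st = read_line(&s, linebuf, sizeof linebuf);
    return st;
}
static int line_len(const char *t, int i) { line_status(t, i); return (int)strlen(linebuf); }
```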