pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>, 2010-03-25 06:19:26
I've created my own CA SSL cert (CAcert.pem) and server cert (cert.pem).
Verifying,
    openssl verify -verbose -CAfile /svr/ssl/CAcert.pem -purpose sslserver /svr/ssl/cert.pem
    cert.pem: OK
(and, fwiw, both are used without problem in other applications ...)
In /etc/pound.cfg, I've
    ...
    ListenHTTPS
        Address xx.xx.xx.xx
        Port 443
        Cert "/svr/ssl/cert.pem"
        Ciphers "AES256-SHA"
        VerifyList "/svr/ssl/CAcert.pem"
        CAlist "/svr/ssl/CAcert.pem"        # line 106
        ClientCert 0 1
        Service
            URL ".*"
            HeadRequire "Host:.*test.mydomain.com.*"
            BackEnd
                Address 127.0.0.1
                Port 8043
            End
        End
    End
    ...
At pound service start, I get an error,
    line 106: SSL_load_client_CA_file "/svr/ssl/CAcert.pem" failed - aborted
    error:0906D06C:PEM routines:PEM_read_bio:no start line
and pound fails to launch.
If I comment out line 106,
    -- CAlist "/svr/ssl/CAcert.pem"
    ++ #CAlist "/svr/ssl/CAcert.pem"
pound launches without error, and I can connect just fine (btw, Firefox at the client, with the CA loaded, recognizes the site's cert as valid).
But, of course, without the CAlist spec, I can't get ClientCert checking working.
Known bug? Or suggestions as to the problem?
Thanks!
Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>, 2010-03-25 18:00:39
FYI, in the report above I'd installed pound from the openSUSE repos, pound-2.4.5-2.5.i586 at
    http://download.opensuse.org/repositories/server:/http/openSUSE_Factory
Just in case, I rm'd the pkg and installed a source build of
    http://www.apsis.ch/pound/Pound-2.5.tgz
Now, if, as above, "CAlist ..." is included, the error still exists, and is truncated to simply,
    /usr/local/etc/pound.cfg line 106: SSL_load_client_CA_file failed - aborted
with no further info at the console or in logs.
Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
Robert Segall <roseg(at)apsis.ch>, 2010-03-26 15:59:12
On Wed, 2010-03-24 at 22:19 -0700, PGNet Dev wrote: [...]
Most likely your CA certificate is not in PEM format. Have a look whether it contains something like
    -----BEGIN CERTIFICATE-----
    MIICczCCAdygAwIBAgIBADANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJDSDEL
    ...
    lTHD0JXi1g==
    -----END CERTIFICATE-----
BTW, the CAlist has nothing to do with the client certificate authentication, but rather it tells the client which of its certificates to present if it has more than one. [...]
Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>, 2010-03-26 16:11:33
Hi,
On Fri, Mar 26, 2010 at 7:59 AM, Robert Segall <roseg(at)apsis.ch> wrote: [...]
Sure looks like it is ... and every other app that uses it seems to recognize it as a .pem cert. Here's what it contains,
    cat CAcert.pem
    -----BEGIN TRUSTED CERTIFICATE-----
    MIIH1TCCBb2gAwIBAgIES6qmYzANBgkqhkiG9w0BAQ0FADCB8jEYMBYGCgmSJomT
    ...
    BgEFBQcDCQ==
    -----END TRUSTED CERTIFICATE-----
Note, however, the difference ... "TRUSTED". I _believe_ this is a result of specifically adding trust for the CAcert as a signer for an OCSP global responder, with
    openssl x509 -inform PEM -in CAcertp.pem -addtrust OCSPSigning -outform PEM -out CAcert
Is pound, perhaps, thrown off by the presence of the "TRUSTED", or something else?
Thanks.
Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>, 2010-03-26 16:29:48
On Fri, Mar 26, 2010 at 8:11 AM, PGNet Dev <pgnet.dev+pound(at)gmail.com> wrote: [...]
Just tested ... created a new cert, CAcert.pem (starts BEGIN CERTIFICATE), same procedures/data as before, and then added trust to it, as above, but named it as a _separate_ cert, CAcert-trusted.pem (starts BEGIN TRUSTED CERTIFICATE).
Verified that both certs are fully functional in apache2+mod_ssl, with no pound in the loop. Both are OK.
With
    CAlist /svr/ssl/CAcert.pem
pound starts OK.
With
    CAlist /svr/ssl/CAcert-trusted.pem
pound fails/aborts at launch, reporting the same "no start line" error as above.
Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
Robert Segall <roseg(at)apsis.ch>, 2010-03-26 16:59:06
On Fri, 2010-03-26 at 08:29 -0700, PGNet Dev wrote:[...]
You have probably compiled Pound against a version of OpenSSL without
OCSP support (I seem to recall that it is optional). In any case, what
you see is pure OpenSSL - Pound has nothing to do with it.[...]
Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>, 2010-03-26 18:29:22
> You have probably compiled Pound against a version of OpenSSL without [...]
It's built by default, now ...
Certain, having verified that my locally built openssl
    which openssl
    /usr/local/ssl/bin/openssl
    openssl version
    OpenSSL 0.9.8n 24 Mar 2010
DOES, in fact, contain OCSP support, I'd configured the Pound-2.5 build with,
    ./configure --with-ssl=/usr/local/ssl
Per your question, I checked,
    ldd `which pound`
    linux-gate.so.1 => (0xf57fe000)
    libpcreposix.so.0 => /lib/libpcreposix.so.0 (0xb76e1000)
    libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7696000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7524000)
    libresolv.so.2 => /lib/libresolv.so.2 (0xb750d000)
    libdl.so.2 => /lib/libdl.so.2 (0xb7508000)
    libm.so.6 => /lib/libm.so.6 (0xb74df000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb74c5000)
    libc.so.6 => /lib/libc.so.6 (0xb7365000)
    libpcre.so.0 => /lib/libpcre.so.0 (0xb7336000)
    libz.so.1 => /lib/libz.so.1 (0xb7321000)
    /lib/ld-linux.so.2 (0xb7711000)
and note that it STILL links the system ssl/crypto libs ...
Looking in Pound's configure ...
    ...
    # Check whether --with-ssl was given.
    if test "${with_ssl+set}" = set; then
      withval=$with_ssl; CPPFLAGS="-I${with_ssl}/include ${CPPFLAGS}";
      LDFLAGS="-L${with_ssl}/lib ${LDFLAGS}"; C_SSL="${with_ssl}"
    else
    ...
identifies the problem -- no correct rpath support, or specified/required flags for other-SSL usage.
Rebuilding with,
    setenv LDFLAGS "`pkg-config --libs-only-L openssl` \
        -Wl,-rpath,`pkg-config --libs-only-L openssl | sed s'/-L//'` \
        `pkg-config --libs-only-l openssl`"
    setenv CPPFLAGS "-I/usr/local/include `pkg-config openssl --cflags` -I/usr/include"
    ./configure --with-ssl=/usr/local/ssl
where,
    pkg-config --libs "libcrypto" && \
    pkg-config --libs "libssl" && \
    pkg-config --libs "openssl" && \
    pkg-config --cflags "openssl"
    -L/usr/local/ssl/lib -lcrypto -ldl -lz
    -L/usr/local/ssl/lib -lssl -lcrypto -ldl -lz
    -L/usr/local/ssl/lib -lssl -lcrypto -ldl -lz
    -I/usr/local/ssl/include
the build now results, correctly, in
    ldd pound
    linux-gate.so.1 => (0xf57fe000)
    libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8 (0xb7873000)
    libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0xb771a000)
    libdl.so.2 => /lib/libdl.so.2 (0xb76ea000)
    libz.so.1 => /lib/libz.so.1 (0xb76d5000)
    libpcreposix.so.0 => /lib/libpcreposix.so.0 (0xb76d1000)
    libresolv.so.2 => /lib/libresolv.so.2 (0xb76bb000)
    libm.so.6 => /lib/libm.so.6 (0xb7692000)
    libpthread.so.0 => /lib/libpthread.so.0 (0xb7678000)
    libc.so.6 => /lib/libc.so.6 (0xb7518000)
    /lib/ld-linux.so.2 (0xb78bd000)
    libpcre.so.0 => /lib/libpcre.so.0 (0xb74e8000)
[...]
Strange, then, that it all works fine with other SSL-using apps.
After the newly rebuilt (linked to local SSL with OCSP support) pound install and a pound service restart, testing the 2 CAcert versions -- both with additional OCSP trust and without -- the results are as above.
pound restarts OK with CAcert.pem, but fails (with the error above) with CAcert-trusted.pem.
Again, verifying both certs in apache2+mod_ssl, all is OK with BOTH certs.
Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
Robert Segall <roseg(at)apsis.ch>, 2010-03-30 16:48:05
On Fri, 2010-03-26 at 10:29 -0700, PGNet Dev wrote:[...]
Are you sure you fully understand what CAlist is for? Do you really need
it?
In any case, I would suggest you post a bug report at OpenSSL - all
Pound does is to load your certificates. SSL_load_client_CA_file()
returns an error when presented with a trusted certificate.[...]
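Added example (not code from the thread, Pound or OpenSSL): a small Python check for the situation above. It scans a CAlist file for the two PEM labels the thread compares, reports which blocks the plain certificate reader behind SSL_load_client_CA_file will accept, and rewrites "TRUSTED CERTIFICATE" blocks to plain "CERTIFICATE" blocks by dropping the X509_CERT_AUX trailer that openssl x509 -addtrust appends after the certificate DER. The sample input is constructed; its certificate body is a 5-byte stand-in SEQUENCE, not a real X.509 certificate.

```python
import base64
import re

# One PEM block: label, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# PEM_read_bio_X509 (used by SSL_load_client_CA_file) accepts these labels only;
# "TRUSTED CERTIFICATE" is read by PEM_read_bio_X509_AUX, which Pound does not call.
PLAIN_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
TRUSTED_LABEL = "TRUSTED CERTIFICATE"

def pem_blocks(text):
    """Yield (label, der_bytes) for each PEM block in text."""
    for m in PEM_BLOCK.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_sequence_length(der):
    """Total size (tag + length + content) of the DER SEQUENCE at der[0]."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    n = der[1] & 0x7F if der[1] >= 0x80 else 0   # long form: 0x8n, then n length bytes
    if der[1] >= 0x80 and not 1 <= n <= 4:
        raise ValueError("bad DER length")
    total = 2 + n + (int.from_bytes(der[2:2 + n], "big") if n else der[1])
    if total > len(der):
        raise ValueError("truncated DER SEQUENCE")
    return total

def strip_trust_aux(der):
    """A TRUSTED CERTIFICATE body is the certificate DER immediately followed by an
    X509_CERT_AUX DER; keep only the leading certificate SEQUENCE."""
    return der[:der_sequence_length(der)]

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def classify(text):
    """Per block: (label, loadable by SSL_load_client_CA_file, aux trailer bytes)."""
    return [(label, label in PLAIN_LABELS, len(der) - der_sequence_length(der))
            for label, der in pem_blocks(text)]

def normalize(text):
    """Rewrite TRUSTED CERTIFICATE blocks as plain CERTIFICATE blocks, which is what
    'openssl x509 -in trusted.pem -out plain.pem' (without -trustout) also does."""
    return "".join(to_pem("CERTIFICATE", strip_trust_aux(der)) if label == TRUSTED_LABEL
                   else to_pem(label, der) for label, der in pem_blocks(text))

# Constructed sample: stand-in cert SEQUENCE (not a real X.509 cert) followed by an
# X509_CERT_AUX granting OCSPSigning trust (OID 1.3.6.1.5.5.7.3.9).
CERT_STUB = bytes.fromhex("3003020105")
OCSP_SIGNING_AUX = bytes.fromhex("300c300a06082b06010505070309")
SAMPLE = to_pem(TRUSTED_LABEL, CERT_STUB + OCSP_SIGNING_AUX) + to_pem("CERTIFICATE", CERT_STUB)
```

Running `classify(SAMPLE)` flags the TRUSTED block as not loadable with a 14-byte trust trailer, and `normalize(SAMPLE)` yields two identical plain CERTIFICATE blocks that CAlist can load.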
Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>, 2010-03-30 17:16:40
On Tue, Mar 30, 2010 at 7:48 AM, Robert Segall <roseg(at)apsis.ch>
wrote:[...]
Apparently not when used in mod_ssl ... which I'll use for the sites
that need it to fix the problem.
Thanks anyway!