
pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>
2010-03-25 06:19:26
i've created my own CA ssl cert (CAcert.pem), and server cert (cert.pem).

verifying,

	openssl verify -verbose -CAfile /svr/ssl/CAcert.pem -purpose sslserver /svr/ssl/cert.pem
		cert.pem: OK

(and, fwiw, both are used without problem in other applications ...)

in /etc/pound.cfg, i've

		...
		ListenHTTPS
		    Address xx.xx.xx.xx
		    Port    443
		    Cert       "/svr/ssl/cert.pem"
		    Ciphers    "AES256-SHA"
		    VerifyList "/svr/ssl/CAcert.pem"
106	    CAlist     "/svr/ssl/CAcert.pem"
		    ClientCert 0 1
		    Service
		        URL ".*"
		        HeadRequire "Host:.*test.mydomain.com.*"
		        BackEnd
		            Address 127.0.0.1
		            Port    8043
		        End
		    End
		End
		...

@ pound service start, i get an error,

   line 106: SSL_load_client_CA_file "/svr/ssl/CAcert.pem" failed - aborted
error:0906D06C:PEM routines:PEM_read_bio:no start line

and pound fails to launch.

if i comment out line_No 106,

	--	    CAlist     "/svr/ssl/CAcert.pem"
	++	    #CAlist     "/svr/ssl/CAcert.pem"

pound launches without error, and i can connect just fine (btw,
Firefox @ client, with the CA loaded, recognizes the site's cert as
valid)

but, of course, without the CAlist spec, i can't get ClientCert
checking working.

known bug? or, suggestions as to the problem?

thanks!

Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>
2010-03-25 18:00:39
fyi,

in the report above, i'd installed pound from opensuse repos,

    pound-2.4.5-2.5.i586   @
http://download.opensuse.org/repositories/server:/http/openSUSE_Factory

just in case, i rm'd the pkg, and installed a source-build of

     http://www.apsis.ch/pound/Pound-2.5.tgz

now, if, as above, "CAlist ..." is included, the error still exists,
and is truncated to simply,

    /usr/local/etc/pound.cfg line 106: SSL_load_client_CA_file failed - aborted

with no further info @ console or in logs.

Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
Robert Segall <roseg(at)apsis.ch>
2010-03-26 15:59:12
On Wed, 2010-03-24 at 22:19 -0700, PGNet Dev wrote:
> i've created my own CA ssl cert (CAcert.pem), and server cert (cert.pem).
> 
> verifying,
> 
> 	openssl verify -verbose -CAfile /svr/ssl/CAcert.pem -purpose sslserver /svr/ssl/cert.pem
> 		cert.pem: OK
> 
> (and, fwiw, both are used without problem in other applications ...)
> 
> in /etc/pound.cfg, i've
> 
> 		...
> 		ListenHTTPS
> 		    Address xx.xx.xx.xx
> 		    Port    443
> 		    Cert       "/svr/ssl/cert.pem"
> 		    Ciphers    "AES256-SHA"
> 		    VerifyList "/svr/ssl/CAcert.pem"
> 106	    CAlist     "/svr/ssl/CAcert.pem"
> 		    ClientCert 0 1
> 		    Service
> 		        URL ".*"
> 		        HeadRequire "Host:.*test.mydomain.com.*"
> 		        BackEnd
> 		            Address 127.0.0.1
> 		            Port    8043
> 		        End
> 		    End
> 		End
> 		...
> 
> @ pound service start, i get an error,
> 
>    line 106: SSL_load_client_CA_file "/svr/ssl/CAcert.pem" failed - aborted
> error:0906D06C:PEM routines:PEM_read_bio:no start line
> 
> and pound fails to launch.
> 
> if i comment out line_No 106,
> 
> 	--	    CAlist     "/svr/ssl/CAcert.pem"
> 	++	    #CAlist     "/svr/ssl/CAcert.pem"
> 
> pound launches without error, and i can connect just fine (btw,
> Firefox @ client, with the CA loaded, recognizes the site's cert as
> valid)
> 
> but, of course, without the CAlist spec, i can't get ClientCert
> checking working.
> 
> known bug? or, suggestions as to the problem?

Most likely your CA certificate is not in PEM format. Have a look if it
contains something like

-----BEGIN CERTIFICATE-----
MIICczCCAdygAwIBAgIBADANBgkqhkiG9w0BAQQFADB0MQswCQYDVQQGEwJDSDEL
...
lTHD0JXi1g==
-----END CERTIFICATE-----

BTW, the CAlist has nothing to do with the client certificate
authentication, but rather it tells the client which of its certificates
to present if it has more than one.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19


Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>
2010-03-26 16:11:33
Hi,

On Fri, Mar 26, 2010 at 7:59 AM, Robert Segall <roseg(at)apsis.ch> wrote:
> Most likely your CA certificate is not in PEM format. Have a look if it
> contains something like

sure looks like it is ... and every other app that uses it seems to
recognize it as a .pem cert. here's what it contains,

 cat CAcert.pem

 -----BEGIN TRUSTED CERTIFICATE-----
 MIIH1TCCBb2gAwIBAgIES6qmYzANBgkqhkiG9w0BAQ0FADCB8jEYMBYGCgmSJomT
 ...
 BgEFBQcDCQ==
 -----END TRUSTED CERTIFICATE-----

note, however, the difference ... "TRUSTED".    i _believe_ this is a
result of specifically adding trust for the CAcert as a signer for an
OCSP global responder, with

    openssl x509 -inform PEM -in CAcertp.pem -addtrust OCSPSigning -outform PEM -out CAcert

Is pound, perhaps, thrown off by the presence of the "TRUSTED", or
something else?

thanks.

Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>
2010-03-26 16:29:48
On Fri, Mar 26, 2010 at 8:11 AM, PGNet Dev <pgnet.dev+pound(at)gmail.com>
wrote:
> Is pound, perhaps, thrown off by the presence of the "TRUSTED", or
> something else?

Just tested ... created a new cert, CAcert.pem (starts BEGIN
CERTIFICATE), same procedures/data as before, and then added trust to
it, as above, but named it as a _separate_ cert, CAcert-trusted.pem
(starts BEGIN TRUSTED CERTIFICATE)

Verified that both certs are fully functional in apache2+mod_ssl, with
no pound in the loop.  Both are OK.

With

  CAlist /svr/ssl/CAcert.pem

pound starts OK.

With

  CAlist /svr/ssl/CAcert-trusted.pem

pound fails/aborts @ launch, reporting the same no start line error as
above.

Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
Robert Segall <roseg(at)apsis.ch>
2010-03-26 16:59:06
On Fri, 2010-03-26 at 08:29 -0700, PGNet Dev wrote:
> On Fri, Mar 26, 2010 at 8:11 AM, PGNet Dev <pgnet.dev+pound(at)gmail.com> wrote:
> > Is pound, perhaps, thrown off by the presence of the "TRUSTED", or
> > something else?
> 
> Just tested ... created a new cert, CAcert.pem (starts BEGIN
> CERTIFICATE), same procedures/data as before, and then added trust to
> it, as above, but named it as a _separate_ cert, CAcert-trusted.pem
> (starts BEGIN TRUSTED CERTIFICATE)
> 
> Verified that both certs are fully functional in apache2+mod_ssl, with
> no pound in the loop.  Both are OK.
> 
> With
> 
>   CAlist /svr/ssl/CAcert.pem
> 
> pound starts OK.
> 
> With
> 
>   CAlist /svr/ssl/CAcert-trusted.pem
> 
> pound fails/aborts @ launch, reporting the same no start line error as above.

You have probably compiled Pound against a version of OpenSSL without
OCSP support (I seem to recall that it is optional). In any case, what
you see is pure OpenSSL - Pound has nothing to do with it.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19


Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>
2010-03-26 18:29:22
> You have probably compiled Pound against a version of OpenSSL without
> OCSP support (I seem to recall that it is optional).

it's built by default, now ...

certain, having verified, that my locally built openssl

	which openssl
		/usr/local/ssl/bin/openssl
	openssl version
		OpenSSL 0.9.8n 24 Mar 2010

DOES, in fact, contain ocsp support, I'd configured the Pound-2.5 build with,

	./configure --with-ssl=/usr/local/ssl

per your question, I checked,

	ldd `which pound`
	        linux-gate.so.1 =>  (0xf57fe000)
	        libpcreposix.so.0 => /lib/libpcreposix.so.0 (0xb76e1000)
	        libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7696000)
	        libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0xb7524000)
	        libresolv.so.2 => /lib/libresolv.so.2 (0xb750d000)
	        libdl.so.2 => /lib/libdl.so.2 (0xb7508000)
	        libm.so.6 => /lib/libm.so.6 (0xb74df000)
	        libpthread.so.0 => /lib/libpthread.so.0 (0xb74c5000)
	        libc.so.6 => /lib/libc.so.6 (0xb7365000)
	        libpcre.so.0 => /lib/libpcre.so.0 (0xb7336000)
	        libz.so.1 => /lib/libz.so.1 (0xb7321000)
	        /lib/ld-linux.so.2 (0xb7711000)

and note that it STILL links the system ssl/crypto libs ...

Looking in Pound's configure ...

	...
	# Check whether --with-ssl was given.
	if test "${with_ssl+set}" = set; then
	  withval=$with_ssl; CPPFLAGS="-I${with_ssl}/include ${CPPFLAGS}"; LDFLAGS="-L${with_ssl}/lib ${LDFLAGS}"; C_SSL="${with_ssl}"
	else
	...

identifies the problem -- no correct rpath support, or
specified/required flags for other-SSL usage.

rebuilding with,

	setenv LDFLAGS "`pkg-config --libs-only-L openssl` -Wl,-rpath,`pkg-config --libs-only-L openssl | sed s'/-L//'` `pkg-config --libs-only-l openssl`"
	setenv CPPFLAGS "-I/usr/local/include `pkg-config openssl --cflags` -I/usr/include"
	./configure --with-ssl=/usr/local/ssl


where,

	pkg-config --libs   "libcrypto" && \
	pkg-config --libs   "libssl"    && \
	pkg-config --libs   "openssl"   && \
	pkg-config --cflags "openssl"

		-L/usr/local/ssl/lib -lcrypto -ldl -lz
		-L/usr/local/ssl/lib -lssl -lcrypto -ldl -lz
		-L/usr/local/ssl/lib -lssl -lcrypto -ldl -lz
		-I/usr/local/ssl/include

the build now results, correctly, in

	ldd pound
	        linux-gate.so.1 =>  (0xf57fe000)
	        libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8 (0xb7873000)
	        libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0xb771a000)
	        libdl.so.2 => /lib/libdl.so.2 (0xb76ea000)
	        libz.so.1 => /lib/libz.so.1 (0xb76d5000)
	        libpcreposix.so.0 => /lib/libpcreposix.so.0 (0xb76d1000)
	        libresolv.so.2 => /lib/libresolv.so.2 (0xb76bb000)
	        libm.so.6 => /lib/libm.so.6 (0xb7692000)
	        libpthread.so.0 => /lib/libpthread.so.0 (0xb7678000)
	        libc.so.6 => /lib/libc.so.6 (0xb7518000)
	        /lib/ld-linux.so.2 (0xb78bd000)
	        libpcre.so.0 => /lib/libpcre.so.0 (0xb74e8000)

> In any case, what you see is pure OpenSSL - Pound has nothing to do with it.

strange, then, that it all works fine with other SSL-using apps.

after newly-rebuilt, linked-to-local-ssl-with-ocsp-support, pound
install, and pound- service restart, testing the 2 CAcert versions --
both with additional OCSP trust, and without -- the results are as
above.

pound restarts OK with CAcert.pem, but fails (with the error above)
with CAcert-trusted.pem.

again, verifying both Certs in apache2+mod_ssl, all is OK with BOTH certs.

Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
Robert Segall <roseg(at)apsis.ch>
2010-03-30 16:48:05
On Fri, 2010-03-26 at 10:29 -0700, PGNet Dev wrote:
> pound restarts OK with CAcert.pem, but fails (with the error above)
> with CAcert-trusted.pem.
> 
> again, verifying both Certs in apache2+mod_ssl, all is OK with BOTH certs.

Are you sure you fully understand what CAlist is for? Do you really need
it?

In any case, I would suggest you post a bug report at OpenSSL - all
Pound does is to load your certificates. SSL_load_client_CA_file()
returns an error when presented with a trusted certificate.
-- 
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19
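A pre-flight check for Robert's diagnosis, added here as an example and not code from the thread or from Pound: it lists the PEM labels in a bundle, reports the TRUSTED CERTIFICATE blocks that PEM_read_bio_X509 (the reader SSL_load_client_CA_file uses) skips, and strips the appended trust data so the block loads as a plain CERTIFICATE, which is also what `openssl x509 -in CAcert-trusted.pem -out CAcert.pem` without -trustout produces. The sample DER is constructed and is not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
PLAIN_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}   # labels PEM_read_bio_X509 accepts

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(label, base64.b64decode(body)) for label, body in PEM_RE.findall(text)]

def der_tlv_len(buf, pos=0):
    """Total size of the DER element at buf[pos]: tag + length octets + value."""
    if buf[pos + 1] < 0x80:                 # short form: one length octet
        return 2 + buf[pos + 1]
    n = buf[pos + 1] & 0x7F                 # long form: next n octets hold the length
    return 2 + n + int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def split_trusted(der):
    """Split a TRUSTED CERTIFICATE payload into (certificate DER, trust-aux DER)."""
    end = der_tlv_len(der)                  # the certificate is the leading SEQUENCE
    return der[:end], der[end:]

def check_ca_file(text):
    """Labels a plain X509 loader accepts vs. labels it skips ("no start line")."""
    report = {"accepted": [], "rejected": []}
    for label, _der in pem_blocks(text):
        report["accepted" if label in PLAIN_LABELS else "rejected"].append(label)
    return report

def to_plain_pem(der):
    """Emit DER as a plain CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def plain_bundle(text):
    """Rewrite a bundle so every block is a plain CERTIFICATE, trust data dropped."""
    out = []
    for label, der in pem_blocks(text):
        if label == "TRUSTED CERTIFICATE":
            der, _aux = split_trusted(der)
        elif label not in PLAIN_LABELS:
            continue                        # keys, CRLs etc. do not belong in a CA list
        out.append(to_plain_pem(der))
    return "".join(out)

# Constructed sample, not a real certificate: tiny SEQUENCE as the cert, empty SEQUENCE as -addtrust aux data.
FAKE_CERT_DER, FAKE_AUX_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05]), bytes([0x30, 0x00])
TRUSTED_PEM = ("-----BEGIN TRUSTED CERTIFICATE-----\n%s\n-----END TRUSTED CERTIFICATE-----\n"
               % base64.b64encode(FAKE_CERT_DER + FAKE_AUX_DER).decode())
```

Running `check_ca_file` over the bundle before pointing CAlist or VerifyList at it turns the opaque startup abort into a named offending block.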


Re: [Pound Mailing List] pound failing to load valid CAcert in CAfile -> "error:0906D06C:PEM routines:PEM_read_bio:no start line"
PGNet Dev <pgnet.dev+pound(at)gmail.com>
2010-03-30 17:16:40
On Tue, Mar 30, 2010 at 7:48 AM, Robert Segall <roseg(at)apsis.ch> wrote:
> In any case, I would suggest you post a bug report at OpenSSL - all
> Pound does is to load your certificates. SSL_load_client_CA_file()
> returns an error when presented with a trusted certificate.

Apparently not when used in mod_ssl ... which I'll use for the sites
that need it to fix the problem.

Thanks anyway!
