
http header 2048 bytes certificate truncated by pound
Jose Negreira <negreira(at)gmail.com>
2010-05-25 00:21:33
Hi
We are from Galicia, a region in the northwest of Spain.
We are using the Pound balancer and I would like to subscribe to the mailing list
in order to try to get some help with HTTP header certificates through Pound.

In our tests it seems certificates of 2048 bytes (like the ID card from Spain)
are truncated when passing through Pound (losing 53 bytes) in the HTTP header.
Pound is listening on just HTTP, no HTTPS.
Other HTTP header certificates (1024 bytes long) go through Pound
without problem.
If I remove the pound between apache and backend, 2048 bytes
certificates then work.

the configuration is simply:

#balancer for webspace
ListenHTTP
          Address localhost
          Port    50328
          Service
                  BackEnd
                      Address 10.61.10.53
                      Port    28082
                      Timeout 180
                      Priority 5
                  End
                  Emergency
                      Address 10.61.10.63
                      Port    28082
                  End
          End
End


many thanks in advance

Jose Negreira
Xunta de Galicia
Spain

RE: [Pound Mailing List] http header 2048 bytes certificate truncated by pound
Joe Gooch <mrwizard(at)k12system.com>
2010-05-25 00:40:57
What options did you give to configure when you compiled pound?  (line 6-8ish
of config.log)
Which HTTP header contains the certificate?

Thanks.
Joe


Re: [Pound Mailing List] http header 2048 bytes certificate truncated by pound
Jose Negreira <negreira(at)gmail.com>
2010-05-25 10:29:26
Hi Joe

we are using a pre-compiled pound package from a solaris repository:
http://www.blastwave.org/jir/pkgcontents.ftd?software=pound2&style=brief&state=5&arch=sparc
we download the binaries for sparc or intel machine accordingly.
The information about the package:
software pound2
pkgname CSWpound2
description 2.x branch of the Pound reverse proxy, load balancer and
HTTPS front-end for Web server(s)
vendor url http://www.apsis.ch/pound/
version 2.4.4
revision 2009-01-15

The apache configuration to add the certificate in the HEADER that
goes to the pound is:
in general config:
SSLOptions +StdEnvVars +ExportCertData +CompatEnvVars +StrictRequire
RequestHeader set SSL_CLIENT_CERT %{SSL_CLIENT_CERT}e
in the location that goes through the pound
<Location /application/html/acceso>
        SSLVerifyClient require
        SSLVerifyDepth  10
        SSLOptions +StdEnvVars +ExportCertData
        ProxyPass http://localhost:50238/application/html/acceso
        ProxyPassReverse http://localhost:50238/application/html/acceso
</Location>

best regards
José
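
A diagnostic for the truncation reported in this thread, as an added example that is not part of the original posts and not Pound or Apache code: run on the backend, it compares the length the forwarded certificate's DER header declares with what actually arrived. The function names, the space-joined single-line header form and the sample blob (not a real certificate) are assumptions constructed for the example.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def der_declared_length(der: bytes) -> int:
    """Total size (tag + length octets + body) claimed by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("value does not start with a DER SEQUENCE")
    if der[1] < 0x80:                       # short form: length in one octet
        return 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("DER length field is cut off")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_forwarded_cert(header_value: str) -> dict:
    """Compare what a PEM certificate header claims to hold with what arrived."""
    value = header_value.strip()
    report = {"header_chars": len(value), "has_begin": value.startswith(BEGIN),
              "has_end": value.endswith(END), "complete": False}
    if not report["has_begin"]:
        return report
    # Keep only the base64 body; "-" is not in the base64 alphabet, so the
    # first "-" after BEGIN marks the END line (or a partial one).
    body = re.sub(r"\s+", "", value[len(BEGIN):].split("-", 1)[0])
    body = body[:len(body) - len(body) % 4]  # decode only whole 4-char groups
    der = base64.b64decode(body)
    declared = der_declared_length(der)
    report.update(declared_der_bytes=declared, received_der_bytes=len(der),
                  missing_der_bytes=max(0, declared - len(der)))
    report["complete"] = report["has_end"] and declared == len(der)
    return report

def constructed_header() -> str:
    """Constructed sample: a 1540-byte DER-shaped blob, not a real certificate."""
    der = b"\x30\x82" + (1536).to_bytes(2, "big") + bytes(range(256)) * 6
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return " ".join([BEGIN, *lines, END])

if __name__ == "__main__":
    full = constructed_header()
    print(check_forwarded_cert(full))        # intact value
    print(check_forwarded_cert(full[:-53]))  # 53 characters lost, as in the report
```

A backend that receives the certificate this way can refuse any request for which `complete` is false instead of handing a partial certificate to its parser.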


