Scratch my last email - I found ClientCert,
to force using a client cert and 2 deep (hopefully mirroring 'SSLVerifyDepth 2', which I had in 141's Apache httpd.conf before moving SSL to Pound).
Peer does not recognize and trust the CA that issued your certificate.
So I'm on the right track but it looks like I need to include CAlist and VerifyList.
I read about (and hopefully understood) the difference between these, but my trouble begins when trying to understand how to correctly create them.
The connection to the server was reset while the page was loading.
I think I have the VerifyList pem made properly, but I'm unsure if the CAlist is really just a copy of my_CA.pem (if only one CA is listed as in my situation).
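A worked version of the three directives in play here (ClientCert, CAlist, VerifyList), added as an example; it is not code from this thread or from the Pound project. It assumes the openssl command-line tool, the addresses and subject values used further down the thread (192.168.1.140/141, O=CompanyName, OU=CompanyDept) and a throwaway working directory; the client names alice and mallory and the password changeit are made up. Per pound(8), ClientCert takes a mode and a depth: mode 2 asks for a client certificate and rejects the connection when none is presented (mode 1 asks but still lets certificate-less clients through), and the depth is how long a chain may be, so "ClientCert 2 2" is the Pound counterpart of SSLVerifyClient require plus SSLVerifyDepth 2. VerifyList holds the CA certificates the client's chain is verified against; CAlist holds the CA certificates whose names are sent to the browser so it knows which client certificate to offer. With a single private CA both files are just a copy of my_CA.pem, which the script shows by building them that way and then checking one certificate from that CA and one from an unrelated CA against the VerifyList.

```shell
#!/bin/sh
# Added example, not code from the thread or the Pound project: builds a
# throwaway client-cert PKI with the openssl CLI, writes the ListenHTTPS
# fragment that makes Pound insist on a client certificate, and checks
# certificates against the VerifyList the way Pound's OpenSSL will at the
# handshake. Every name, subject, address and path here is an assumption.
set -eu

# Assumed identities; the O/OU values mirror the old Apache SSLRequire rule.
CA_SUBJ="/O=CompanyName/CN=Company Client CA"
CLIENT_SUBJ="/O=CompanyName/OU=CompanyDept/CN=alice"
ROGUE_CA_SUBJ="/O=Elsewhere/CN=Rogue CA"

# make_test_pki DIR: private CA, server cert for the listener, one client cert
# from our CA and one from an unrelated CA that must be rejected.
# (openssl's progress chatter is silenced; set -e still aborts on failure.)
make_test_pki() {
    mkdir -p "$1"
    dir=$(cd "$1" && pwd)
    # 1. Private CA, self-signed (the shipped openssl.cnf marks it CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "$CA_SUBJ" \
        -keyout "$dir/my_CA.key" -out "$dir/my_CA.pem" 2>/dev/null
    # 2. Server key + cert; Pound's Cert file is just key and cert in one PEM.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=192.168.1.140" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/my_CA.pem" \
        -CAkey "$dir/my_CA.key" -CAcreateserial -days 365 \
        -out "$dir/server.crt" 2>/dev/null
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    # 3. Client cert signed by our CA, plus the PKCS#12 bundle (key + cert +
    #    CA) that gets imported into Firefox's certificate manager.
    openssl req -newkey rsa:2048 -nodes -subj "$CLIENT_SUBJ" \
        -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
    openssl x509 -req -in "$dir/alice.csr" -CA "$dir/my_CA.pem" \
        -CAkey "$dir/my_CA.key" -CAcreateserial -days 365 \
        -out "$dir/alice.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/alice.key" -in "$dir/alice.crt" \
        -certfile "$dir/my_CA.pem" -passout pass:changeit -out "$dir/alice.p12"
    # 4. Same O/OU but issued by a CA we never trusted: a stranger who accepted
    #    the self-signed server cert and minted their own client cert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$ROGUE_CA_SUBJ" \
        -keyout "$dir/rogue_CA.key" -out "$dir/rogue_CA.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=CompanyName/OU=CompanyDept/CN=mallory" \
        -keyout "$dir/mallory.key" -out "$dir/mallory.csr" 2>/dev/null
    openssl x509 -req -in "$dir/mallory.csr" -CA "$dir/rogue_CA.pem" \
        -CAkey "$dir/rogue_CA.key" -CAcreateserial -days 365 \
        -out "$dir/mallory.crt" 2>/dev/null
    # 5. VerifyList: CA certs the chain must end in. CAlist: CA names Pound
    #    advertises so the browser offers a matching cert. With one private CA
    #    both are that CA's certificate; with several, concatenate their PEMs.
    cat "$dir/my_CA.pem" > "$dir/VerifyList.pem"
    cat "$dir/my_CA.pem" > "$dir/CAlist.pem"
}

# write_pound_cfg DIR: the listener fragment, to stdout.
write_pound_cfg() {
    cat <<EOF
ListenHTTPS
    Address 192.168.1.140
    Port    443
    Cert    "$1/server.pem"
    ClientCert 2 2
    CAlist     "$1/CAlist.pem"
    VerifyList "$1/VerifyList.pem"
    Service
        BackEnd
            Address 192.168.1.141
            Port    8080
        End
    End
End
EOF
}

# client_cert_accepted VERIFYLIST CERT: succeeds only if CERT chains to a CA
# in VERIFYLIST. The "OK" line on stdout is the success signal that has been
# stable across OpenSSL versions (exit codes of `openssl verify` have varied).
client_cert_accepted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Demo run: build everything under $WORK and show which client certs get in.
WORK=${WORK:-${TMPDIR:-/tmp}/pound-clientcert-demo.$$}
if command -v openssl >/dev/null 2>&1; then
    make_test_pki "$WORK"
    write_pound_cfg "$WORK" > "$WORK/pound.cfg"
    for who in alice mallory; do
        if client_cert_accepted "$WORK/VerifyList.pem" "$WORK/$who.crt"; then
            echo "$who.crt: accepted (issuer is in VerifyList)"
        else
            echo "$who.crt: rejected (issuer not in VerifyList)"
        fi
    done
    echo "files written to $WORK"
else
    echo "openssl not found: skipping the PKI demo" >&2
fi
```

Run it with `sh pound-clientcert.sh`: alice.crt verifies and mallory.crt, with the same O/OU but a different issuer, is rejected, which is exactly the check Pound now performs instead of Apache. The old SSLRequire test on O/OU is not something Pound does itself; Pound 2.x passes the verified client certificate's subject and issuer to the backend in request headers (X-SSL-Subject and friends; check the HTTPS section of pound(8) for the exact names in your version), so that rule would have to be re-done on the backend against those headers, and the backend must accept them only from Pound, never from a client that can reach it directly.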
From: Pound Rproxy <poundrproxy@yahoo.com>
To: pound@apsis.ch
Sent: Sun, March 13, 2011 5:55:34 PM
Subject: Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
Thanks Dave,
I found my problem (not Pound ;-) and things are _partly_ working now -
https is working for the first server (let's ignore the second server =)
__but__ it doesn't care if I use a private key or not - so anyone can see the
self-signed cert, accept it, and visit the site behind it.
I'm not sure how to configure pound to check for a private key in the users
browser.
Before I created the single pem file (from .crt and .key) to use on pound, the
machine with the self-signed cert was only visible to client browsers with a
private key.
This access restriction was created in the apache httpd.conf file with the
following:
<Directory />
    ...normal stuff...
    <IfDefine SSL>
        SSLRequireSSL
        # mod_ssl's string-equality operator is "eq" (the posted "req" is not an operator)
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "CompanyName" and \
                   %{SSL_CLIENT_S_DN_OU} in {"CompanyDept"}
    </IfDefine>
</Directory>
and:
SSLEngine On
SSL Cert dirs...
----> SSLVerifyClient require
etc
The only way I can imagine doing the same now would be to run Apache on the same
server as Pound, but I don't want that, and I doubt this would stick for backend
servers I want Pound to redirect to.
Perhaps I should still enable SSL, e.g. 'SSLVerifyClient require' etc., on Apache on
the first backend, 141? This is the server that did this before I tried Pound.
The only other option I see is to create the PEM on 141 and move it to the pound
server, but again, where does pound require the private key to access the
self-signed cert and backends?
My goal in using pound is to have one pem file on it, and direct a few
restricted users each with a private key to backend servers, all viewed in
https.
Please keep the suggestions coming, I'm slowly learning here! :D
________________________________
From: Dave Steinberg <dave@redterror.net>
To: pound@apsis.ch
Sent: Sun, March 13, 2011 4:01:46 AM
Subject: Re: [Pound Mailing List] Using Private Key for Client Auth with Pound
On 3/12/2011 4:18 AM, Pound Rproxy wrote:
> I currently have a server that has a self-signed SSL cert and viewing it is
> restricted by using a private key that's been exported to Firefox.
> I want to put Pound in front of this and 1 other server, so that both are using
> the same https listener in pound.cfg and the same private key on the client end
> for restricting access.
>
> My confusion is mostly around where to generate the server.pem for Pound.
> Do I generate the server.pem and private browser key on the pound server or
> import the server.pem from a backend server?
It doesn't matter where they are generated. A PEM file is just a
private key + certificate, you can make it anywhere.
> If the second option, does this mean I can only have one SSL backend per Pound
> instance?
You can have many ListenHTTPS directives per pound instance, it has
nothing to do with the certificates used.
> I'm just at point of testing now (creating keys takes me a while) and have
> created a new CA, self-signed cert, pem file, and private key on the Pound
> server.
> I have commented out all SSL stuff in the Apache httpd.conf files on both
> backend servers so now they should just pass http requests back to Pound.
> I've tested that each backend resolves with http and without need for a private
> key, as I want Pound to handle this.
> But I can't get Pound to resolve the backends. Am I doing something wrong or
> that isn't possible?
>
> Here's my pound.cfg so far:
>
> ListenHTTPS
>     Address 192.168.1.140
>     Port 443
>     Cert "/usr/etc/server.pem"
>     LogLevel 2
>
>     Service
>         BackEnd
>             Address 192.168.1.141
>             Port 8080
>         End
>     End
>
>     Service
>         BackEnd
>             Address 192.168.1.142
>             Port 8083
>         End
>     End
>
> End
Your config looks fine. What happens when you hit it, specifically?
Regards,
--
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/
--
To unsubscribe send an email with subject unsubscribe to pound@apsis.ch.
Please contact roseg@apsis.ch for questions.