Pound Mailing List Archive / 2011-04
pound-2.6c multiple SSL certificates, comparing servername to wrong SSL certificate field ?
Sander Eikelenboom <linux(at)eikelenboom.it> | 2011-04-07 17:31:24
Hi All,
I'm trying to use Pound as a reverse proxy to multiple Apaches, with SSL and
SNI support.
I have used the same SSL certificates with Apache and nginx and they worked
well with the servername in the Common Name field (CN).
With "pound-2.6c", it doesn't work. Only one SSL certificate works, because the
code seems to compare the wrong item from the certificate to the SNI
servername.
For my certificate it seems to compare the email address
"sander(at)eikelenboom.it" instead of the CN "backup.eikelenboom.it" (that
would match the SNI servername.)
--
Sander
The info from the certificate:
root(at)webproxy:/etc/pound# openssl x509 -in backup.eikelenboom.it.crt -inform PEM -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, CN=Eikelenboom IT services CA/emailAddress=Sander(at)Eikelenboom.IT
        Validity
            Not Before: May  1 16:03:45 2010 GMT
            Not After : May  1 16:03:45 2011 GMT
        Subject: C=NL, ST=Noord-Brabant, L=Eindhoven, O=Eikelenboom IT services, OU=backup, CN=backup.eikelenboom.it/emailAddress=Sander(at)Eikelenboom.IT
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
<SNIP>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                TinyCA Generated Certificate
            X509v3 Subject Key Identifier:
                44:4F:07:F1:66:E7:92:45:D3:4A:55:33:65:26:34:CE:D8:93:AD:09
            X509v3 Authority Key Identifier:
                keyid:BA:E9:75:01:FB:61:98:25:BF:7A:BF:1D:4C:A5:34:52:62:4F:44:D7
                DirName:/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services/CN=Eikelenboom IT services CA/emailAddress=Sander(at)Eikelenboom.IT
                serial:A8:CF:55:3F:39:E2:FB:60
            X509v3 Issuer Alternative Name:
                email:Sander(at)Eikelenboom.IT
            X509v3 Subject Alternative Name:
                email:Sander(at)Eikelenboom.IT
    Signature Algorithm: sha1WithRSAEncryption
<SNIP>
Re: [Pound Mailing List] pound-2.6c multiple SSL certificates, comparing servername to wrong SSL certificate field ?
Sander Eikelenboom <linux(at)eikelenboom.it> | 2011-04-08 09:56:47
Seems I have fixed it.
The problem is that the current code assumes the "commonname" to be the last
item of the Subject, which isn't always true.
The code now should also support multiple CNs in a certificate.
Patch is attached, please review, since C isn't my normal programming language.
--
Sander
Attachments: patch.diff (application/octet-stream, 3191 Bytes)
RE: [Pound Mailing List] pound-2.6c multiple SSL certificates, comparing servername to wrong SSL certificate field ?
Joe Gooch <mrwizard(at)k12system.com> | 2011-04-08 19:06:21
If you remove the fnmatch and replace it with strcasecmp, then wildcard
certificates won't match. (i.e. www.domain.org won't match a *.domain.org
certificate)
I'll look further at the X509 stuff.
Joe
Re: [Pound Mailing List] pound-2.6c multiple SSL certificates, comparing servername to wrong SSL certificate field ?
Sander Eikelenboom <linux(at)eikelenboom.it> | 2011-04-08 19:22:55
Ah, didn't think of the wildcard case, stupid of me ...
But the fnmatch seemed to result in a segfault while matching.
Seems I still have a problem: initially it seems to parse all 4 certificates
from the config file.
While matching, there only seem to be 2 left (the first and the last).
Re: [Pound Mailing List] pound-2.6c multiple SSL certificates, comparing servername to wrong SSL certificate field ?
Sander Eikelenboom <linux(at)eikelenboom.it> | 2011-04-08 20:05:05
OK, I have reverted the strcasecmp to fnmatch, no segfault, so that seems to have
been my imagination.
So the point left to discover is why only the first and last "Cert("")" seem to
be used for the matching (although all certs get parsed on startup).
Re: [Pound Mailing List] pound-2.6c multiple SSL certificates, comparing servername to wrong SSL certificate field ?
Robert Segall <roseg(at)apsis.ch> | 2011-04-11 10:23:41
On Thu, 2011-04-07 at 17:31 +0200, Sander Eikelenboom wrote: [...]
I must admit this is the first time that I see a certificate in this
format (CN=backup.eikelenboom.it/emailAddress=Sander(at)Eikelenboom.IT). Is
this a normal server certificate (as opposed to an "EMail-only"
certificate)? As a self-signed certificate, I suppose you can do
whatever you want. I am not even sure that this is legal: what exactly
is the CN? I would say it depends on what parser you use, but it could
be backup.eikelenboom.it or backup.eikelenboom.it/emailAddress or even
backup.eikelenboom.it/emailAddress=Sander(at)Eikelenboom.IT.
Could people on the list please check their "official" certificates to
see if this is normal practice?
Re: [Pound Mailing List] pound-2.6c multiple SSL certificates, comparing servername to wrong SSL certificate field ?
Sander Eikelenboom <linux(at)eikelenboom.it> | 2011-04-11 10:36:02
It's a self-signed certificate, produced by TinyCA2, which is a wrapper around
OpenSSL.
After adjusting the code so it's not using deprecated methods from OpenSSL, it
derives the CN properly (only the CN backup.eikelenboom.it without the
mail address).
The same certificate is parsed OK by Apache and nginx.
Only problem now is the part of the code that stores the CN when the config
gets parsed.
It seems it only stores the first and last certificate; the rest is omitted or
overwritten somehow.
--
Sander
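An added, self-contained C example (not Pound's code and not from any message in this thread) that pulls together the three points raised so far: the "last item of the Subject" assumption from the first two messages, the wildcard concern in Joe's reply, and the "only the CN, without the mail address" result from the message above. To build without OpenSSL it works on the one-line subject string in the form X509_NAME_oneline() renders (the first entry is the subject of the certificate posted above, with the archive's "(at)" written as "@"); the two other subjects, the SNI names and every function name are constructed for illustration. Real code should walk the parsed name with X509_NAME_get_index_by_NID(name, NID_commonName, last) instead of string-scanning, and should also consult subjectAltName dNSName entries, which this certificate does not carry.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_CN 8
#define CN_LEN 256

/* Subject of the certificate in the first message, as X509_NAME_oneline()
 * renders it, followed by two constructed subjects used only for illustration. */
static const char *const SUBJECTS[] = {
    "/C=NL/ST=Noord-Brabant/L=Eindhoven/O=Eikelenboom IT services/OU=backup"
    "/CN=backup.eikelenboom.it/emailAddress=Sander@Eikelenboom.IT",
    "/C=NL/O=Example/CN=*.example.org",                  /* constructed: wildcard */
    "/C=NL/O=Example/CN=www.example.net/CN=example.net", /* constructed: two CNs */
};
#define NSUBJECTS (int)(sizeof SUBJECTS / sizeof SUBJECTS[0])

/* The faulty assumption: the value after the LAST '/' is the server name.
 * For SUBJECTS[0] this returns "emailAddress=Sander@Eikelenboom.IT". */
static const char *last_rdn(const char *oneline)
{
    const char *slash = strrchr(oneline, '/');
    return slash ? slash + 1 : oneline;
}

/* Copy every "CN=" value of the one-line subject into cns[]; returns the count.
 * Finds a CN anywhere in the string and handles more than one CN.  A '/' inside
 * a value is ambiguous in this format, one reason to prefer the parsed X509_NAME. */
static int subject_common_names(const char *oneline, char cns[][CN_LEN], int max)
{
    int n = 0;
    const char *p = oneline;

    while (n < max && (p = strstr(p, "/CN=")) != NULL) {
        size_t len;
        p += 4;
        len = strcspn(p, "/");
        if (len >= CN_LEN)
            len = CN_LEN - 1;
        memcpy(cns[n], p, len);
        cns[n][len] = '\0';
        n++;
        p += len;
    }
    return n;
}

/* Case-insensitive host-name comparison with wildcard handling in the style of
 * RFC 6125: "*" is honoured only as the whole left-most label and matches
 * exactly one label, so "*.example.org" matches "www.example.org" but not
 * "a.b.example.org" or "example.org".  fnmatch(3) would let '*' span dots and
 * would treat '?' and '[' in a CN as pattern characters; plain strcasecmp()
 * would reject wildcard certificates entirely, the problem Joe pointed out. */
static int hostname_matches(const char *pattern, const char *host)
{
    const char *dot;

    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;
    if (strchr(pattern + 2, '.') == NULL)      /* refuse "*.org"-style patterns */
        return 0;
    dot = strchr(host, '.');                   /* host needs a label before the suffix */
    if (dot == NULL || dot == host)
        return 0;
    return strcasecmp(pattern + 1, dot) == 0;  /* ".example.org" vs ".example.org" */
}

/* What an SNI callback needs: the index of the first certificate whose subject
 * has a CN matching the requested server name, or -1 if none does. */
static int select_cert(const char *const subjects[], int ncert, const char *sni)
{
    char cns[MAX_CN][CN_LEN];
    int i, j, n;

    for (i = 0; i < ncert; i++) {
        n = subject_common_names(subjects[i], cns, MAX_CN);
        for (j = 0; j < n; j++)
            if (hostname_matches(cns[j], sni))
                return i;
    }
    return -1;
}

int main(void)
{
    static const char *const sni[] = {
        "backup.eikelenboom.it", "www.example.org", "a.b.example.org", "example.net"
    };
    char cns[MAX_CN][CN_LEN];
    int i, n;

    printf("last RDN of subject 0: %s\n", last_rdn(SUBJECTS[0]));
    n = subject_common_names(SUBJECTS[0], cns, MAX_CN);
    for (i = 0; i < n; i++)
        printf("CN[%d] of subject 0: %s\n", i, cns[i]);
    for (i = 0; i < (int)(sizeof sni / sizeof sni[0]); i++)
        printf("SNI %-22s -> certificate %d\n", sni[i],
               select_cert(SUBJECTS, NSUBJECTS, sni[i]));
    return 0;
}
```

The wildcard matcher is deliberately stricter than fnmatch(): it never lets "*" cross a label boundary and refuses patterns such as "*.org", so a wildcard certificate can only be selected for hosts one label below its suffix.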
Re: [Pound Mailing List] pound-2.6c multiple SSL certificates, comparing servername to wrong SSL certificate field ?
Sander Eikelenboom <linux(at)eikelenboom.it> | 2011-04-11 11:28:46
Also the examples on http://en.wikipedia.org/wiki/X.509
seem to use the same structure. So it probably depends on whether you specify an
email address or not.