Hi Robert,
The parsing of the CN name is OK now, as i said earlier there still is a
problem only the first and last certificate seems to be matched,
although all are parsed from the config file without error.
--
Sander
When pound starts:
Starting reverse proxy and load balancer: poundstarting...
CN=<backup.eikelenboom.it>
CN=<git.eikelenboom.it>
CN=<davical.eikelenboom.it>
CN=<security.eikelenboom.it>
So all have been parsed OK.
Below the log after applying the patch below:
root(at)webproxy:/usr/src/pound-2.6d# diff -U5 ../Pound-2.6d/config.c config.c
--- ../Pound-2.6d/config.c 2011-04-11 15:59:05.000000000 +0200
+++ config.c 2011-04-11 19:20:00.000000000 +0200
(at)(at) -795,18 +795,19 (at)(at)
return SSL_TLSEXT_ERR_NOACK;
/* logmsg(LOG_DEBUG, "Received SSL SNI Header for servername %s",
servername); */
SSL_set_SSL_CTX(ssl, NULL);
- for(pc = ctx; pc; pc = pc->next)
+ for(pc = ctx; pc; pc = pc->next){
+ logmsg(LOG_DEBUG, "try to match pc->server_name %s to server_name
%s",pc->server_name,server_name);
if(fnmatch(pc->server_name, server_name, 0) == 0) {
/* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
SSL_set_SSL_CTX(ssl, pc->ctx);
return SSL_TLSEXT_ERR_OK;
}
-
- /* logmsg(LOG_DEBUG, "No match for %s, default used", server_name); */
+ }
+ logmsg(LOG_DEBUG, "No match for %s, default used", server_name);
SSL_set_SSL_CTX(ssl, ctx->ctx);
return SSL_TLSEXT_ERR_OK;
}
#endif
Here you see the output when iterating through the certificates, only the first
and last present.
Apr 11 19:21:46 webproxy pound: try to match pc->server_name
backup.eikelenboom.it to server_name davical.eikelenboom.it
Apr 11 19:21:46 webproxy pound: try to match pc->server_name
security.eikelenboom.it to server_name davical.eikelenboom.it
Apr 11 19:21:46 webproxy pound: No match for davical.eikelenboom.it, default
used
Probably the parsing code isn't storing the certificates properly in the
variable or overwriting them somewhere in:
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
/* we have support for SNI */
FILE *fcert;
char server_name[MAXBUF], *cp;
X509 *x509;
if(has_other)
conf_err("Cert directives MUST precede other SSL-specific
directives - aborted");
if(res->ctx) {
for(pc = res->ctx; res->next; res = res->next)
;
if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
conf_err("ListenHTTPS new POUND_CTX: out of memory -
aborted");
pc = pc->next;
} else {
if((res->ctx = malloc(sizeof(POUND_CTX))) == NULL)
conf_err("ListenHTTPS new POUND_CTX: out of memory -
aborted");
pc = res->ctx;
}
if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
conf_err("SSL_CTX_new failed - aborted");
pc->server_name = NULL;
pc->next = NULL;
lin[matches[1].rm_eo] = '\0';
if(SSL_CTX_use_certificate_chain_file(pc->ctx, lin +
matches[1].rm_so) != 1)
conf_err("SSL_CTX_use_certificate_chain_file failed -
aborted");
if(SSL_CTX_use_PrivateKey_file(pc->ctx, lin + matches[1].rm_so,
SSL_FILETYPE_PEM) != 1)
conf_err("SSL_CTX_use_PrivateKey_file failed - aborted");
if(SSL_CTX_check_private_key(pc->ctx) != 1)
conf_err("SSL_CTX_check_private_key failed - aborted");
if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
conf_err("ListenHTTPS: could not open certificate file");
if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
conf_err("ListenHTTPS: could not get certificate subject");
fclose(fcert);
memset(server_name, '\0', MAXBUF);
X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF
- 1);
X509_free(x509);
if(!regexec(&CNName, server_name, 4, matches, 0)) {
server_name[matches[1].rm_eo] = '\0';
if((pc->server_name = strdup(server_name +
matches[1].rm_so)) == NULL)
conf_err("ListenHTTPS: could not set certificate subject");
} else
conf_err("ListenHTTPS: could not get certificate CN");
fprintf(stderr, "CN=<%s>\n", pc->server_name);
#else
/* no SNI support */
Monday, April 11, 2011, 4:06:39 PM, you wrote:
[...]
[...]
[...]
[...]
[...]
|
