Pound Mailing List / Archive / 2011 / 2011-04
ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
Robert Segall <roseg(at)apsis.ch>
2011-04-11 16:06:39
This is to announce the release of Pound v2.6d. This is an experimental
version - the fourth (and hopefully the last prior to the stable
release) in the 2.6 series. Changes since version 2.6c:

Enhancements:
- added parsing for the certificate CN

Bug fixes:
- fixed problem in task enqueuing
- fixed small problem in Makefile

The software is at version 2.6d (beta quality). Further testing
(especially under heavy loads), improvements and suggestions are
welcome.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
Albert <pound(at)alacra.com>
2011-04-11 19:00:39
Thanks Robert. The problem with task enqueuing fixed the problem on our
system where pound versions 2.5c & 2.6c were blowing up.

However, you have the "-Wno-unused-result" option for gcc in the configure
file. On CentOS/Redhat versions, gcc doesn't recognize that option.
Can you remove it from the configure?

Lastly, the website has the wrong file for Pound-2.6a.tgz
(http://www.apsis.ch/pound/Pound-2.6a.tgz). When untarred, it has
version Pound-2.6b.

Thanks.
Albert
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
Sander Eikelenboom <linux(at)eikelenboom.it>
2011-04-11 19:29:02
Hi Robert,

The parsing of the CN name is OK now; as I said earlier, there still is a
problem: only the first and last certificates seem to be matched,
although all are parsed from the config file without error.

--
Sander
When pound starts:
Starting reverse proxy and load balancer: poundstarting...
CN=<backup.eikelenboom.it>
CN=<git.eikelenboom.it>
CN=<davical.eikelenboom.it>
CN=<security.eikelenboom.it>
So all have been parsed OK.
Below the log after applying the patch below:
root(at)webproxy:/usr/src/pound-2.6d# diff -U5 ../Pound-2.6d/config.c config.c
--- ../Pound-2.6d/config.c 2011-04-11 15:59:05.000000000 +0200
+++ config.c 2011-04-11 19:20:00.000000000 +0200
(at)(at) -795,18 +795,19 (at)(at)
return SSL_TLSEXT_ERR_NOACK;
/* logmsg(LOG_DEBUG, "Received SSL SNI Header for servername %s",
servername); */
SSL_set_SSL_CTX(ssl, NULL);
- for(pc = ctx; pc; pc = pc->next)
+ for(pc = ctx; pc; pc = pc->next){
+ logmsg(LOG_DEBUG, "try to match pc->server_name %s to server_name
%s",pc->server_name,server_name);
if(fnmatch(pc->server_name, server_name, 0) == 0) {
/* logmsg(LOG_DEBUG, "Found cert for %s", servername); */
SSL_set_SSL_CTX(ssl, pc->ctx);
return SSL_TLSEXT_ERR_OK;
}
-
- /* logmsg(LOG_DEBUG, "No match for %s, default used", server_name); */
+ }
+ logmsg(LOG_DEBUG, "No match for %s, default used", server_name);
SSL_set_SSL_CTX(ssl, ctx->ctx);
return SSL_TLSEXT_ERR_OK;
}
#endif
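Review bot: the walk in this hunk is sound (pc starts at ctx and follows pc->next until NULL), so the fact that only two entries are logged means the list handed to this callback already holds only two contexts; the defect is in the code that links the POUND_CTX entries when the Cert directives are parsed, not in this loop. Two smaller points: the added logmsg() call has its string literal wrapped onto a second line by the mail client and must be rejoined before it compiles; and since the new LOG_DEBUG line prints the client-supplied SNI value on every handshake, keep it at debug level and drop it once the list bug is located.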
Here you see the output when iterating through the certificates, only the first
and last present.
Apr 11 19:21:46 webproxy pound: try to match pc->server_name
backup.eikelenboom.it to server_name davical.eikelenboom.it
Apr 11 19:21:46 webproxy pound: try to match pc->server_name
security.eikelenboom.it to server_name davical.eikelenboom.it
Apr 11 19:21:46 webproxy pound: No match for davical.eikelenboom.it, default
used
Probably the parsing code isn't storing the certificates properly in the
variable or overwriting them somewhere in:
#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
            /* we have support for SNI */
            FILE        *fcert;
            char        server_name[MAXBUF], *cp;
            X509        *x509;

            if(has_other)
                conf_err("Cert directives MUST precede other SSL-specific directives - aborted");
            if(res->ctx) {
                /* walks res (the listener), not pc: pc never leaves the head
                 * of the list, so each new context overwrites head->next */
                for(pc = res->ctx; res->next; res = res->next)
                    ;
                if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
                    conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
                pc = pc->next;
            } else {
                if((res->ctx = malloc(sizeof(POUND_CTX))) == NULL)
                    conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
                pc = res->ctx;
            }
            if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
                conf_err("SSL_CTX_new failed - aborted");
            pc->server_name = NULL;
            pc->next = NULL;
            lin[matches[1].rm_eo] = '\0';
            if(SSL_CTX_use_certificate_chain_file(pc->ctx, lin + matches[1].rm_so) != 1)
                conf_err("SSL_CTX_use_certificate_chain_file failed - aborted");
            if(SSL_CTX_use_PrivateKey_file(pc->ctx, lin + matches[1].rm_so, SSL_FILETYPE_PEM) != 1)
                conf_err("SSL_CTX_use_PrivateKey_file failed - aborted");
            if(SSL_CTX_check_private_key(pc->ctx) != 1)
                conf_err("SSL_CTX_check_private_key failed - aborted");
            /* read the certificate back to extract its subject CN */
            if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
                conf_err("ListenHTTPS: could not open certificate file");
            if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
                conf_err("ListenHTTPS: could not get certificate subject");
            fclose(fcert);
            memset(server_name, '\0', MAXBUF);
            X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
            X509_free(x509);
            if(!regexec(&CNName, server_name, 4, matches, 0)) {
                server_name[matches[1].rm_eo] = '\0';
                if((pc->server_name = strdup(server_name + matches[1].rm_so)) == NULL)
                    conf_err("ListenHTTPS: could not set certificate subject");
            } else
                conf_err("ListenHTTPS: could not get certificate CN");
            fprintf(stderr, "CN=<%s>\n", pc->server_name);
#else
            /* no SNI support */
--
Best regards,
Sander mailto:linux(at)eikelenboom.it
RE: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
Joe Gooch <mrwizard(at)k12system.com>
2011-04-11 19:37:38
Change
    for(pc = res->ctx; res->next; res = res->next)
To:
    for(pc = res->ctx; res->next; pc = res->next)
And retest.

Joe
RE: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
Joe Gooch <mrwizard(at)k12system.com>
2011-04-11 19:39:36
Revised... take 2.
Change
    for(pc = res->ctx; res->next; res = res->next)
To:
    for(pc = res->ctx; pc->next; pc = pc->next)
And retest :)

Joe
Joseph Gooch
Sapphire Suite Product Manager
K12 Systems, Inc.
(866) 366-9540
Re: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
Sander Eikelenboom <linux(at)eikelenboom.it>
2011-04-11 19:55:50
Hi Joe,
This last one does the trick ! :-)
Thx,
Sander
Monday, April 11, 2011, 7:39:36 PM, you wrote:
> Revised... take 2.
> Change
>     for(pc = res->ctx; res->next; res = res->next)
> To:
>     for(pc = res->ctx; pc->next; pc = pc->next)
> And retest :)
> Joe
--
Best regards,
Sander mailto:linux(at)eikelenboom.it
RE: [Pound Mailing List] ANNOUNCE: Pound - reverse proxy and load balancer - v2.6d
Robert Segall <roseg(at)apsis.ch>
2011-04-12 19:01:07
On Mon, 2011-04-11 at 17:39 +0000, Joe Gooch wrote:
> Revised... take 2.
> Change
> for(pc = res->ctx; res->next; res = res->next)
>
> To:
> for(pc = res->ctx; pc->next; pc = pc->next)
>
> And retest :)
>
> Joe
Many thanks Joe - correct as usual.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19
ANNOUNCE: Pound - reverse proxy and load balancer - v2.6e
Robert Segall <roseg(at)apsis.ch>
2011-04-25 11:16:44
This is to announce the release of Pound v2.6e. This is an experimental
version - the fifth (and hopefully the last prior to the stable
release) in the 2.6 series. Changes since version 2.6d:

Bug fixes:
- fixed problem in SNI certificate storage
- changed long to long long for support of requests larger than 2GB

The software is at version 2.6e (beta quality). Further testing
(especially under heavy loads), improvements and suggestions are
welcome.
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19