Pound Mailing List, Archive 2011-10
Re: [Pound Mailing List] Install v2.6
Dave Steinberg <dave(at)redterror.net> | 2011-10-03 16:22:07
On 10/3/2011 3:11 AM, Wayne Smith wrote:[...]
It's just configure / make / make install. More details on the pound
website under 'INSTALLATION':
http://www.apsis.ch/pound/
Regards,[...]

RE: [Pound Mailing List] Install v2.6
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-03 17:02:50
Thanks for this.
At the configure stage, I'm getting an error
Missing OpenSSL (-lcrypto) - aborted
I've built and installed OpenSSL 1.0.0e.
Any suggestions?
Regards
Wayne
[...]

Re: [Pound Mailing List] Install v2.6
Dave Steinberg <dave(at)redterror.net> | 2011-10-03 17:13:00
On 10/3/2011 11:02 AM, Wayne Smith wrote:[...]
Have you tried the --with-ssl=/path/to/ssl/dir option?
Regards,[...]
|
|
|
Re: [Pound Mailing List] Install v2.6
Mike Kralec <mkralec(at)sbgnet.com> |
2011-10-03 17:14:59 |
[ FULL ]
|
If you've built and installed OpenSSL you just need to send the configure
statement the path OpenSSL was installed to.
./configure -help says:
" --with-ssl=directory location of OpenSSL package"
Mike
[...]

RE: [Pound Mailing List] Install v2.6
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-03 18:05:22
Dave \ Mike,
Yes I've tried the --with-ssl= option
Like so
./configure --with-ssl=/usr/local/ssl
I built and installed openssl as below
cd /usr/local/src
wget -N http://www.openssl.org/source/openssl-1.0.0e.tar.gz
tar -xzvf openssl-1.0.0e.tar.gz
cd openssl-1.0.0e
./config
make
make install
alias cp=cp
cp /usr/local/ssl/bin/openssl /usr/bin/openssl
cd /usr/local/ssl/include
ln -s /usr/local/ssl/include/openssl openssl
Really appreciate your help.
Regards
Wayne
[...]

Re: [Pound Mailing List] Install v2.6
Mike Kralec <mkralec(at)sbgnet.com> | 2011-10-03 18:45:24
Just a guess that maybe configure is finding /usr/bin/openssl that you've
copied
and assuming /usr/lib/openssl for libraries instead of /usr/local/lib/openssl.
I have not looked at configure file in depth.
Mike
[...]

Re: [Pound Mailing List] Install v2.6
Albert <pound(at)alacra.com> | 2011-10-03 20:23:14
Wayne,
I have exactly the same problem on our CentOS boxes. I brought up this
issue couple of months ago, but seems to have been ignored. The problem
is with line#3235 in configure:
CPPFLAGS="${CPPFLAGS} -Wstrict-prototypes -Wno-unused-result -pipe"
Change it to:
CPPFLAGS="${CPPFLAGS} -Wstrict-prototypes -pipe"
Albert
On 10/3/2011 12:05 PM, Wayne Smith wrote:[...]
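The script below is an added example, not code from the thread or from Pound's build system. It separates the two things that make Pound's configure print "Missing OpenSSL (-lcrypto)": a compiler that rejects one of the hard-coded warning flags (Albert's CentOS 5 case, where the test program never compiles, so libcrypto is never actually looked for), and a libcrypto that is genuinely not on the search path (Wayne's --with-ssl case). Function names are mine; the flag list is the one Albert quoted, and the -I/-L pair in the usage comment is assumed to be what --with-ssl=/usr/local/ssl resolves to.

```shell
#!/bin/sh
# Added example (not from the thread or from Pound). Pound's configure
# prints "Missing OpenSSL (-lcrypto)" whenever its link test fails to
# build, so an unsupported warning flag (Albert's -Wno-unused-result on an
# older gcc) looks exactly like a missing libcrypto unless the two are
# probed separately. Nothing here touches your tree except patch_configure.

# Exit 0 if the compiler accepts the given flags on a trivial program.
cc_accepts_flags() {
  tmp=$(mktemp -d) || return 2
  printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
  if "${CC:-cc}" "$@" -o "$tmp/t" "$tmp/t.c" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Exit 0 if a program referencing libcrypto links with the given flags.
# The header-less declaration mirrors autoconf's AC_CHECK_LIB probe; the
# binary is only linked, never run.
crypto_links() {
  tmp=$(mktemp -d) || return 2
  printf 'char BIO_new();\nint main(void) { BIO_new(); return 0; }\n' > "$tmp/t.c"
  if "${CC:-cc}" "$@" -o "$tmp/t" "$tmp/t.c" -lcrypto >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Classify a "Missing OpenSSL" verdict for a given set of CPPFLAGS/LDFLAGS:
#   0  libcrypto links; configure should pass with these flags
#   1  the compiler rejects the flags themselves (drop the offending -W flag)
#   2  flags are fine but libcrypto is not found (pass --with-ssl=DIR, or
#      add -I/-L for the OpenSSL prefix, e.g. /usr/local/ssl)
diagnose_missing_crypto() {
  cc_accepts_flags "$@" || return 1
  crypto_links "$@" || return 2
  return 0
}

# Albert's fix without the hard-coded line number: strip -Wno-unused-result
# from configure only when this compiler rejects it. Keeps a .orig backup.
patch_configure() {
  conf=${1:-./configure}
  if cc_accepts_flags -Wno-unused-result; then
    echo "compiler accepts -Wno-unused-result; no change to $conf"
    return 0
  fi
  sed -i.orig 's/ -Wno-unused-result//g' "$conf"
  echo "patched $conf (backup in $conf.orig); rerun ./configure --with-ssl=DIR"
}

# Example invocation, using the flags from the configure line quoted in the
# thread plus the include/lib pair assumed to correspond to
# --with-ssl=/usr/local/ssl:
#   diagnose_missing_crypto -Wstrict-prototypes -Wno-unused-result -pipe \
#       -I/usr/local/ssl/include -L/usr/local/ssl/lib; echo "verdict $?"
```

Run diagnose_missing_crypto with the exact CPPFLAGS from configure and read the exit code; config.log records the compiler's real complaint (grep it for "unrecognized" or "cannot find -lcrypto") and is the first thing to check before editing configure. patch_configure applies Albert's change only when the compiler really rejects the flag, so the same script is harmless on a CentOS 6 box where the flag is fine. Copying the openssl binary into /usr/bin, as in Wayne's recipe, does nothing for the link step and leaves two OpenSSL trees to keep patched; pointing configure at the prefix is the cleaner fix.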

RE: [Pound Mailing List] Install v2.6
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-05 10:52:07
Solved my issues by installing on CentOS 6 instead of 5.5. CentOS 6 has
packages available that make it pretty painless.
Quick guide to building \ installing Pound 2.6f on CentOS 6 - might be useful
for someone
Install openssl
yum install openssl openssl-devel
Add EPEL repository - which has Pound 2.5 package
rpm -Uvh http://bit.ly/q7kHBq
Install Pound
yum install Pound
Get and build Pound 2.6f
cd /tmp
wget http://www.apsis.ch/pound/Pound-2.4f.tgz
tar zxvf Pound-2.4f.tgz
cd Pound-2.4f
make clean
./configure
make
make install
Regards
Wayne
[...]
http://www.artscouncil.org.uk
Arts Council England is the trading name of the Arts Council of England
registered charity no. 1036733
The information in this e-mail is for the named recipient(s) only. If you are
not the intended recipient, be advised that you have received this email in
error and that any use, dissemination, forwarding, printing, or copying of this
email is strictly prohibited.
The contents of this message will not be in any way binding upon Arts Council
England. Opinions, conclusions, contractual obligations and other information
in this message, in so far as they relate to the official business of Arts
Council England must be specifically confirmed in writing.
Additionally, the information contained in this email may be subject to public
disclosure under the Freedom of Information Act 2000.
Arts Council England does not accept liability for any virus, spyware or
malware introduced by this e-mail.[...]

Re: [Pound Mailing List] websockets
Chris Dew <cmsdew(at)gmail.com> | 2011-10-20 09:43:16
Hi Tiago,
We use pound, and also use WebSockets (Socket.IO / NodeJS).
It would be a great feature for pound to support the WebSocket
upgrade, as we could then do away with a lot of port forwarding,
subdomains, etc.
At the moment our backend servers send their own identity as part of a
page, so that Socket.IO can connect directly back to that particular
backend server (via port-forwarding and multiple address aliases on
the load balancers).
Regards,
Chris.
On 20 October 2011 01:47, tiago ramos <tiagolramos(at)gmail.com> wrote:[...]

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com> | 2011-10-20 13:42:21
On 10/20/2011 07:29 AM, Wayne Smith wrote:[...]
Hi,
What kind of "warning" do you get in your browser (expired certificate?
self-signed? etc). I've used a similar setup recently without any problems.
[...]

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-20 13:57:16
Jorge,
domain1.org.uk.pem is a valid trial certificate, with intermediate and root
certs included.
domain2.org.uk.pem is self signed
When I use
Cert "/etc/pki/tls/certs/domain1.org.uk.pem"
# Cert "/etc/pki/tls/certs/domain2.org.uk.pem"
https://domain1.org.uk goes through with no warnings.
https://domain2.org.uk says the certificate is for domain1.
When I use
Cert "/etc/pki/tls/certs/domain1.org.uk.pem"
Cert "/etc/pki/tls/certs/domain2.org.uk.pem"
https://domain1.org.uk warning says the certificate is not trusted as it is
self signed, i.e. it's ignoring the certificate domain1.org.uk.pem.
https://domain2.org.uk warning says the certificate is not trusted as it is
self signed - but this is okay - I'm happy with a self signed cert for this
domain.
Thanks
Wayne

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com> | 2011-10-20 14:25:55
On 10/20/2011 07:57 AM, Wayne Smith wrote:[...]
I see. Could it be that perhaps you're not using a proper openssl
library with SNI support? In order to use more than one SSL cert (with
one ip) you need to make sure of two things:
- you have openssl with SNI support
- you're running pound 2.6.x
I'm, of course, assuming you're using one ip and that your mentioned
configuration resides inside one "ListenHTTPS/End" block.
Regards,
Jorge

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-20 14:42:43
Yes, I have a single external IP that I proxy multiple domains through to their
respective servers, and my https listener config is below.
OpenSSL package is 1.0.0-4.el6_0.1(i686) which I believe supports SNI
Pound is 2.6f
Regards
Wayne
ListenHTTPS
    Address 192.168.7.1
    Port    443
    Cert "/etc/pki/tls/certs/pound.pem"
    Cert "/etc/pki/tls/certs/wild.domain1.org.uk.pem"
    # Cert "/etc/pki/tls/certs/manage.domain2.org.uk.pem"
    Service
        Headrequire "(Host: manage.domain2.org.uk)"
        BackEnd
            Address 192.168.7.2
            Port    80
        End
    End
    Service
        HeadRequire "(Host: www.domain1.org.uk)"
        BackEnd
            Address 192.168.7.3
            Port    80
        End
    End
End

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-20 15:39:08
Pound is definitely only using the last certificate. If I do this
ListenHTTPS
    Address 192.168.7.1
    Port    443
    Cert "/etc/pki/tls/certs/pound.pem"
    Cert "/etc/pki/tls/certs/manage.domain2.org.uk.pem"
    Cert "/etc/pki/tls/certs/wild.domain1.org.uk.pem"
https://www.domain1.org.uk works, and https://manage.domain2.org.uk gives
"The certificate is only valid for the following names: *.domain1.org.uk, domain1.org.uk"
apparently ignoring the manage.domain2.org.uk.pem certificate, which is self
signed and is for manage.domain2.org.uk.
Regards
Wayne

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com> | 2011-10-20 19:52:47
On 10/20/2011 08:42 AM, Wayne Smith wrote:[...]
Then it's really weird. I don't see anything wrong with your config.
The thing is I have a similar setup that I've built recently and it
works perfectly fine. I'm running it on RHEL6 (with the stock openssl).
I'm new to pound & to this list (just got here 2 weeks ago) so I'm out
of ideas :( I know pound has some verbose capabilities but I don't
think it will help as it's not giving you an error while launching it.
Let's see if anyone else can throw any light on this.
Regards,
Jorge

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com> | 2011-10-20 20:04:47
What are the subject lines of all your certs?
Joe
[...]

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-20 20:28:54
Joe,
Not sure exactly what you are referring to. If it's the first line of the
certificate, then they're both
-----BEGIN CERTIFICATE-----
Regards
Wayne
-----Original Message-----
From: Joe Gooch [mailto:mrwizard(at)k12system.com]
Sent: 20 October 2011 19:05
To: pound(at)apsis.ch
Subject: RE: [Pound Mailing List] Multiple SSL
What are the subject lines of all your certs?
Joe
[...]
--
To unsubscribe send an email with subject unsubscribe to pound(at)apsis.ch.
Please contact roseg(at)apsis.ch for questions.

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com> | 2011-10-20 21:04:45
openssl x509 -noout -in file.pem -subject
Joe
[...]

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com> | 2011-10-20 21:08:50
On 10/20/2011 02:28 PM, Wayne Smith wrote:[...]
Joe is referring to the actual content of the certificates which you can
see with:
openssl x509 -in yourCert.crt -text
There you'll see a "Subject" line.
[...]

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-20 21:23:02
Joe,
Thanks. Output as follows
subject= /C=GB/ST=Lancashire/L=Manchester/O=Arts Council of England/OU=IT/OU=Terms of use at www.verisign.co.uk/cps/testca (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust Network/CN=manage.aceservices.org.uk
subject= /C=GB/ST=London/L=London/O=Arts Council of England/OU=IT/CN=*.takeitaway.org.uk
Thanks to Jorge for sending command too.
Regards
Wayne

Re: [Pound Mailing List] Multiple SSL
Heiko Schlittermann <hs(at)schlittermann.de> | 2011-10-20 21:31:32
Hello Wayne,
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> (Thu Oct 20 15:39:08 2011):[...]
If all the mentioned preconditions are met (SNI support, single external
IP, recent OpenSSL libraries), you may try to put your certs into a
*single* file.
It's just wild guesswork, and I have no experience with setups like
yours, but for lack of other ideas ;-).
[...]

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com> | 2011-10-21 00:00:38
I don't think that would work.... If I remember correctly, pound tracks each
cert in a linked list and uses globbing to determine which to use... but it
does that by "Cert" line, not by certificates within a file.
Joe
[...]

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com> | 2011-10-21 00:02:49
So, going back to your file we have
Cert "/etc/pki/tls/certs/pound.pem"
Cert "/etc/pki/tls/certs/manage.domain2.org.uk.pem"
Cert "/etc/pki/tls/certs/wild.domain1.org.uk.pem"
Which I would assume corresponds to:
??? (pound.pem)
manage.aceservices.org.uk
*.takeitaway.org.uk
What's the subject of the pound.pem cert?
What version of pound are you running?
Thanks!
Joe
[...]

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> | 2011-10-21 00:16:10
>Which I would assume corresponds to:[...]
Yes
[...]
Was in there from the default config. I later removed it, as it's not in use.
Didn't make any difference.
[...]
2.6f

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com> | 2011-10-21 18:24:31
Interesting.
First, if your pound binary or openssl library doesn't support SNI, pound won't
let you configure it. (It'll say multiple certificates not supported when you
load the config) So as far as pound is concerned, your certs are both being
honored.
I assume your email from 10/5 where you compiled pound references 2.6f instead
of 2.4f...
Could you please recompile pound? Please replace your config.c with http://goochfriend.org/config.c and
recompile. Run that binary with your config. It should enable extra debugging
messages (at DEBUG log level) which will help you see how pound is making the
comparisons/choices.
And then paste those logs here for further help!
Joe
[...]

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com> | 2011-10-24 23:47:05
On 10/20/2011 09:39 AM, Wayne Smith wrote:[...]
Wayne: I can confirm that this is actually happening. Before this
afternoon, I thought I had it working because pound was sending me the
proper certificates based on the host-header. It worked for me on IE &
Firefox but then, on other machines, I started getting the wrong
certificates (turns out it was the "last certificate" on the config).
These other machines were recent ones (Windows 7 and latest browsers).
The strange thing is that if I go to the DigiCert website (where you
check your SSL certificate), when I validate both of my sites they
appear valid (with their proper certificates presented). The only place
I could replicate the problem 100% of the time was here:
www.sslshopper.com/ssl-checker.html
...where it would detect the mismatch between requested site and common
name on certificate.
Were you able to recompile using the config.c provided by Joe?
--
Jorge

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com> | 2011-10-25 02:49:37
On 10/24/2011 05:47 PM, Jorge Fábregas wrote:[...]
I'm going to correct myself. At this point I'm not sure if there's
something wrong with pound or the clients connecting to it. I'm leaning
towards the latter.
The thing is, I checked the SNI Wikipedia page for OS & browser support
and thought I wouldn't have any problems in October of 2011 (based on
the OS & browser of my users). It turns out I had a lot of problems
that I couldn't pinpoint to a specific browser or OS (as they were
supposedly SNI-ready).
I also had users behind forward proxies that might not be sending the
SNI bits properly.
And then, the SSL validator sites:
http://www.digicert.com/help/
On this one, 100% of the time that I performed a test it worked perfectly.
On the other hand, this site:
http://www.sslshopper.com/ssl-checker.html
...fails 100% of the time for one of my two sites. I believe now that
it simply doesn't send the SNI header on its requests.
Finally, I fired up my Windows XP VM (where I know it won't work as SNI
is not supported) in order to see the behavior I get. And indeed, it's
the same behavior I get when it doesn't work for my users (I'll get the
last certificate of my config, ignoring the other one).
Conclusion: It appears SNI is not widely supported. I'll be reverting
back to pound stable (without SNI support) and I'll deal with the
situation with another ip :(
Regards,
Jorge

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com> | 2011-10-25 03:12:20
It's likely the client, yes.
See https://sni.velox.ch/
It should give you an idea of what your client is doing.
If you only configure one certificate per listener, SNI isn't an issue... So if
you have other 2.6 features you're using, no reason to backrev.
Joe
[...]

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com> | 2011-10-25 03:49:57
On 10/24/2011 09:12 PM, Joe Gooch wrote:[...]
Hey thanks Joe! This site is superb! It really helps to know whether
the client is actually sending the SNI extension or not!
Thanks!
Jorge

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com> | 2011-10-25 15:06:46
Wish I could take credit, but it was provided by Will Tatam back when we
implemented SNI. (3/1/2010 in the list archives)
Joe
[...]

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com> | 2011-10-25 18:20:43
On 10/24/2011 09:12 PM, Joe Gooch wrote:[...]
As I was about to give up on my SNI adventure a coworker decided to further
investigate why some users on Windows 7 couldn't connect with IE 8 & 9.
He found the culprit: the option for "TLS 1.0" on their browsers was
disabled. As soon as it was enabled it worked right away.
I checked with a plain vanilla Windows 7 (and the stock IE) and it was
enabled by default. It appears that some apps you install might disable
it (antivirus etc). I never had problems with Chrome and Firefox and,
since this is a controlled environment (regional offices), I can easily
pass along the instructions to enable TLS 1.0 on IE:
IE9 --> Internet options --> Advanced tab --> Security Section --> Use TLS 1.0
...so I'm happy back again using SNI with pound (BTW thank you Joe for
adding this to pound!).
On the other hand, for the public internet sites where I don't know the
users, that will be tough as there are going to be an infinite number of
users without SNI support or with support but improperly configured.
If I could just tell pound to "Redirect" all requests that come without
the SNI extension... That way I could redirect them to a help page. I
know the SNI extension works at the TLS level (not HTTP) but I'm
wondering if, by any chance, there's any HTTP header that will indicate
whether SNI is being used or not?
Regards,
Jorge