Re: [Pound Mailing List] Install v2.6
Dave Steinberg <dave(at)redterror.net>
2011-10-03 16:22:07 [ SNIP ]
On 10/3/2011 3:11 AM, Wayne Smith wrote:
> Hi,
>
> I’ve only ever installed pound from binaries, and I’m not sure how to
> build and install from source. Can anyone point me in the direction of
> some instructions?

It's just configure / make / make install.  More details on the pound 
website under 'INSTALLATION':

http://www.apsis.ch/pound/

Regards,
-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/

RE: [Pound Mailing List] Install v2.6
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-03 17:02:50 [ SNIP ]
Thanks for this.

At the configure stage, I'm getting an error

Missing OpenSSL (-lcrypto) - aborted

I've built and installed OpenSSL 1.0.0e.

Any suggestions?

Regards
Wayne 


Re: [Pound Mailing List] Install v2.6
Dave Steinberg <dave(at)redterror.net>
2011-10-03 17:13:00 [ SNIP ]
On 10/3/2011 11:02 AM, Wayne Smith wrote:
> Thanks for this.
>
> At the configure stage, I'm getting an error
>
> Missing OpenSSL (-lcrypto) - aborted
>
> I've built and installed OpenSSL 1.0.0e.

Have you tried the --with-ssl=/path/to/ssl/dir option?

Regards,
-- 
Dave Steinberg
http://www.geekisp.com/
http://www.steinbergcomputing.com/
http://www.redterror.net/

Re: [Pound Mailing List] Install v2.6
Mike Kralec <mkralec(at)sbgnet.com>
2011-10-03 17:14:59 [ SNIP ]
If you've built and installed OpenSSL you just need to send the configure
statement the path OpenSSL was installed to. 

./configure -help says:
" --with-ssl=directory location of OpenSSL package"

Mike 
-- 
Mike Kralec 
Director of Data Systems Development 
Sinclair Broadcast Group 
(410) 568-1692 


RE: [Pound Mailing List] Install v2.6
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-03 18:05:22 [ SNIP ]
Dave \ Mike,

Yes I've tried the --with-ssl= option

Like so

./configure --with-ssl=/usr/local/ssl

I built and installed openssl as below

cd /usr/local/src
wget -N http://www.openssl.org/source/openssl-1.0.0c.tar.gz
tar -xzvf openssl-1.0.0e.tar.gz 
cd openssl-1.0.0e
./config
make
make install
alias cp=cp
cp /usr/local/ssl/bin/openssl /usr/bin/openssl
cd /usr/local/ssl/include
ln -s /usr/local/ssl/include/openssl openssl

Really appreciate your help.

Regards
Wayne 

Re: [Pound Mailing List] Install v2.6
Mike Kralec <mkralec(at)sbgnet.com>
2011-10-03 18:45:24 [ SNIP ]
Just a guess that maybe configure is finding /usr/bin/openssl that you've
copied and assuming /usr/lib/openssl for libraries instead of
/usr/local/lib/openssl. I have not looked at the configure file in depth.

Mike 
-- 
Mike Kralec 
Director of Data Systems Development 
Sinclair Broadcast Group 
(410) 568-1692 


Re: [Pound Mailing List] Install v2.6
Albert <pound(at)alacra.com>
2011-10-03 20:23:14 [ SNIP ]
Wayne,

I have exactly the same problem on our CentOS boxes.  I brought up this
issue a couple of months ago, but it seems to have been ignored.  The problem
is with line 3235 in configure:

CPPFLAGS="${CPPFLAGS} -Wstrict-prototypes -Wno-unused-result -pipe"

Change it to:

CPPFLAGS="${CPPFLAGS} -Wstrict-prototypes -pipe"

Albert

RE: [Pound Mailing List] Install v2.6
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-05 10:52:07 [ SNIP ]
Solved my issues by installing on CentOS 6 instead of 5.5. CentOS 6 has
packages available that make it pretty painless.

Quick guide to building \ installing Pound 2.6f on CentOS 6 - might be useful
for someone

Install openssl

yum install openssl openssl-devel

Add EPEL repository - which has Pound 2.5 package

rpm -Uvh http://bit.ly/q7kHBq

Install Pound

yum install Pound

Get and build Pound 2.6f

cd /tmp
wget http://www.apsis.ch/pound/Pound-2.4f.tgz
tar zxvf Pound-2.4f.tgz
cd Pound-2.4f
make clean
./configure
make
make install
Regards
Wayne

Re: [Pound Mailing List] websockets
Chris Dew <cmsdew(at)gmail.com>
2011-10-20 09:43:16 [ SNIP ]
Hi Tiago,

We use pound, and also use WebSockets (Socket.IO / NodeJS).

It would be a great feature for pound to support the WebSocket
upgrade, as we could then do away with a lot of port forwarding,
subdomains, etc.

At the moment our backend servers send their own identity as part of a
page, so that Socket.IO can connect directly back to that particular
backend server (via port-forwarding and multiple address aliases on
the load balancers).

Regards,

Chris.

On 20 October 2011 01:47, tiago ramos <tiagolramos(at)gmail.com> wrote:
> Hi,
>
> I'm using websockets, nodejs to be more precise. Due to scalability
> pound looks like the perfect solution for me. I'm able to start a websocket
> communication but then it gets downgraded to xhr-polling, and that is working
> great.
> What could be the problem? Has anyone solved it? From what I have read
> it could have something to do with an 8 byte and a missing
> Content-Length header.

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com>
2011-10-20 13:42:21 [ SNIP ]
On 10/20/2011 07:29 AM, Wayne Smith wrote:
> When I have more than one certificate listed in the config file, it seems to
> only use the last one.

Hi,

What kind of "warning" do you get in your browser (expired certificate?
self-signed? etc).  I've used a similar setup recently without any problems.

-- 
Jorge

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-20 13:57:16 [ SNIP ]
Jorge,

domain1.org.uk.pem is a valid trial certificate, with intermediate and root
certs included.
domain2.org.uk.pem is self signed

When I use

Cert    "/etc/pki/tls/certs/domain1.org.uk.pem"
# Cert    "/etc/pki/tls/certs/domain2.org.uk.pem"

https://domain1.org.uk goes through with no warnings.

https://domain2.org.uk says the certificate is for domain1 

When I use 

Cert    "/etc/pki/tls/certs/domain1.org.uk.pem"
Cert    "/etc/pki/tls/certs/domain2.org.uk.pem"

https://domain1.org.uk warning says the certificate is not trusted as it is
self signed i.e. it's ignoring the certificate domain1.org.uk.pem

https://domain1.org.uk warning says the certificate is not trusted as it is
self signed - but this is okay - I'm happy with a self signed cert for this
domain

Thanks
Wayne


Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com>
2011-10-20 14:25:55 [ SNIP ]
On 10/20/2011 07:57 AM, Wayne Smith wrote:
> domain1.org.uk.pem is a valid trial certificate, with intermediate and root
> certs included.
> domain2.org.uk.pem is self signed

I see.  Could it be that perhaps you're not using a proper openssl
library with SNI support?  In order to use more than one SSL cert (with
one ip) you need to make sure of two things:

- you have openssl with SNI support
- you're running pound 2.6.x

I'm, of course, assuming you're using one ip and that your mentioned
configuration resides inside one "ListenHTTPS/End" block.

Regards,
Jorge

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-20 14:42:43 [ SNIP ]
Yes, I have a single external IP that I proxy multiple domains through to their
respective servers, and my https listener config is below.

OpenSSL package is 1.0.0-4.el6_0.1(i686) which I believe supports SNI
Pound is 2.6f 

Regards
Wayne

ListenHTTPS
    Address 192.168.7.1
    Port    443
    Cert    "/etc/pki/tls/certs/pound.pem"
    Cert    "/etc/pki/tls/certs/wild.domain1.org.uk.pem"
#    Cert    "/etc/pki/tls/certs/manage.domain2.org.uk.pem"

    Service
        Headrequire "(Host: manage.domain2.org.uk)"
        BackEnd
            Address 192.168.7.2
            Port    80
        End
    End

    Service
        HeadRequire "(Host: www.domain1.org.uk)"
        BackEnd
            Address 192.168.7.3
            Port    80
        End
    End
End


RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-20 15:39:08 [ SNIP ]
Pound is definitely only using the last certificate. If I do this


ListenHTTPS
    Address 192.168.7.1
    Port    443
    Cert    "/etc/pki/tls/certs/pound.pem"
    Cert    "/etc/pki/tls/certs/manage.domain2.org.uk.pem"
    Cert    "/etc/pki/tls/certs/wild.domain1.org.uk.pem"


https://www.domain1.org.uk works

and


https://manage.domain2.org.uk gives

The certificate is only valid for the following names:
  *.domain1.org.uk , domain1.org.uk  

Apparently ignoring the manage.domain2.org.uk.pem certificate, which is self
signed and is for manage.domain2.org.uk

Regards
Wayne 


Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com>
2011-10-20 19:52:47 [ SNIP ]
On 10/20/2011 08:42 AM, Wayne Smith wrote:
> Yes, I have a single external IP that I proxy multiple domains through to
> their respective servers, and my https listener config is below.
> 
> OpenSSL package is 1.0.0-4.el6_0.1(i686) which I believe supports SNI
> Pound is 2.6f 

Then it's really weird.  I don't see anything wrong with your config.
The thing is I have a similar setup that I've built recently and it
works perfectly fine.  I'm running it on RHEL6 (with the stock openssl).

I'm new to pound & to this list (just got here 2 weeks ago) so I'm out
of ideas :(  I know pound has some verbose capabilities but I don't
think it will help as it's not giving you an error while launching it.

Let's see if anyone else can throw any light on this.

Regards,
Jorge

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com>
2011-10-20 20:04:47 [ SNIP ]
What are the subject lines of all your certs?

Joe

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-20 20:28:54 [ SNIP ]
Joe,

Not sure exactly what you are referring to. If it's the first line of the
certificate, then they're both

-----BEGIN CERTIFICATE-----

Regards
Wayne

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com>
2011-10-20 21:04:45 [ SNIP ]
openssl x509 -noout -in file.pem -subject

Joe


> -----Original Message-----
> From: Wayne Smith [mailto:Wayne.Smith(at)artscouncil.org.uk]
> Sent: Thursday, October 20, 2011 2:29 PM
> To: pound(at)apsis.ch
> Subject: RE: [Pound Mailing List] Multiple SSL
> 
> Joe,
> 
> Not sure exactly what you are referring to. If it's the first line of
> the certificate, then they're both
> 
> -----BEGIN CERTIFICATE-----
> 
> Regards
> Wayne
> 
> -----Original Message-----
> From: Joe Gooch [mailto:mrwizard(at)k12system.com]
> Sent: 20 October 2011 19:05
> To: pound(at)apsis.ch
> Subject: RE: [Pound Mailing List] Multiple SSL
> 
> What are the subject lines of all your certs?
> 
> Joe
> 
> > -----Original Message-----
> > From: Jorge Fábregas [mailto:jorge.fabregas(at)gmail.com]
> > Sent: Thursday, October 20, 2011 1:53 PM
> > To: pound(at)apsis.ch
> > Subject: Re: [Pound Mailing List] Multiple SSL
> >
> > On 10/20/2011 08:42 AM, Wayne Smith wrote:
> > > Yes, I have a single external IP that I proxy multiple domains
> > through to their respective servers, and my https listener config is
> > below.
> > >
> > > OpenSSL package is 1.0.0-4.el6_0.1(i686) which I believe supports
> SNI
> > > Pound is 2.6f
> >
> > Then it's really weird.  I don't see anything wrong with your config.
> > The thing is I have a similar setup that I've built recently and it
> > works perfectly fine.  I'm running it on RHEL6 (with the stock
> > openssl).
> >
> > I'm new to pound & to this list (just got here 2 weeks ago) so I'm
> out
> > of ideas :(  I know pound has some verbose capabilities but I don't
> > think it will help as it's not giving you an error while launching
> it.
> >
> > Let's see if anyone else can throw any light on this.
> >
> > Regards,
> > Jorge
> >
> 

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com>
2011-10-20 21:08:50 [ SNIP ]
On 10/20/2011 02:28 PM, Wayne Smith wrote:
> Not sure exactly what you are referring to

Joe is referring to the actual content of the certificates which you can
see with:

openssl x509 -in yourCert.crt -text

There you'll see a "Subject" line.

-- 
Jorge

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-20 21:23:02 [ SNIP ]
Joe,

Thanks. Output as follows

subject= /C=GB/ST=Lancashire/L=Manchester/O=Arts Council of
England/OU=IT/OU=Terms of use at www.verisign.co.uk/cps/testca
(c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust
Network/CN=manage.aceservices.org.uk

subject= /C=GB/ST=London/L=London/O=Arts Council of
England/OU=IT/CN=*.takeitaway.org.uk

Thanks to Jorge for sending command too.

Regards
Wayne

Re: [Pound Mailing List] Multiple SSL
Heiko Schlittermann <hs(at)schlittermann.de>
2011-10-20 21:31:32 [ SNIP ]
Hello Wayne,
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> (Thu Oct 20 15:39:08 2011):
> Pound is definitely only using the last certificate. If I do this
> 
> 
> ListenHTTPS
>     Address 192.168.7.1
>     Port    443
>     Cert    "/etc/pki/tls/certs/pound.pem"
>     Cert    "/etc/pki/tls/certs/manage.domain2.org.uk.pem"
>     Cert    "/etc/pki/tls/certs/wild.domain1.org.uk.pem"

If all the mentioned preconditions are met (SNI support, single external
IP, recent OpenSSL libraries), you may try to put your certs into a
*single* file.

It's just wild guesswork, and I do not have experience with setups like
yours, but in the case of missing other ideas ;-). 

-- 
Heiko :: dresden : linux : SCHLITTERMANN.de
GPG Key 48D0359B : 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B

Attachments:  
signature.asc application/pgp-signature 199 Bytes

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com>
2011-10-21 00:00:38 [ SNIP ]
I don't think that would work.... If I remember correctly, pound tracks each
cert in a linked list and uses globbing to determine which to use... but it
does that by "Cert" line, not by certificates within a file.

Joe


> -----Original Message-----
> From: Heiko Schlittermann [mailto:hs(at)schlittermann.de]
> Sent: Thursday, October 20, 2011 3:32 PM
> To: pound(at)apsis.ch
> Subject: Re: [Pound Mailing List] Multiple SSL
> 
> Hello Wayne,
> Wayne Smith <Wayne.Smith(at)artscouncil.org.uk> (Thu Oct 20 15:39:08
> 2011):
> > Pound is definitely only using the last certificate. If I do this
> >
> >
> > ListenHTTPS
> >     Address 192.168.7.1
> >     Port    443
> >     Cert    "/etc/pki/tls/certs/pound.pem"
> >     Cert    "/etc/pki/tls/certs/manage.domain2.org.uk.pem"
> >     Cert    "/etc/pki/tls/certs/wild.domain1.org.uk.pem"
> 
> If all the mentioned preconditions are met (SNI support, single
> external IP, recent OpenSSL libraries), you may try to put your certs
> into a
> *single* file.
> 
> It's just wild guesswork, and I do not have experience with setups like
> yours, but in the case of missing other ideas ;-).
> 
> --
> Heiko :: dresden : linux : SCHLITTERMANN.de GPG Key 48D0359B : 3061
> CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com>
2011-10-21 00:02:49 [ SNIP ]
So, going back to your file we have

    Cert    "/etc/pki/tls/certs/pound.pem"
    Cert    "/etc/pki/tls/certs/manage.domain2.org.uk.pem"
    Cert    "/etc/pki/tls/certs/wild.domain1.org.uk.pem"

Which I would assume corresponds to:
??? (pound.pem)
manage.aceservices.org.uk
*.takeitaway.org.uk


What's the subject of the pound.pem cert?

What version of pound are you running?

Thanks!

Joe

> -----Original Message-----
> From: Wayne Smith [mailto:Wayne.Smith(at)artscouncil.org.uk]
> Sent: Thursday, October 20, 2011 3:23 PM
> To: pound(at)apsis.ch
> Subject: RE: [Pound Mailing List] Multiple SSL
> 
> Joe,
> 
> Thanks. Output as follows
> 
> subject= /C=GB/ST=Lancashire/L=Manchester/O=Arts Council of
> England/OU=IT/OU=Terms of use at www.verisign.co.uk/cps/testca
> (c)05/OU=Authenticated by VeriSign/OU=Member, VeriSign Trust
> Network/CN=manage.aceservices.org.uk
> 
> subject= /C=GB/ST=London/L=London/O=Arts Council of
> England/OU=IT/CN=*.takeitaway.org.uk
> 
> Thanks to Jorge for sending command too.
> 
> Regards
> Wayne

RE: [Pound Mailing List] Multiple SSL
Wayne Smith <Wayne.Smith(at)artscouncil.org.uk>
2011-10-21 00:16:10 [ SNIP ]
>Which I would assume corresponds to:
>??? (pound.pem)
>manage.aceservices.org.uk
>*.takeitaway.org.uk

Yes

>What's the subject of the pound.pem cert?

Was in there from the default config. I later removed it, as it's not in use.
Didn't make any difference.

>What version of pound are you running?

2.6f

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com>
2011-10-21 18:24:31 [ SNIP ]
Interesting.

First, if your pound binary or openssl library doesn't support SNI, pound won't
let you configure it.  (It'll say multiple certificates not supported when you
load the config)  So as far as pound is concerned, your certs are both being
honored.

I assume your email from 10/5 where you compiled pound references 2.6f instead
of 2.4f...

Could you please recompile pound?  Please replace your config.c with
http://goochfriend.org/config.c and recompile.  Run that binary with your
config.  It should enable extra debugging messages (at DEBUG log level) which
will help you see how pound is making the comparisons/choices.

And then paste those logs here for further help!

Joe


> -----Original Message-----
> From: Wayne Smith [mailto:Wayne.Smith(at)artscouncil.org.uk]
> Sent: Thursday, October 20, 2011 6:16 PM
> To: pound(at)apsis.ch
> Subject: RE: [Pound Mailing List] Multiple SSL
> 
> >Which I would assume corresponds to:
> >??? (pound.pem)
> >manage.aceservices.org.uk
> >*.takeitaway.org.uk
> 
> Yes
> 
> >What's the subject of the pound.pem cert?
> 
> Was in there from the default config. I later removed it, as it's not
> in use. Didn't make any difference.
> 
> >What version of pound are you running?
> 
> 2.6f

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com>
2011-10-24 23:47:05 [ SNIP ]
On 10/20/2011 09:39 AM, Wayne Smith wrote:
> Pound is definitely only using the last certificate

Wayne:  I can confirm that this is actually happening.  Before this
afternoon, I thought I had it working because pound was sending me the
proper certificates based on the host-header.  It worked for me on IE &
Firefox but then, on other machines, I started getting the wrong
certificates (turns out it was the "last certificate" on the config).
These other machines were recent ones (Windows 7 and latest browsers).

The strange thing is that if I go to the DigiCert website (where you
check your SSL certificate), when I validate both of my sites they
appear valid (with their proper certificates presented).  The only place
I could replicate the problem 100% of the time was here:

www.sslshopper.com/ssl-checker.html

...where it would detect the mismatch between requested site and common
name on certificate.

Were you able to recompile using the config.c provided by Joe?

--
Jorge

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com>
2011-10-25 02:49:37 [ SNIP ]
On 10/24/2011 05:47 PM, Jorge Fábregas wrote:
>  It worked for me on IE & Firefox but then, on other machines, 
> I started getting the wrong certificates (turns out it was the 
> "last certificate" on the config).

I'm going to correct myself.  At this point I'm not sure if there's
something wrong with pound or the clients connecting to it.  I'm leaning
towards the latter.

The thing is, I checked the SNI Wikipedia page for OS & browser support
and thought I wouldn't have any problems in October of 2011 (based on
the OS & browser of my users).  It turns out I had a lot of problems
that I couldn't pinpoint to a specific browser or OS (as they were
supposedly SNI-ready).

I also had users behind forward proxies that might not be sending the
SNI bits properly.

And then, the SSL validator sites:

http://www.digicert.com/help/

On this one, 100% of the time that I performed a test it worked perfectly.

On the other hand, this site:

http://www.sslshopper.com/ssl-checker.html

...fails 100% of the time for one of my two sites.  I believe now that
it simply doesn't send the SNI header on its requests.

Finally, I fired up my Windows XP VM (where I know it won't work as SNI
is not supported) in order to see the behavior I get.  And indeed, it's
the same behavior I get when it doesn't work for my users (I'll get the
last certificate of my config, ignoring the other one).

Conclusion:  It appears SNI is not widely supported.  I'll be reverting
back to pound stable (without SNI support) and I'll deal with the
situation with another IP :(

Regards,
Jorge

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com>
2011-10-25 03:12:20 [ SNIP ]
It's likely the client, yes.

See https://sni.velox.ch/

It should give you an idea of what your client is doing.


If you only configure one certificate per listener, SNI isn't an issue... So if
you have other 2.6 features you're using, no reason to backrev.

Joe


> -----Original Message-----
> From: Jorge Fábregas [mailto:jorge.fabregas(at)gmail.com]
> Sent: Monday, October 24, 2011 8:50 PM
> To: pound(at)apsis.ch
> Subject: Re: [Pound Mailing List] Multiple SSL
> 
> On 10/24/2011 05:47 PM, Jorge Fábregas wrote:
> >  It worked for me on IE & Firefox but then, on other machines,
> > I started getting the wrong certificates (turns out it was the
> > "last certificate" on the config).
> 
> I'm going to correct myself.  At this point I'm not sure if there's
> something wrong with pound or the clients connecting to it.  I'm
> leaning
> towards the latter.
> 
> The thing is, I checked the SNI Wikipedia page for OS & browser support
> and thought I wouldn't have any problems in October of 2011 (based on
> the OS & browser of my users).  It turns out I had a lot of problems
> that I couldn't pinpoint to a specific browser or OS (as they were
> supposedly SNI-ready).
> 
> I also had users behind forward proxies that might not be sending the
> SNI bits properly.
> 
> And then, the SSL validator sites:
> 
> http://www.digicert.com/help/
> 
> On this one, 100% of the time that I performed a test it worked
> perfectly.
> 
> On the other hand, this site:
> 
> http://www.sslshopper.com/ssl-checker.html
> 
> ...fails 100% of the time for one of my two sites.  I believe now that
> it simply doesn't send the SNI header on its requests.
> 
> Finally, I fired up my Windows XP VM (where I know it won't work as SNI
> is not supported) in order to see the behavior I get.  And indeed, it's
> the same behavior I get when it doesn't work for my users (I'll get the
> last certificate of my config, ignoring the other one).
> 
> Conclusion:  It appears SNI is not widely supported.  I'll be reverting
> back to pound stable (without SNI support) and I'll deal with the
> situation with another IP :(
> 
> Regards,
> Jorge

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com>
2011-10-25 03:49:57 [ SNIP ]
On 10/24/2011 09:12 PM, Joe Gooch wrote:
> See https://sni.velox.ch/
> 
> It should give you an idea of what your client is doing.

Hey thanks Joe! This site is superb!  It really helps to know whether
the client is actually sending the SNI extension or not!

Thanks!
Jorge

RE: [Pound Mailing List] Multiple SSL
Joe Gooch <mrwizard(at)k12system.com>
2011-10-25 15:06:46 [ SNIP ]
Wish I could take credit, but it was provided by Will Tatam back when we
implemented SNI. (3/1/2010 in the list archives)

Joe


> -----Original Message-----
> From: Jorge Fábregas [mailto:jorge.fabregas(at)gmail.com]
> Sent: Monday, October 24, 2011 9:50 PM
> To: pound(at)apsis.ch
> Subject: Re: [Pound Mailing List] Multiple SSL
> 
> On 10/24/2011 09:12 PM, Joe Gooch wrote:
> > See https://sni.velox.ch/
> >
> > It should give you an idea of what your client is doing.
> 
> Hey thanks Joe! This site is superb!  It really helps to know whether
> the client is actually sending the SNI extension or not!
> 
> Thanks!
> Jorge

Re: [Pound Mailing List] Multiple SSL
Jorge Fábregas <jorge.fabregas(at)gmail.com>
2011-10-25 18:20:43 [ SNIP ]
On 10/24/2011 09:12 PM, Joe Gooch wrote:
> If you only configure one certificate per listener, SNI isn't an
>  issue... So if you have other 2.6 features you're using, no reason
>  to backrev.

As I was about to give up on my SNI adventure a coworker decided to further
investigate why some users on Windows 7 couldn't connect with IE 8 & 9.
He found the culprit: the option for "TLS 1.0" on their browsers was
disabled.  As soon as it was enabled, it worked right away.

I checked with a plain vanilla Windows 7 (and the stock IE) and it was
enabled by default.  It appears that some apps you install might disable
it (antivirus, etc.).  I never had problems with Chrome and Firefox and,
since this is a controlled environment (regional offices), I can easily
pass along the instructions to enable TLS 1.0 on IE:

IE9 --> Internet options --> Advanced tab ---> Security Section --> Use
TLS 1.0

...so I'm happy back again using SNI with pound (BTW thank you Joe for
adding this to pound!).

On the other hand, for the public internet sites where I don't know the
users, that will be tough as there are going to be an infinite number of
users without SNI support or with support but improperly configured.

If I could just tell pound to "Redirect" all requests that come without
the SNI extension...  That way I could redirect them to a help page.   I
know the SNI extension works at the TLS level (not HTTP) but I'm
wondering if, by any chance, there's any HTTP header that will indicate
whether SNI is being used or not?

Regards,
Jorge
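An added example, written for this archive page and not code from Pound or from anyone in the thread, modelling the two points discussed above: Joe's description of Pound walking its list of `Cert` entries and glob-matching to pick one, and Jorge's closing question about whether any HTTP header reveals SNI. There is no such header: the server_name extension lives in the TLS ClientHello, which is why a TLS-terminating proxy (or a capture of the first record on port 443) is the only place a defender can log which clients arrived without SNI. The block builds a constructed ClientHello (not a real capture), extracts the SNI name from it, and selects a certificate by glob-matching the SNI name against the CNs from Wayne's `openssl x509 -subject` output. The "no SNI, or no match, means the last configured certificate" fallback is an assumption taken from what the thread observed, not from Pound's source.

```python
"""Added example: find the SNI name in a TLS ClientHello and choose a
certificate the way this thread describes. Not Pound's code."""
import fnmatch
import struct
from typing import List, Optional

# Certificate CNs in ListenHTTPS "Cert" order, copied from the subjects
# Wayne posted in the thread (the unused pound.pem entry is omitted).
CERT_CNS = ["manage.aceservices.org.uk", "*.takeitaway.org.uk"]


def build_client_hello(server_name: Optional[str] = None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input,
    not a capture). With server_name=None no extensions block is sent at all,
    which is what a client without SNI support looks like on the wire."""
    body = b"\x03\x03" + bytes(32)          # client_version + 32-byte random
    body += b"\x00"                          # empty session_id
    body += b"\x00\x02\x00\x2f"              # one cipher suite (AES128-SHA)
    body += b"\x01\x00"                      # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list   # ext type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the server_name extension of a
    ClientHello record, or None when the client sent no SNI.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                    # skip version + random
        pos += 1 + body[pos]                            # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                            # compression_methods
        if pos >= len(body):
            return None                                 # no extensions at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + nlen]
                q += nlen
                if ntype == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def select_cert(cert_cns: List[str], sni: Optional[str]) -> str:
    """Pick a certificate CN for a connection. Matching is glob-style in
    config order, so '*.takeitaway.org.uk' matches 'www.takeitaway.org.uk'.
    No SNI or no match returns the last entry: the 'last certificate wins'
    behaviour the thread observed, assumed here rather than verified."""
    if sni is not None:
        for cn in cert_cns:
            if fnmatch.fnmatchcase(sni.lower(), cn.lower()):
                return cn
    return cert_cns[-1]


if __name__ == "__main__":
    for hello in (build_client_hello("manage.aceservices.org.uk"),
                  build_client_hello("www.takeitaway.org.uk"),
                  build_client_hello(None)):
        name = extract_sni(hello)
        print(f"SNI={name!r:30} -> serves {select_cert(CERT_CNS, name)}")
```

Run on the three constructed hellos, the no-SNI case falls through to `*.takeitaway.org.uk`, which is exactly the "wrong certificate for the first site" symptom reported by sslshopper and the Windows XP VM; logging `extract_sni(...) is None` at the proxy is the practical way to count such clients before deciding whether a second IP is needed.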