Support #14371
pound ssl dev-infra-2.sigma-com.net => git.bring.out.ba
Closed
100%
Description
provide SSL access via the pound proxy
Files
Related tickets 1 (0 open, 1 closed)
Updated by Ernad Husremović about 18 years ago
http://osdir.com/ml/web.pound.general/2006-12/msg00036.html
I'm not exactly sure what I am doing wrong so I will try to detail what I have done in hopes that someone can give me some guidance.
First I started with a working Pound 2.1.7 install. HTTPS is working and happy.
Then I tried to add client side certificates, these are my steps:
1. Create a new CA
$ openssl req -new -x509 -days 3650 -keyout private/CAkey.pem -out CAcert.pem -config openssl.cnf
2. Create a certificate request and an unencrypted private key
$ openssl req -new -keyout key.pem -out req.pem -days 3650 -config openssl.cnf -nodes
3. Sign the certificate request with the CA's certificate and private key
$ cat req.pem key.pem > new-req.pem
$ openssl ca -policy policy_match -out out.pem -config openssl.cnf -infiles new-req.pem
4. Combine the certificate and key into one file
$ cat out.pem key.pem > cert.pem
5. Convert the pem format file to pkcs12 so it can be imported into the browser
$ openssl pkcs12 -export -in cert.pem -out cert.p12
I then import the cert.p12 file into the web browser with no error and it shows up under the client certs.
I add the following entries into pound.cfg:
CAlist "/etc/ssl/client_ca/CAcert.pem"
ClientCert 2 9
At this point when I try to connect to pound with the web browser (Firefox) a client cert is requested - cool! But, when I select the imported cert it is rejected by pound.
If I switch the pound.cfg to contain ClientCert 3 9 I actually get connected and the X-SSL-* headers are passed so I know that I am close, the browser is sending the cert, and only the validation phase is broken.
If anyone has any advice I would really appreciate it.
Thanks,
Craig
Updated by Ernad Husremović about 18 years ago
root@dev-infra-2:~/admin/pound# openssl req -new -keyout key-2.pem -out req-2.pem -days 3650 -nodes
Generating a 1024 bit RSA private key
.........++++++
..++++++
writing new private key to 'key-2.pem'
----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:BA
State or Province Name (full name) [Some-State]:BiH
Locality Name (eg, city) []:Sarajevo
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bring.out.ba
Organizational Unit Name (eg, section) []:web
Common Name (eg, YOUR name) []:hernad
Email Address []:hernad@sigma-com.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@dev-infra-2:~/admin/pound# cat req-2.pem key-2.pem > new-req-2.pem
root@dev-infra-2:~/admin/pound# openssl ca -policy policy_match -days 1500 -out out-2.pem -infiles new-req-2.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 26 (0x1a)
        Validity
            Not Before: May 27 13:36:34 2008 GMT
            Not After : Jul  5 13:36:34 2012 GMT
        Subject:
            countryName               = BA
            stateOrProvinceName       = BiH
            organizationName          = bring.out.ba
            organizationalUnitName    = web
            commonName                = hernad
            emailAddress              = hernad@sigma-com.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                C7:0B:8C:F4:6F:19:DE:B5:E7:22:65:07:BE:79:91:F7:76:DF:A6:FB
            X509v3 Authority Key Identifier:
                keyid:82:F7:21:43:7C:CB:94:F1:EA:FB:CF:C6:A9:CA:B0:9F:F5:2C:8A:1B
Certificate is to be certified until Jul 5 13:36:34 2012 GMT (1500 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Updated by Ernad Husremović about 18 years ago
root@dev-infra-2:~/admin/pound# cat out-2.pem key-2.pem > cert-2.pem
root@dev-infra-2:~/admin/pound# openssl pkcs12 -export -in cert-2.pem -out cert-2.p12
Enter Export Password: Verifying - Enter Export Password:
Updated by Ernad Husremović about 18 years ago
Following the self signed certificate setup I configured server.key (private key), server.crt (certificate), and client.crt (client certificate),
then converted client.crt into client.p12
Updated by Ernad Husremović about 18 years ago
On dev-infra-2 I added the following to /etc/pound/pound.cfg
for all HTTP traffic:
ListenHTTPS
    Address 0.0.0.0
    Port    443
    Cert    "/etc/pound/web_key_crt.pem"
    ClientCert 2 9
    CAlist  "/etc/pound/server.crt"
    VerifyList "/etc/pound/server.crt"
    HeadRemove "X-SSL-.*"
    Service
        BackEnd
            Address git.bring.out.ba
            Port    80
        End
        Session
            Type BASIC
            TTL  300
        End
    End
End
Updated by Ernad Husremović about 18 years ago
With cat server.crt server.key > /etc/pound/web_key_crt.pem I got
-----BEGIN CERTIFICATE-----
MIIC6jCCApSgAwIBAgIJAJVDRV0pYQjcMA0GCSqGSIb3DQEBBQUAMIGCMQswCQYD
... <<<<<<<<<< server.crt >>>>>>>>>>>>>>>>>>>>
ChMMYnJpbmcub3V0LmJhMQwwCgYDVQQLEwN3ZWIxDDAKBgNVBAMTA3dlYjEfMB0G
KoZIhvcNAQEFBQADQQBxF78NwrAr5Tqrle37jYdqQ0TR+8yPmknfi4iIuzExJ49V
4ZEpNC4XZQFoFavwVm8L6yQq0dv4u3BB+VoBq1Ed
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAM9HIS7lfnRbh...
... <<<<<<<<<<<server.key>>>>>>>>>>>> ...
gyxh+3I90KeKgtAwB01twfNOV...
-----END RSA PRIVATE KEY-----
Updated by Ernad Husremović about 18 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
On the client browser I installed the client.p12 private key; without it, access to the gitweb pages from the internet at https://git.sigma-com.net is not possible
and of course, on router-wan-sa-1 I set up git.sigma-com.net to point at dev-infra-2
Updated by Ernad Husremović about 18 years ago
- File client_server.tar.gpg added
- Assignee set to Ernad Husremović
Updated by Ernad Husremović about 18 years ago
gpg password = router-wan-sa pwd
Updated by Ernad Husremović about 18 years ago
It is important to note that the client certificate only started working once I added
CAlist "/etc/pound/server.crt" <<< list
VerifyList "/etc/pound/server.crt"
here is what the pound man page says
CAlist "CAcert_file"
    Set the list of "trusted" CA's for this server. The CAcert_file is a file containing a sequence of CA certificates (PEM format). The names of the defined CA certificates will be sent to the client on connection.
VerifyList "Verify_file"
    Set the CA (Certificate Authority). The Verify_file is a file that contains the CA root certificates (in PEM format).
    Please note: there is an important difference between the CAlist and the VerifyList. The CAlist tells the client (browser) which client certificates it should send. The VerifyList defines which CAs are actually used for the verification of the returned certificate.
without these two lines SSL still works (without client certificate authorization)
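The following script is an added example, not code from this ticket or from the Pound project. It reproduces the client certificate procedure from the journal entries above (CA, client key and CSR, signed certificate, PKCS#12 bundle for the browser) and then shows the point behind the CAlist/VerifyList note: Pound's "ClientCert 2" verification succeeds only when the file in VerifyList contains the CA that actually issued the client certificate, so verifying the same client certificate against an unrelated self-signed server certificate fails. It assumes only that the openssl command line tool is installed; every subject name, file name and password in it is invented for the example, and it uses openssl x509 -req for signing instead of openssl ca so that no CA database is needed.

```shell
#!/bin/sh
# Added example, not from the ticket or from Pound: reproduce the client
# certificate setup (CA, client cert, PKCS#12 for the browser) and show why
# the CA file named in VerifyList decides whether "ClientCert 2" accepts the
# certificate. Assumes the openssl CLI is installed; every name, subject and
# path below is invented for the example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system
# openssl.cnf; the DN is passed with -subj, so [dn] stays empty.
write_config() {
  cat > "$WORK/example.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
EOF
}

# Self-signed CA: the issuer that belongs in CAlist and VerifyList.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/example.cnf" -extensions ca_ext \
    -subj "/C=BA/O=example-org/CN=example client CA" \
    -keyout "$WORK/CAkey.pem" -out "$WORK/CAcert.pem" 2>/dev/null
}

# Self-signed server certificate, standing in for a server.crt that did
# NOT issue the client certificate and therefore cannot verify it.
make_server_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$WORK/example.cnf" -extensions leaf_ext \
    -subj "/C=BA/O=example-org/CN=git.example.invalid" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
}

# Client key + CSR, then sign the CSR with the CA.
make_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/example.cnf" \
    -subj "/C=BA/O=example-org/OU=web/CN=example-user" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 1500 -in "$WORK/client.csr" \
    -CA "$WORK/CAcert.pem" -CAkey "$WORK/CAkey.pem" -CAcreateserial \
    -extfile "$WORK/example.cnf" -extensions leaf_ext \
    -out "$WORK/client.crt" 2>/dev/null
}

# Bundle certificate and key as PKCS#12 for import into the browser.
make_p12() {
  openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
    -out "$WORK/client.p12" -passout pass:example 2>/dev/null
}

# Emulate Pound's verification step: does client.crt chain to the CA file
# that would be named in VerifyList? Prints "ok" or "fail".
verify_against() {
  out=$(openssl verify -CAfile "$1" "$WORK/client.crt" 2>&1) || true
  case "$out" in
    *": OK"*) echo ok ;;
    *)        echo fail ;;
  esac
}

# Issuer name the browser would be shown, taken from a CAlist file.
calist_name() {
  openssl x509 -in "$1" -noout -subject
}

setup_all() {
  write_config && make_ca && make_server_cert && make_client_cert && make_p12
}

main() {
  setup_all
  echo "CAlist advertises:            $(calist_name "$WORK/CAcert.pem")"
  echo "verify with the issuing CA:   $(verify_against "$WORK/CAcert.pem")"
  echo "verify with server.crt only:  $(verify_against "$WORK/server.crt")"
  echo "browser bundle:               $WORK/client.p12"
}

main
```

The first verification prints ok and the second prints fail: that is the same difference the ticket saw between a client certificate that Pound rejected under ClientCert 2 and one it accepted once CAlist and VerifyList pointed at the certificate that had signed it. Keeping a dedicated CA key for client certificates, rather than reusing the server key, means a compromised server key does not let an attacker mint accepted client certificates.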
Updated by Ernad Husremović about 18 years ago
- File client.p12.gpg added
hernad@nmraka-1:~/admin/pound$ gpg -c client.p12
Updated by Ernad Husremović about 18 years ago
- Subject changed from pound ssl to pound ssl dev-infra-2.sigma-com.net => git.bring.out.ba