Your message dated Thu, 05 Nov 2020 01:53:23 +0000
with message-id <e1kausp-0000aa...@fasolo.debian.org>
and subject line Bug#861089: fixed in pound 3.0-1
has caused the Debian Bug report #861089,
regarding Improve Handling of certificates for Pound [PATCH]
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
861089: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=861089
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: pound
Version: 2.7-1.3

Hi everyone,

This patch allows Pound to present ECDHA certificates to clients that
can use them while still presenting RSA certificates to older clients.

Robert de Bath <robert$@debath.co.uk>


Index: pound-2.7/config.c
===================================================================
This patch alters the way the "Cert" directive loads certificates and keys.

If the Common Name on the certificate is distinct from those on other
ones the operation is unchanged.  However, if the Common Name on this
certificate matches one used on a previous certificate this one will
be loaded into the same SSL context as the previous one. The result is
that if you load two (or three) certificates with different signature
algorithms, all the OpenSSL ciphers that require any of the loaded
algorithms will be available to communicate with the client.

This allows ECDHA certificates to be presented to clients that can use
them while still presenting RSA certificates to older clients.

--- pound-2.7.orig/config.c     2017-04-22 18:42:23.412469733 +0100
+++ pound-2.7/config.c  2017-04-22 18:43:16.020025597 +0100
@@ -1041,50 +1041,72 @@ parse_HTTPS(void)
 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
             /* we have support for SNI */
             FILE        *fcert;
-            char        server_name[MAXBUF], *cp;
+            char        server_name[MAXBUF], *cp, *server_cname;
             X509        *x509;
+           regmatch_t CN_matches[2];
+           int         extra_cert = 0;

             if(has_other)
conf_err("Cert directives MUST precede other SSL-specific directives - aborted");
+
+            lin[matches[1].rm_eo] = '\0';
+            if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
+                conf_err("ListenHTTPS: could not open certificate file");
+            if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
+                conf_err("ListenHTTPS: could not get certificate subject");
+            fclose(fcert);
+            memset(server_name, '\0', MAXBUF);
+ X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
+
+            if(!regexec(&CNName, server_name, 2, CN_matches, 0)) {
+                server_name[CN_matches[1].rm_eo] = '\0';
+ if((server_cname = strdup(server_name + CN_matches[1].rm_so)) == NULL) + conf_err("ListenHTTPS: could not set certificate subject");
+            } else
+                conf_err("ListenHTTPS: could not get certificate CN");
+
             if(res->ctx) {
                 for(pc = res->ctx; pc->next; pc = pc->next)
-                    ;
-                if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
- conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
-                pc = pc->next;
+                    if (strcmp(pc->server_name, server_cname) == 0) {
+                       extra_cert = 1;
+                       break;
+                   }
+               if (!extra_cert && strcmp(pc->server_name, server_cname) == 0)
+                   extra_cert = 1;
+
+               if (!extra_cert ) {
+                   if((pc->next = malloc(sizeof(POUND_CTX))) == NULL)
+ conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
+                   pc = pc->next;
+               }
             } else {
                 if((res->ctx = malloc(sizeof(POUND_CTX))) == NULL)
conf_err("ListenHTTPS new POUND_CTX: out of memory - aborted");
                 pc = res->ctx;
             }
-            if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
-                conf_err("SSL_CTX_new failed - aborted");
-            pc->server_name = NULL;
-            pc->next = NULL;
-            lin[matches[1].rm_eo] = '\0';
+
+           if (!extra_cert) {
+               if((pc->ctx = SSL_CTX_new(SSLv23_server_method())) == NULL)
+                   conf_err("SSL_CTX_new failed - aborted");
+               pc->server_name = NULL;
+               pc->next = NULL;
+           }
+
if(SSL_CTX_use_certificate_chain_file(pc->ctx, lin + matches[1].rm_so) != 1) conf_err("SSL_CTX_use_certificate_chain_file failed - aborted"); if(SSL_CTX_use_PrivateKey_file(pc->ctx, lin + matches[1].rm_so, SSL_FILETYPE_PEM) != 1)
                 conf_err("SSL_CTX_use_PrivateKey_file failed - aborted");
             if(SSL_CTX_check_private_key(pc->ctx) != 1)
                 conf_err("SSL_CTX_check_private_key failed - aborted");
-            if((fcert = fopen(lin + matches[1].rm_so, "r")) == NULL)
-                conf_err("ListenHTTPS: could not open certificate file");
-            if((x509 = PEM_read_X509(fcert, NULL, NULL, NULL)) == NULL)
-                conf_err("ListenHTTPS: could not get certificate subject");
-            fclose(fcert);
-            memset(server_name, '\0', MAXBUF);
- X509_NAME_oneline(X509_get_subject_name(x509), server_name, MAXBUF - 1);
-            pc->subjectAltNameCount = 0;
-            pc->subjectAltNames = NULL;
- pc->subjectAltNames = get_subjectaltnames(x509, &(pc->subjectAltNameCount));
+
+           if (!extra_cert) {
+               pc->server_name = server_cname;
+               pc->subjectAltNameCount = 0;
+               pc->subjectAltNames = NULL;
+ pc->subjectAltNames = get_subjectaltnames(x509, &(pc->subjectAltNameCount));
+           } else
+               free(server_cname;
             X509_free(x509);
-            if(!regexec(&CNName, server_name, 4, matches, 0)) {
-                server_name[matches[1].rm_eo] = '\0';
- if((pc->server_name = strdup(server_name + matches[1].rm_so)) == NULL) - conf_err("ListenHTTPS: could not set certificate subject");
-            } else
-                conf_err("ListenHTTPS: could not get certificate CN");
 #else
             /* no SNI support */
             if(has_other)
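Review bot: the `else` branch that handles an additional certificate ends in `free(server_cname;`, which is missing its closing parenthesis and will not compile; it should read `free(server_cname);`. Two further points in the same region: first, `get_subjectaltnames()` is only called inside `if (!extra_cert)`, so the subjectAltNames of a second certificate loaded into an existing context are never recorded and SNI matching keeps using only the first certificate's names; that is fine when both certificates cover the same hosts (the CN already has to match), but the description should say so, or the additional SANs should be merged into `pc->subjectAltNames`. Second, calling `SSL_CTX_use_certificate_chain_file()` a second time on the same `pc->ctx` relies on OpenSSL keeping a separate certificate slot per key type and, for the chain, on per-certificate chains (OpenSSL 1.0.2 and later); on older OpenSSL the extra chain certificates are shared by the context and the second load replaces the first chain, so the required OpenSSL version is worth stating in the patch description. Minor: the new lines mix three-space/tab and four-space indentation (for example the `regmatch_t CN_matches[2];` declaration and the `if (!extra_cert)` blocks); please match the surrounding four-space style.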



--
Rob.                          (Robert de Bath <robert$ @ debath.co.uk>)
                                             <http://www.debath.co.uk/>

--- End Message ---
--- Begin Message ---
Source: pound
Source-Version: 3.0-1
Done: Carsten Leonhardt <l...@debian.org>

We believe that the bug you reported is fixed in the latest version of
pound, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 861...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Carsten Leonhardt <l...@debian.org> (supplier of updated pound package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 05 Nov 2020 01:45:01 +0100
Source: pound
Architecture: source
Version: 3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Carsten Leonhardt <l...@debian.org>
Changed-By: Carsten Leonhardt <l...@debian.org>
Closes: 456667 490192 733820 861089
Changes:
 pound (3.0-1) unstable; urgency=medium
 .
   [ Carsten Leonhardt ]
   * New upstream version
     As pound 3.0 was rewritten from scratch, also most Ubuntu bug reports
     no longer apply (LP: #1189764, LP: #1398007, LP: #1639888)
   * Upstream is out of beta, upload to unstable
   * Add debian/NEWS to inform about new configuration format and file name
 .
   [ Debian Janitor ]
   * debian/copyright: use spaces rather than tabs to start continuation lines.
   * Remove obsolete fields Contact, Name from debian/upstream/metadata (already
     present in machine-readable debian/copyright).
   * Fix day-of-week for changelog entries 2.5-1.1, 2.4.3-1, 2.4.2-1, 2.4-2.
 .
 pound (3.0~e-1) experimental; urgency=medium
 .
   * Remove session timeout from default configuration, upstream fixed the
     bug this was a workaround for.
   * Add IPv6 listener to default configuration.
 .
 pound (3.0~d-2) experimental; urgency=medium
 .
   * Add a session timeout to default configuration to work around a bug in
     the upstream code
   * Change listening port to 8008 in default configuration, which
     hopefully is less used
 .
 pound (3.0~d-1) experimental; urgency=medium
 .
   * New experimental upstream version.
     Pound was completely rewritten, most bug reports no longer apply
     (Closes: #861089, #490192, #733820, #456667).
   * Update debian/watch file.
   * Adapt much of the packaging to the new version.
   * Complies with standards version 4.5.0
   * Raise debhelper compat level to 13
   * Run as user "_pound"

--- End Message ---
