On Wed, 2011-07-27 at 09:53 -0700, Amol Chiplunkar wrote:
> > Well, do your certs have the CNs properly set?
> >   
> How do I ensure that ?
> I am not even setting the CNs on the client side, just obtaining the
> cert via openssl

I suggest you look up how to do client cert verification in apache in
general. Just secure a simple directory on your server with it. Once
that works you just put a proxy statement in the Location section for
this directory.

> Besides, it looks like the issue is more with apache / ssl than
> anything else.
> ( Not IPS ) 

You're right, it's not an IPS issue. Try to get it working in general; if
you still have issues with the IPS part afterwards, we can go from there.

Erik

> thanks
> - Amol
> 
> > Erik
> > > > Erik
> > > > > > So you'd create a httpd.conf like this:
> > > > > > ---
> > > > > > SSLEngine On
> > > > > > 
> > > > > > # Cert paths
> > > > > > SSLCertificateFile /path/to/apache2/certs/server.crt
> > > > > > SSLCertificateKeyFile /path/to/apache2/certs/server.key
> > > > > > 
> > > > > > # intermediate CA cert
> > > > > > SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
> > > > > > 
> > > > > > # CA certs for client verification (concatenated in one file) 
> > > > > > SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
> > > > > > 
> > > > > > # CRL (optional)
> > > > > > SSLCARevocationFile /path/to/apache2/certs/crl.pem
> > > > > > 
> > > > > > <Location /private>
> > > > > >         SSLVerifyClient require
> > > > > >         SSLVerifyDepth 1
> > > > > >         # example: only certs with subject [email protected] are allowed
> > > > > >         SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
> > > > > >         ProxyPass http://depot_server:12345 nocanon max=500
> > > > > > </Location>
> > > > > > ---
> > > > > > 
> > > > > > Erik
> > > > > > 
> > > > > > > Thanks
> > > > > > > Amol
> > > > > > > 
> > > > > > > > Brock
> > > > > > > > 
> > > > > > > > > However, I would now expect
> > > > > > > > > pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
> > > > > > > > > to work!
> > > > > > > > > But it errors out saying
> > > > > > > > > Framework error: code: 35 reason: error:140770FC:SSL 
> > > > > > > > > routines:SSL23_GET_SERVER_HELLO:unknown protocol
> > > > > > > > > 
> > > > > > > > > Wondering if it's the right set of commands ?
> > > > > > > > > Is the approved-ca-cert meant to work with a reverse proxy in 
> > > > > > > > > the first place ??
> > > > > > > > > Because looking at the doc, it seems the cert has to be 
> > > > > > > > > configured with the actual IPS repo.
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > please suggest
> > > > > > > > > 
> > > > > > > > > thx
> > > > > > > > > - Amol
> > > > > > > > > 
> > > > > > > > > > Erik
> > > > > > > > > > 
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): 
> > > > > > > > > > > proxy: HTTP:
> > > > > > > > > > > canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): 
> > > > > > > > > > > [client ] proxy:
> > > > > > > > > > > http: found worker http://oc-4200m2-42:11000/IPS for
> > > > > > > > > > > http://oc-4200m2-42:11000/IPSversions/0/
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): 
> > > > > > > > > > > Running scheme http
> > > > > > > > > > > handler (attempt 0)
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] 
> > > > > > > > > > > mod_proxy_http.c(1966): proxy: HTTP:
> > > > > > > > > > > serving URL http://oc-4200m2-42:11000/IPSversions/0/
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): 
> > > > > > > > > > > proxy: HTTP: has
> > > > > > > > > > > acquired connection for (oc-4200m2-42)
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): 
> > > > > > > > > > > proxy: connecting
> > > > > > > > > > > http://oc-4200m2-42:11000/IPSversions/0/ to 
> > > > > > > > > > > oc-4200m2-42:11000
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): 
> > > > > > > > > > > proxy: connected
> > > > > > > > > > > /IPSversions/0/ to oc-4200m2-42:11000
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): 
> > > > > > > > > > > proxy: HTTP: fam
> > > > > > > > > > > 2 socket created to connect to oc-4200m2-42
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): 
> > > > > > > > > > > proxy: HTTP:
> > > > > > > > > > > connection complete to X.X.X.X:11000 (oc-4200m2-42)
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [error] an unknown filter was 
> > > > > > > > > > > not added: DEFLATE
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] 
> > > > > > > > > > > mod_proxy_http.c(1736): proxy: start
> > > > > > > > > > > body send
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] 
> > > > > > > > > > > mod_proxy_http.c(1840): proxy: end
> > > > > > > > > > > body send
> > > > > > > > > > > [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): 
> > > > > > > > > > > proxy: HTTP: has
> > > > > > > > > > > released connection for (oc-4200m2-42)
> > > > > > > > > > > 
> > > > > > > > > > > _______________________________________________
> > > > > > > > > > > pkg-discuss mailing list
> > > > > > > > > > > [email protected]
> > > > > > > > > > > http://mail.opensolaris.org/mailman/listinfo/pkg-discuss

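The SSLRequire line quoted above matches the client CN with a regex that is neither anchored nor escaped, so it also accepts any CN that merely contains the expected string. The following Python is an added example, not code from the thread; the one-line "/C=.../CN=..." DN format, the organisation name and the address user@example.com are assumptions standing in for the obfuscated value in Erik's config.

```python
import re

# Constructed sample DNs in the one-line form that Apache 2.2's SSL_CLIENT_S_DN
# exposes (format assumed). Names and addresses are made up; user@example.com
# stands in for the obfuscated address in the thread's SSLRequire line.
EXPECTED_CN = "user@example.com"
SAMPLE_DNS = [
    "/C=US/O=Example Corp/CN=user@example.com",              # the intended user
    "/C=US/O=Example Corp/CN=other-user@example.com",        # contains the string
    "/C=US/O=Example Corp/CN=user@example.com.example.net",  # string as a prefix
    "/C=US/O=Example Corp/CN=user@exampleXcom",              # unescaped '.' matches X
]


def cn_from_dn(dn):
    """Return the CN attribute of a one-line DN (what SSL_CLIENT_S_DN_CN holds), or None."""
    for part in dn.split("/"):
        if part.startswith("CN="):
            return part[len("CN="):]
    return None


def unanchored_match(cn, expected):
    """Mimics the thread's rule, SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/expected/ ):
    mod_ssl performs a plain regex search, so the pattern is neither anchored nor escaped."""
    return re.search(expected, cn) is not None


def exact_match(cn, expected):
    """Hardened rule: anchor and escape the pattern, i.e. m/^user@example\\.com$/,
    so that only the exact CN is authorized."""
    return re.fullmatch(re.escape(expected), cn) is not None


def evaluate(dns, expected):
    """Return {cn: (unanchored_result, exact_result)} for each sample DN."""
    results = {}
    for dn in dns:
        cn = cn_from_dn(dn)
        results[cn] = (unanchored_match(cn, expected), exact_match(cn, expected))
    return results


if __name__ == "__main__":
    for cn, (loose, strict) in evaluate(SAMPLE_DNS, EXPECTED_CN).items():
        print(f"{cn:32}  unanchored={loose!s:5}  anchored={strict}")
```

Only the first sample CN passes the anchored rule; the other three pass the thread's original pattern.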