On 07/27/11 13:00, Erik Trauschke wrote:
On Wed, 2011-07-27 at 10:32 -0700, Amol Chiplunkar wrote:
On 7/27/2011 10:16 AM, Erik Trauschke wrote:
On Wed, 2011-07-27 at 09:53 -0700, Amol Chiplunkar wrote:
Well, do your certs have the CNs properly set?
How do I ensure that ?
I am not even setting the CNs on the client side, just obtaining the
cert via openssl
I suggest you look up how to do client cert verification in apache in
general.
oh wait..
So when pkg runs, is it trying to just verify the server (by validating
its cert),
or is it trying to request the webserver to authenticate it as a client?
My understanding is it's the former (just trying to validate the cert).
Both are happening. The client is verifying the server's cert against its
stored CA certs. The server is verifying the cert the client presents to
it to verify if the user is allowed to have access to this location.
I see.
I don't know what you are trying to achieve but if you just want to have
SSL-protected pkg transfers you don't need client verification.
That's exactly what I am trying to do.
Basically I am trying to use (the reverse proxy) Apache's secure ssl
port to route the pkg downloads.
If I use the http port, it works now. But doesn't work when I use the https.
Do you mean I either need to use approve-ca-cert or -c <cert-file>?
Or
somehow disable the client cert check (either on the pkg side or on the
apache)?
thanks
- Amol
This is just required if you want to limit access to users with the right cert.
Erik
thanks
- Amol
Just secure a simple directory on your server with it. Once
that works you just put a proxy statement in the Location section for
this directory.
Besides, it looks like the issue is more with apache / ssl than
anything else.
( Not IPS )
You're right, it's not an IPS issue. Try to get it working in general; if
you still have issues with the IPS part afterwards we can go from there.
Erik
thanks
- Amol
Erik
Erik
So you'd create a httpd.conf like this:
---
SSLEngine On
# Cert paths
SSLCertificateFile /path/to/apache2/certs/server.crt
SSLCertificateKeyFile /path/to/apache2/certs/server.key
# intermediate CA cert
SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
# CA certs for client verification (concatenated in one file)
SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
# CRL (optional)
SSLCARevocationFile /path/to/apache2/certs/crl.pem
<Location /private>
SSLVerifyClient require
SSLVerifyDepth 1
# example: only certs with subject [email protected] are allowed
SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
ProxyPass http://depot_server:12345 nocanon max=500
</Location>
---
Erik
Thanks
Amol
Brock
However, I would now expect
pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
to work!
But it errors out saying
Framework error: code: 35 reason: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Wondering if it's the right set of commands?
Is the approved-ca-cert meant to work with a reverse proxy in the first place?
Because looking at the doc, it seems the cert has to be configured with the
actual IPS repo.
please suggest
thx
- Amol
Erik
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy: http: found worker http://oc-4200m2-42:11000/IPS for http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http handler (attempt 0)
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP: serving URL http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has acquired connection for (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected /IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam 2 socket created to connect to oc-4200m2-42
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP: connection complete to X.X.X.X:11000 (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added: DEFLATE
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start body send
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end body send
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has released connection for (oc-4200m2-42)
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
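The "Framework error: code: 35 reason: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol" failure quoted in the thread is worth decoding before touching any certificate settings, because it is not a certificate error at all: OpenSSL reports "unknown protocol" from SSL23_GET_SERVER_HELLO when the bytes that come back in place of a ServerHello are not a TLS record, which is what happens when a TLS client is pointed at a port that speaks plain HTTP. The script below is an added example, not code from the thread or from pkg/Apache; it unpacks the OpenSSL error code (8-bit library, 12-bit function, 12-bit reason, with the three names taken from OpenSSL 1.0.x headers) and classifies a constructed sample of what a port answered, so the two causes can be told apart from a log line and a packet capture. The sample HTTP and TLS replies are constructed, and the hint strings are this example's own wording.

```python
import re

# OpenSSL packs an error as ERR_PACK(lib, func, reason): 8-bit library number,
# 12-bit function number, 12-bit reason number. Only the three names needed for
# the code quoted in the thread are tabulated (OpenSSL 1.0.x numbering); any
# other value is reported as its raw number.
ERR_LIBS = {20: "SSL routines"}
SSL_FUNCS = {119: "SSL23_GET_SERVER_HELLO"}
SSL_REASONS = {252: "unknown protocol"}

FRAMEWORK_RE = re.compile(
    r"Framework error: code: (\d+) reason: error:([0-9A-Fa-f]{8}):"
)

# Constructed samples (not captured from a real system).
SAMPLE_ERROR = ("Framework error: code: 35 reason: error:140770FC:SSL routines:"
                "SSL23_GET_SERVER_HELLO:unknown protocol")
SAMPLE_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\n"      # plain-HTTP port answering a ClientHello
SAMPLE_TLS_REPLY = bytes([0x16, 0x03, 0x01, 0x00, 0x4A])  # TLS handshake record header


def unpack_openssl_error(code):
    """Split a packed OpenSSL error code into (library, function, reason) names."""
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    return (
        ERR_LIBS.get(lib, "lib %d" % lib),
        SSL_FUNCS.get(func, "func %d" % func),
        SSL_REASONS.get(reason, "reason %d" % reason),
    )


def parse_framework_error(line):
    """Parse a pkg 'Framework error' line; returns None if the line is not one."""
    m = FRAMEWORK_RE.search(line)
    if not m:
        return None
    lib, func, reason = unpack_openssl_error(int(m.group(2), 16))
    return {"framework_code": int(m.group(1)), "lib": lib,
            "func": func, "reason": reason}


def classify_server_reply(first_bytes):
    """Classify the first bytes a port sends back after a TLS ClientHello."""
    if (len(first_bytes) >= 3 and first_bytes[0] in (0x15, 0x16)
            and first_bytes[1] == 0x03):
        # TLS record header: type 0x16 = handshake (ServerHello), 0x15 = alert;
        # 0x03 = SSL3/TLS major version byte.
        return "tls"
    if first_bytes.startswith(b"HTTP/"):
        return "plain-http"
    return "unknown"


def diagnose(error_line, server_reply=b""):
    """Combine the decoded error with what the port actually answered."""
    parsed = parse_framework_error(error_line)
    if parsed is None:
        return "not a framework error"
    if (parsed["func"] == "SSL23_GET_SERVER_HELLO"
            and parsed["reason"] == "unknown protocol"):
        kind = classify_server_reply(server_reply)
        if kind == "plain-http":
            return ("port speaks plain HTTP: point pkg at the port of the vhost "
                    "with SSLEngine On, not the http port")
        if kind == "tls":
            return ("reply is a TLS record, so a plain-HTTP port is not the cause; "
                    "capture the full handshake")
        return "no TLS ServerHello received: check that the port has SSLEngine On"
    return "%s / %s / %s" % (parsed["lib"], parsed["func"], parsed["reason"])


if __name__ == "__main__":
    print(parse_framework_error(SAMPLE_ERROR))
    print(diagnose(SAMPLE_ERROR, SAMPLE_HTTP_REPLY))
```

Run against the thread's own error line, the decoder yields library 20 (SSL routines), function 119 (SSL23_GET_SERVER_HELLO) and reason 252 (unknown protocol), and with a plain-HTTP reply it points at the port, which is consistent with the earlier observation that the same setup works over the http port and fails over https.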