Revisiting this again...
It's working perfectly fine when the host name is part of the pkg set-publisher URL argument.
However, if the web server is accessible only by IP address or via FQDN, the SSL handshake fails. I presume it also won't work for localhost, or for any host aliases.
I tried providing "*.hostname" or "hostname.*" as the common name, but it did not work.
I don't think URL redirection is possible before the SSL handshake.
Is there a way to disable the Common Name check when pkg set-publisher connects to an https port, when the certificate is already present in the trust store?
thanks
- Amol
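To make the failure mode above concrete, here is an added example (not pkg(5) or Apache code, and not from anyone in this thread) that reproduces the peer-name check a TLS client performs against a server certificate. The certificate dictionaries are constructed and follow the shape returned by Python's ssl.SSLSocket.getpeercert(); the host names and IP address in them are assumptions for illustration. It shows why a certificate whose only name is the short host name in its CN matches that name alone, why "*.hostname" matches nothing, and why the remedy on the server side is a certificate carrying subjectAltName entries for every name clients will use (short name, FQDN, IP address) rather than turning the check off.

```python
"""Peer-name matching as a TLS client does it (RFC 6125 style).

Added example, not pkg(5) or Apache code. The cert dicts are constructed
and mimic ssl.SSLSocket.getpeercert() output; names are assumptions.
"""
import ipaddress


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match.

    A wildcard is accepted only as the entire leftmost label, only when at
    least two more labels follow it, and it never spans a label boundary.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_names) the certificate is valid for.

    If a subjectAltName extension is present it is authoritative and the
    CN is ignored; only a cert with no SAN falls back to the CN.
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value)
    return dns, ips


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the name the client connected with passes verification."""
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is matched only against iPAddress SAN entries,
        # never against a CN or a dNSName, so a CN-only cert cannot pass.
        return any(ipaddress.ip_address(v) == ip for v in ips)
    return any(_dnsname_match(p, hostname) for p in dns)


# Constructed: a cert issued with only CN=oc-4200m2-42 and no SAN.
CN_ONLY_CERT = {"subject": ((("commonName", "oc-4200m2-42"),),)}

# Constructed: the "*.hostname" attempt from the thread.
WILDCARD_CN_CERT = {"subject": ((("commonName", "*.oc-4200m2-42"),),)}

# Constructed: the same server re-issued with SAN entries covering the
# short name, the FQDN and the IP address (assumed values).
SAN_CERT = {
    "subject": ((("commonName", "oc-4200m2-42"),),),
    "subjectAltName": (
        ("DNS", "oc-4200m2-42"),
        ("DNS", "oc-4200m2-42.example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

if __name__ == "__main__":
    for name in ("oc-4200m2-42", "oc-4200m2-42.example.com", "192.0.2.10"):
        print(f"{name:28s} CN-only: {hostname_matches(CN_ONLY_CERT, name)!s:5s}"
              f"  SAN: {hostname_matches(SAN_CERT, name)}")
```

Running the block prints one line per name: the CN-only certificate passes only for the bare short name, while the SAN-bearing certificate passes for all three, which is the same outcome pkg sees when it is pointed at the FQDN or IP of a server whose certificate was generated with just a CN.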
On 7/27/2011 4:02 PM, Amol Chiplunkar wrote:
On 07/27/11 13:00, Erik Trauschke wrote:
On Wed, 2011-07-27 at 10:32 -0700, Amol Chiplunkar wrote:
On 7/27/2011 10:16 AM, Erik Trauschke wrote:
On Wed, 2011-07-27 at 09:53 -0700, Amol Chiplunkar wrote:
Well, do your certs have the CNs properly set?
Well that was it.
I changed the cert generation process to correctly pick up a CN and it's working now!!
Thanks a lot!
- Amol
How do I ensure that?
I am not even setting the CNs on the client side, just obtaining the cert via openssl.
I suggest you look up how to do client cert verification in apache in general.
oh wait..
So when pkg runs, is it trying to just verify the server (by validating its cert), or is it trying to request the webserver to authenticate it as a client?
My understanding is it's the former (just trying to validate the cert).
Both are happening. The client is verifying the server's cert against its stored CA certs. The server is verifying the cert the client presents to it, to check whether the user is allowed to have access to this location.
I don't know what you are trying to achieve, but if you just want to have SSL-protected pkg transfers you don't need client verification. This is only required if you want to limit access to users with the right cert.
Erik
thanks
- Amol
Just secure a simple directory on your server with it. Once that works you just put a proxy statement in the Location section for this directory.
Besides, it looks like the issue is more with apache / ssl than anything else. (Not IPS)
You're right, it's not an IPS issue. Try to get it working in general; if you still have issues with the IPS part afterwards we can go from there.
Erik
thanks
- Amol
Erik
Erik
So you'd create a httpd.conf like this:
---
SSLEngine On
# Cert paths
SSLCertificateFile /path/to/apache2/certs/server.crt
SSLCertificateKeyFile /path/to/apache2/certs/server.key
# intermediate CA cert
SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
# CA certs for client verification (concatenated in one file)
SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
# CRL (optional)
SSLCARevocationFile /path/to/apache2/certs/crl.pem
<Location /private>
SSLVerifyClient require
SSLVerifyDepth 1
# example: only certs with subject [email protected] are allowed
SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
ProxyPass http://depot_server:12345 nocanon max=500
</Location>
---
Erik
Thanks
Amol
Brock
However, I would now expect
pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
to work!
But it errors out saying
Framework error: code: 35 reason: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Wondering if it's the right set of commands?
Is the approved-ca-cert meant to work with a reverse proxy in the first place?
Because looking at the doc, it seems the cert has to be configured with the actual IPS repo.
please suggest
thx
- Amol
Erik
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy: http: found worker http://oc-4200m2-42:11000/IPS for http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http handler (attempt 0)
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP: serving URL http://oc-4200m2-42:11000/IPSversions/0/
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has acquired connection for (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected /IPSversions/0/ to oc-4200m2-42:11000
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam 2 socket created to connect to oc-4200m2-42
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP: connection complete to X.X.X.X:11000 (oc-4200m2-42)
[Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added: DEFLATE
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start body send
[Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end body send
[Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has released connection for (oc-4200m2-42)
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss