On Wed, 2011-08-10 at 16:20 -0700, Amol Chiplunkar wrote:
> Revisiting this again...
> It's working perfectly fine when the host name is part of the pkg
> set-publisher URL argument.
>
> However, if the web server is accessible only with the IP address or via
> FQDN, the SSL handshake fails. I presume it won't also work for localhost,
> and any host aliases.
> I tried providing "*.hostname" or "hostname.*" as common name, but it
> did not work.
> I don't think URL redirection is possible before the SSL handshake.
>
> Is there a way to disable the Common Name check when pkg set-publisher
> connects to an https port, and when the certificate is already present in
> the trust store?

Have you tried to create a certificate with subjectAltName and set this to
all the URLs you want to work:

http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

Erik

>
> thanks
> - Amol
>
>
> On 7/27/2011 4:02 PM, Amol Chiplunkar wrote:
> > On 07/27/11 13:00, Erik Trauschke wrote:
> >> On Wed, 2011-07-27 at 10:32 -0700, Amol Chiplunkar wrote:
> >>> On 7/27/2011 10:16 AM, Erik Trauschke wrote:
> >>>> On Wed, 2011-07-27 at 09:53 -0700, Amol Chiplunkar wrote:
> >>>>
> >>>>>> Well, do your certs have the CNs properly set?
> >
> > Well that was it.
> > I changed the cert generation process to correctly pick up a CN and
> > it's working now!!
> > Thanks a lot!
> >
> > - Amol
> >
> >>>>> How do I ensure that?
> >>>>> I am not even setting the CNs on the client side, just obtaining the
> >>>>> cert via openssl
> >>>> I suggest you look up how to do client cert verification in apache in
> >>>> general.
> >>> oh wait..
> >>> So when pkg runs, is it trying to just verify the server (by
> >>> validating its cert)
> >>> or is it trying to request the webserver to authenticate it as a
> >>> client?
> >>>
> >>> My understanding is it's the former (just trying to validate the
> >>> cert)
> >>
> >> Both are happening. The client is verifying the server's cert against its
> >> stored CA certs. The server is verifying the cert the client presents to
> >> it to verify if the user is allowed to have access to this location.
> >>
> >> I don't know what you are trying to achieve but if you just want to have
> >> SSL-protected pkg transfers you don't need client verification. This is
> >> just required if you want to limit access to users with the right cert.
> >>
> >> Erik
> >>
> >>> thanks
> >>> - Amol
> >>>
> >>>> Just secure a simple directory on your server with it. Once
> >>>> that works you just put a proxy statement in the Location section for
> >>>> this directory.
> >>>>
> >>>>> Besides, it looks like the issue is more with apache / ssl than
> >>>>> anything else.
> >>>>> (Not IPS)
> >>>> You're right, it's not an IPS issue. Try to get it working in
> >>>> general; if you still have issues with the IPS part afterwards we can
> >>>> go from there.
> >>>>
> >>>> Erik
> >>>>
> >>>>> thanks
> >>>>> - Amol
> >>>>>
> >>>>>> Erik
> >>>>>>
> >>>>>>>> Erik
> >>>>>>>>
> >>>>>>>>>> So you'd create a httpd.conf like this:
> >>>>>>>>>> ---
> >>>>>>>>>> SSLEngine On
> >>>>>>>>>>
> >>>>>>>>>> # Cert paths
> >>>>>>>>>> SSLCertificateFile /path/to/apache2/certs/server.crt
> >>>>>>>>>> SSLCertificateKeyFile /path/to/apache2/certs/server.key
> >>>>>>>>>>
> >>>>>>>>>> # intermediate CA cert
> >>>>>>>>>> SSLCertificateChainFile /path/to/apache2/certs/ca_intermediate.pem
> >>>>>>>>>>
> >>>>>>>>>> # CA certs for client verification (concatenated in one file)
> >>>>>>>>>> SSLCACertificateFile /path/to/apache2/certs/ca_combined.pem
> >>>>>>>>>>
> >>>>>>>>>> # CRL (optional)
> >>>>>>>>>> SSLCARevocationFile /path/to/apache2/certs/crl.pem
> >>>>>>>>>>
> >>>>>>>>>> <Location /private>
> >>>>>>>>>>     SSLVerifyClient require
> >>>>>>>>>>     SSLVerifyDepth 1
> >>>>>>>>>>     # example: only certs with subject [email protected] are allowed
> >>>>>>>>>>     SSLRequire ( %{SSL_CLIENT_S_DN_CN} =~ m/[email protected]/ )
> >>>>>>>>>>     ProxyPass http://depot_server:12345 nocanon max=500
> >>>>>>>>>> </Location>
> >>>>>>>>>> ---
> >>>>>>>>>>
> >>>>>>>>>> Erik
> >>>>>>>>>>
> >>>>>>>>>>> Thanks
> >>>>>>>>>>> Amol
> >>>>>>>>>>>
> >>>>>>>>>>>> Brock
> >>>>>>>>>>>>
> >>>>>>>>>>>>> However, I would now expect
> >>>>>>>>>>>>>   pkg set-publisher -G '*' -g https://Host:<secure http port> solaris
> >>>>>>>>>>>>> to work!
> >>>>>>>>>>>>> But it errors out saying
> >>>>>>>>>>>>>   Framework error: code: 35 reason: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Wondering if it's the right set of commands?
> >>>>>>>>>>>>> Is the approved-ca-cert meant to work with a reverse proxy
> >>>>>>>>>>>>> in the first place??
> >>>>>>>>>>>>> Because looking at the doc, it seems the cert has to be
> >>>>>>>>>>>>> configured with the actual IPS repo.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> please suggest
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> thx
> >>>>>>>>>>>>> - Amol
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Erik
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(56): proxy: HTTP: canonicalising URL //oc-4200m2-42:11000/IPSversions/0/
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(1506): [client ] proxy: http: found worker http://oc-4200m2-42:11000/IPS for http://oc-4200m2-42:11000/IPSversions/0/
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy.c(993): Running scheme http handler (attempt 0)
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1966): proxy: HTTP: serving URL http://oc-4200m2-42:11000/IPSversions/0/
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2011): proxy: HTTP: has acquired connection for (oc-4200m2-42)
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2067): proxy: connecting http://oc-4200m2-42:11000/IPSversions/0/ to oc-4200m2-42:11000
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2193): proxy: connected /IPSversions/0/ to oc-4200m2-42:11000
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2444): proxy: HTTP: fam 2 socket created to connect to oc-4200m2-42
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2576): proxy: HTTP: connection complete to X.X.X.X:11000 (oc-4200m2-42)
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [error] an unknown filter was not added: DEFLATE
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1736): proxy: start body send
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] mod_proxy_http.c(1840): proxy: end body send
> >>>>>>>>>>>>>>> [Mon Jul 18 17:24:01 2011] [debug] proxy_util.c(2029): proxy: HTTP: has released connection for (oc-4200m2-42)
> >>>>>>>>>>>>>>>

_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
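The failure Amol describes (a cert that works for the short host name but not for the IP address, FQDN or localhost, and CNs like "*.hostname" that do not help) follows from the standard server-identity matching rules. The following is an added illustration written for this page, not code from pkg(5) or libcurl: it models those rules on certificate dicts shaped like `ssl.SSLSocket.getpeercert()` output, with constructed sample certificates for the CN-only case and for the subjectAltName cert Erik suggests.

```python
"""Model of the TLS server-identity check behind the failure in this thread.
Constructed illustration, not pkg(5) or libcurl code; cert dicts mimic the shape
of ssl.SSLSocket.getpeercert() ('subject' RDN tuples, optional 'subjectAltName')."""
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match. '*' may replace only the whole leftmost label
    and (curl's rule) at least two labels must follow it, so '*.hostname' or
    'hostname.*' can never match a single-label host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_matches(cert: dict, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is a valid identity of `cert`."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if san:
        # With a SAN present the CN is ignored, and an IP literal in the URL only
        # matches an iPAddress entry, never a dNSName or the CN.
        if ip is not None:
            return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                       for k, v in san)
        return any(k == "DNS" and _dns_match(v, host) for k, v in san)
    if ip is not None:
        return False  # legacy CN fallback applies to DNS names only
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)

# Constructed sample certs: the CN-only cert of the first attempt, and the
# subjectAltName cert Erik proposes, listing every name the depot is reached by.
CN_ONLY_CERT = {"subject": ((("commonName", "repo"),),)}
SAN_CERT = {
    "subject": ((("commonName", "repo"),),),
    "subjectAltName": (("DNS", "repo"), ("DNS", "repo.example.com"),
                       ("DNS", "localhost"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for host in ("repo", "repo.example.com", "localhost", "192.0.2.10"):
        print(f"{host:18} CN-only={cert_matches(CN_ONLY_CERT, host)!s:5} "
              f"SAN={cert_matches(SAN_CERT, host)}")
```

Run stand-alone it prints one row per name, showing the CN-only cert matching only `repo` while the SAN cert matches all four; the same reasoning explains why the SSLVerifyClient setup in the quoted httpd.conf is unaffected, since that checks the client's cert, not the server name.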
