Pound 2.6 does not include support for SAN attributes on secondary certificates. You would need to run 2.7 for that feature.
Joe

On 11/3/14, 3:18 PM, Todd Fleisher wrote:

I'm having a problem using SNI/SAN certificates along with wildcard certificates. I have several hosts/domains being served by pound (v2.6/pcidss) and, to simplify for the sake of this example, 2 Certs defined under ListenHTTPS.

CASE 1

If I order the certificates like this:

    Cert "/etc/ssl/private/wildcard.domain1.com.pem"
        # CN=*.domain1.com with X509v3 Subject Alternative Name: DNS:*.domain1.com, DNS:domain1.com
    Cert "/etc/ssl/private/domain2.com.pem"
        # CN=domain2.com with X509v3 Subject Alternative Name: DNS:domain2.com, DNS:www.domain2.com

Then I get the following behaviors:

1) Requests for https://domain1.com/ succeed
2) Requests for https://www.domain1.com/ succeed
3) Requests for https://domain2.com/ succeed
4) Requests for https://www.domain2.com/ fail due to a naming mismatch when pound presents them with the wildcard.domain1.com.pem certificate

CASE 2

If I order the certificates like this:

    Cert "/etc/ssl/private/domain2.com.pem"
        # CN=domain2.com with X509v3 Subject Alternative Name: DNS:domain2.com, DNS:www.domain2.com
    Cert "/etc/ssl/private/wildcard.domain1.com.pem"
        # CN=*.domain1.com with X509v3 Subject Alternative Name: DNS:*.domain1.com, DNS:domain1.com

Then I get the following behaviors:

1) Requests for https://domain1.com/ fail due to a naming mismatch when pound presents them with the domain2.com.pem certificate
2) Requests for https://www.domain1.com/ succeed
3) Requests for https://domain2.com/ succeed
4) Requests for https://www.domain2.com/ succeed

Unless I'm missing something in how to configure pound to allow all the various SANs and CNs to work together at the same time, this feels like a bug in how the certificate CN and SAN values are being handled when multiple certificates are configured. I'd appreciate any help in sorting this out from a configuration or code perspective.

Thanks,
Todd
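The following is an added example, not code from Pound or from either poster. It models the certificate selection Joe describes as a small simulation so the two cases above can be reproduced on a laptop: the model assumes (this is an assumption drawn from Joe's note and Todd's observed results, not from Pound's source) that for an SNI name the listener picks the first Cert whose CN matches (2.6) or whose CN or SAN matches (2.7), and otherwise sends the first Cert in ListenHTTPS as the default; the client, as browsers do, then validates the presented certificate against both CN and SAN. The certificate names are the ones from Todd's configuration; the file paths are shortened for readability.

```python
"""Simulate Pound's SNI certificate selection against the client's name check.

ASSUMPTION (not taken from Pound's source): a Cert directive is chosen for an
SNI name by matching the name against the certificate's CN only (2.6) or CN
plus SAN (2.7). With no match, the first Cert in ListenHTTPS is the default.
The client always validates the presented cert against CN and SAN.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Cert:
    path: str                      # the Cert "..." argument in pound.cfg
    cn: str                        # subject CommonName
    sans: List[str] = field(default_factory=list)   # X509v3 SAN DNS entries

    def names(self, include_san: bool) -> List[str]:
        return [self.cn] + (self.sans if include_san else [])


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*.example.com' covers exactly one label, so it
    matches www.example.com but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.com"
        if not host.endswith(suffix):
            return False
        first_label = host[: -len(suffix)]
        return bool(first_label) and "." not in first_label
    return pattern == host


def select_cert(certs: List[Cert], sni: str, san_on_secondary: bool) -> Cert:
    """Return the cert the listener sends for a ClientHello carrying `sni`."""
    for cert in certs:
        if any(name_matches(n, sni) for n in cert.names(san_on_secondary)):
            return cert
    return certs[0]                                # no match: default cert


def handshake(certs: List[Cert], host: str, san_on_secondary: bool) -> Tuple[str, bool]:
    """(presented cert path, whether the client accepts it for `host`)."""
    cert = select_cert(certs, host, san_on_secondary)
    accepted = any(name_matches(n, host) for n in cert.names(include_san=True))
    return cert.path, accepted


# Constructed from the certificates Todd describes (paths shortened).
WILDCARD = Cert("wildcard.domain1.com.pem", "*.domain1.com",
                ["*.domain1.com", "domain1.com"])
DOMAIN2 = Cert("domain2.com.pem", "domain2.com",
               ["domain2.com", "www.domain2.com"])
HOSTS = ["domain1.com", "www.domain1.com", "domain2.com", "www.domain2.com"]


def run_case(certs: List[Cert], san_on_secondary: bool = False) -> Dict[str, Tuple[str, bool]]:
    """Map each requested host to (cert presented, client accepted?)."""
    return {h: handshake(certs, h, san_on_secondary) for h in HOSTS}


if __name__ == "__main__":
    for label, order in (("CASE 1", [WILDCARD, DOMAIN2]), ("CASE 2", [DOMAIN2, WILDCARD])):
        for san in (False, True):
            print(f"{label} (SAN on secondary certs: {san})")
            for host, (path, ok) in run_case(order, san).items():
                print(f"  https://{host}/  ->  {path:26}  {'OK' if ok else 'NAME MISMATCH'}")
```

With SAN matching off, the model reproduces exactly the failures Todd reports (www.domain2.com in case 1, domain1.com in case 2); with it on, every host in both orders succeeds, which is the behaviour Joe attributes to 2.7. To confirm what a real listener presents for a given SNI name, use `openssl s_client -connect host:443 -servername www.domain2.com` and inspect the subject and SAN of the returned certificate.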