Hi,

tl;dr: Does pound support SNI-enabled HTTPS backends?


I have pound working fine terminating HTTPS and passing it to HTTP backends, 
but I need to add another service which uses HTTPS on its own. So I've added:

ListenHTTPS
  HeadRemove "X-Forwarded-Proto"
  HeadRemove "X-Forwarded-For"
  AddHeader "X-Forwarded-Proto: https"
  Cert "/etc/ssl/private/wildcard-keycert_bundle.pem"
  Address 192.168.11.10
  Port 443

  Service
    HeadRequire "Host: .*www.domain.com.*"

    BackEnd
      Address 192.168.33.9
      Port 443
      HTTPS
    End

    BackEnd
      Address 192.168.33.10
      Port 443
      HTTPS
    End

  End
End

But the browser only gets 'The service is not available. Please try again 
later.' while syslog on the pound host only logs:

pound: BIO_do_handshake with 192.168.33.10:443 failed: 
error:00000000:lib(0):func(0):reason(0)


The BackEnd is Microsoft's Web Application Proxy, which I don't have direct 
access to, so I can't check its running config or logs, but I think it's 
SNI-enabled because:

If I curl it using its name I get what I expect, but when I only use its IP:
curl -kiv https://192.168.33.10
* Rebuilt URL to: https://192.168.33.10/
* Hostname was NOT found in DNS cache
* Trying 192.168.33.10...
* Connected to 192.168.33.10 (192.168.33.10) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
 CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to 192.168.33.10:443 
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to 192.168.33.10:443


The same goes for openssl s_client without the -servername param set:

openssl s_client -connect 192.168.33.10:443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

while with the proper name s_client connects and the certs get verified correctly.


Does anyone use pound with SNI backends?
If it's not supported yet, is it on the roadmap?

It seems my only option is to reconfigure WAP so it serves the site I'm 
interested in to be the default when SNI is not presented.

Thanks
Grzegorz

P.S.
It's my first post on this mailing list so please be gentle :)
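The curl and s_client runs above show the symptom (a reset before any certificate is sent) but leave the reader to infer the cause by hand. The following script is an added example, not code from the post or from the pound project: it performs the same two handshakes (one with no SNI extension in the ClientHello, one with a server name) from Python's standard ssl module and turns the pair of outcomes into a verdict, so a backend that needs SNI can be identified before it is put behind a proxy that cannot send it. The host, port and name are command-line arguments; the values in the usage comment are the ones from the post and are only illustrative.

```python
"""Probe whether a TLS backend requires SNI (added example, not from the post)."""
import socket
import ssl
import sys


def probe_tls(host, port=443, servername=None, timeout=5.0):
    """Attempt one TLS handshake and return (outcome, detail).

    servername=None sends no SNI extension at all; a string is sent as the
    SNI host name. Certificate verification is switched off because the only
    question here is whether the handshake completes, not whether the cert
    chains to a trusted CA.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=servername) as tls:
                return ("ok", "%s, %s" % (tls.version(), tls.cipher()[0]))
    except ConnectionResetError:
        # Matches s_client's "write:errno=104": the peer dropped the
        # connection instead of answering the ClientHello.
        return ("reset", "connection reset during handshake")
    except ssl.SSLError as exc:
        # Alert or protocol error, e.g. unrecognized_name or handshake_failure.
        return ("ssl_error", exc.reason or str(exc))
    except OSError as exc:
        # Refused, timed out, no route: not a TLS problem at all.
        return ("unreachable", str(exc))


def classify(without_sni, with_sni):
    """Combine the two probe results into a verdict for the proxy operator."""
    if without_sni[0] == "ok" and with_sni[0] == "ok":
        return "no-sni-needed"        # any proxy will do
    if without_sni[0] != "ok" and with_sni[0] == "ok":
        return "requires-sni"         # proxy must send the name, or backend needs a default site
    if without_sni[0] == "ok" and with_sni[0] != "ok":
        return "rejects-sni-name"     # backend has no binding for that name
    return "unreachable"


def check_backend(host, port, servername):
    """Run both probes against one backend and return (verdict, without, with)."""
    without = probe_tls(host, port, None)
    with_name = probe_tls(host, port, servername)
    return classify(without, with_name), without, with_name


if __name__ == "__main__":
    # usage: python sni_probe.py 192.168.33.10 443 www.domain.com
    if len(sys.argv) != 4:
        sys.exit("usage: %s HOST PORT SERVERNAME" % sys.argv[0])
    verdict, without, with_name = check_backend(sys.argv[1], int(sys.argv[2]), sys.argv[3])
    print("without SNI : %s (%s)" % without)
    print("with SNI    : %s (%s)" % with_name)
    print("verdict     : %s" % verdict)
```

A "requires-sni" verdict is exactly the situation described in the post: the proxy's handshake to the backend fails with no useful error because the backend resets before sending anything, and the fix is either a proxy that sends the name or a default site on the backend for connections that arrive without one.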
