Hello Robert and Alessandro,

We get a similar error with a few certificates after upgrading from pound 2.7 to pound 2.8 on FreeBSD with openssl 1.0.2u.

A Tomcat behind the pound is reading the X-SSL-Certificate header, and the header seems to get truncated on a few certificates. Which version did you upgrade from?

I tried to set the MAXBUF (pound.h) from 4096 to 8192 (this seems to be also set in the new version 3) but this doesn't help. I will try to gather more information about this error. We first thought that the length of the certificate is the problem (good cert 1666 bytes, bad cert 1672 bytes) but that's not the case. Other longer certificates will work but a few others won't; I don't see a pattern there.

Kind Regards,

Henrik

On 15.10.20 at 20:42, pound-requ...@apsis.ch wrote:

Message: 1
Date: Thu, 15 Oct 2020 06:56:42 +0000
From: Alessandro Baldoni <alessandro.bald...@romagnafaentina.it>
To: "pound@apsis.ch" <pound@apsis.ch>
Cc: Robert Segall <ro...@apsis.ch>
Subject: Re: [pound] Pound-3.0e: Error when reading PEM file
Message-ID: <pr3pr10mb428607cf756463b946a8e33cfd...@pr3pr10mb4286.eurprd10.prod.outlook.com>
Content-Type: text/plain; charset="us-ascii"

Hello Robert, here is the output of pound and the content of the PEM file. I 
also tried converting the PEM to DER but the error is the same.

debug option 5 /root/Pound-3.0e/src/config.c:631
start get_others /root/Pound-3.0e/src/config.c:563
start get_backends /root/Pound-3.0e/src/config.c:123
addr pound.comunefaenza.local /root/Pound-3.0e/src/config.c:139
port 885 /root/Pound-3.0e/src/config.c:142
push /root/Pound-3.0e/src/config.c:168
addr easytraffic.comunefaenza.local /root/Pound-3.0e/src/config.c:139
port 80 /root/Pound-3.0e/src/config.c:142
push /root/Pound-3.0e/src/config.c:168
start get_http /root/Pound-3.0e/src/config.c:277
addr 192.168.1.72 /root/Pound-3.0e/src/config.c:291
port 888 /root/Pound-3.0e/src/config.c:294
start get_services /root/Pound-3.0e/src/config.c:209
HeadRequire Host: .*apps.* /root/Pound-3.0e/src/config.c:237
URL .*/google0a441f3c9d875eed.html /root/Pound-3.0e/src/config.c:228
push /root/Pound-3.0e/src/config.c:258
push /root/Pound-3.0e/src/config.c:320
start get_https /root/Pound-3.0e/src/config.c:488
address 192.168.1.72 /root/Pound-3.0e/src/config.c:509
port 890 /root/Pound-3.0e/src/config.c:512
start get_certificates /root/Pound-3.0e/src/config.c:451
start get_one(/etc/pound/comune.faenza.ra.it.pem) /root/Pound-3.0e/src/config.c:377
SNI: can't read key /etc/pound/comune.faenza.ra.it.pem, PK - Invalid key tag or value

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----



Unione della Romagna Faentina
dr. Alessandro Baldoni
Servizio Informatica
Via Severoli 7
48018 Faenza RA
0546 691224
alessandro.bald...@romagnafaentina.it
p...@cert.romagnafaentina.it
________________________________
From: Robert Segall via pound <pound@apsis.ch>
Sent: Tuesday, October 13, 2020 18:29
To: pound@apsis.ch <pound@apsis.ch>
Cc: Robert Segall <ro...@apsis.ch>
Subject: Re: [pound] Pound-3.0e: Error when reading PEM file

Hello Alessandro

Please run Pound with debug level 5 and show the result here, as well
as the PEM file in question (leave out the CONTENT of the private key)
and/or the certificate in human-readable form.

On Tue, 2020-10-13 at 16:21 +0000, Alessandro Baldoni via pound wrote:
Hello, I'm a pound 2 user and I'm trying out pound 3.0e.
In my test environment, when pound tries to read a PEM file (public
certificate+ca+private key) I get the error:

SNI: can't read key /etc/pound/comune.faenza.ra.it.pem

I've tinkered a bit with the source to get a more readable error:

SNI: can't read key /etc/pound/comune.faenza.ra.it.pem, PK - Invalid
key tag or value

The same file is correctly used by pound 2.

Kind regards,

Alessandro
--
Robert Segall
Apsis GmbH
Postfach, Uetikon am See, CH-8707
Tel: +41-32-512 30 19


--
pound mailing list
pound@apsis.ch
https://admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch
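
A structural check for a combined PEM file of the kind discussed in this thread (certificate, CA certificate, private key), as an added example that is not from the thread or from Pound: it lists each block's label and checks that the base64 body decodes to a DER SEQUENCE of the declared length. It does not reproduce Pound's parser; the function names and SAMPLE are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN/END lines with matching labels around a base64 body.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_outer(der):
    """Return (tag, declared_total_length) of the outermost DER element."""
    if len(der) < 2:
        raise ValueError("too short for a DER header")
    tag, first = der[0], der[1]
    if first < 0x80:                       # short-form length
        return tag, 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return tag, 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_pem(text):
    """List every PEM block as (label, decoded_bytes, problem_or_None)."""
    report = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            tag, total = der_outer(der)
        except ValueError as exc:          # binascii.Error is a ValueError
            report.append((label, 0, "undecodable: %s" % exc))
            continue
        problem = None
        if tag != 0x30:
            problem = "outer tag 0x%02x is not SEQUENCE (0x30)" % tag
        elif total != len(der):
            problem = "DER declares %d bytes, block holds %d" % (total, len(der))
        report.append((label, len(der), problem))
    return report

# Constructed sample: tiny stand-in DER values, not real certificates or keys.
SAMPLE = """-----BEGIN CERTIFICATE-----
MAMCAQA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQ==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, size, problem in inspect_pem(SAMPLE):
        print("%-16s %5d bytes  %s" % (label, size, problem or "ok"))
```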