Hello Henrik, the cert I'm using works fine with pound 2.8 on CentOS 6 (openssl 1.0.1e). I'm getting the error with pound 3.0e, which no longer uses openssl but mbedtls.
Alessandro

________________________________
From: Henrik Rosenke via pound <[email protected]>
Sent: Thursday, October 15, 2020 21:15
To: [email protected] <[email protected]>
Cc: Henrik Rosenke <[email protected]>
Subject: Re: [pound] Pound-3.0e: Error when reading PEM file

Hello Robert and Alessandro,

we get a similar error with a few certificates after upgrading from pound 2.7 to pound 2.8 on FreeBSD with openssl 1.0.2u. A Tomcat behind the pound is reading the X-SSL-Certificate header and the header seems to get truncated on a few certificates. Which version did you upgrade from?

I tried to set the MAXBUF (pound.h) from 4096 to 8192 (this seems to be also set in the new 3. version) but this doesn't help. I will try to gather more information about this error.

We first thought that the length of the certificate is the problem (good cert 1666 bytes, bad cert 1672 bytes) but that's not the case. Other longer certificates will work but a few others won't, I don't see a pattern there.

Kind Regards,
Henrik

On 15.10.20 at 20:42, [email protected] wrote:
> Message: 1
> Date: Thu, 15 Oct 2020 06:56:42 +0000
> From: Alessandro Baldoni <[email protected]>
> To: "[email protected]" <[email protected]>
> Cc: Robert Segall <[email protected]>
> Subject: Re: [pound] Pound-3.0e: Error when reading PEM file
>
> Hello Robert, here is the output of pound and the content of the PEM file. I also tried converting the PEM to DER but the error is the same.
>
> debug option 5 /root/Pound-3.0e/src/config.c:631
> start get_others /root/Pound-3.0e/src/config.c:563
> start get_backends /root/Pound-3.0e/src/config.c:123
> addr pound.comunefaenza.local /root/Pound-3.0e/src/config.c:139
> port 885 /root/Pound-3.0e/src/config.c:142
> push /root/Pound-3.0e/src/config.c:168
> addr easytraffic.comunefaenza.local /root/Pound-3.0e/src/config.c:139
> port 80 /root/Pound-3.0e/src/config.c:142
> push /root/Pound-3.0e/src/config.c:168
> start get_http /root/Pound-3.0e/src/config.c:277
> addr 192.168.1.72 /root/Pound-3.0e/src/config.c:291
> port 888 /root/Pound-3.0e/src/config.c:294
> start get_services /root/Pound-3.0e/src/config.c:209
> HeadRequire Host: .*apps.* /root/Pound-3.0e/src/config.c:237
> URL .*/google0a441f3c9d875eed.html /root/Pound-3.0e/src/config.c:228
> push /root/Pound-3.0e/src/config.c:258
> push /root/Pound-3.0e/src/config.c:320
> start get_https /root/Pound-3.0e/src/config.c:488
> address 192.168.1.72 /root/Pound-3.0e/src/config.c:509
> port 890 /root/Pound-3.0e/src/config.c:512
> start get_certificates /root/Pound-3.0e/src/config.c:451
> start get_one(/etc/pound/comune.faenza.ra.it.pem) /root/Pound-3.0e/src/config.c:377
> SNI: can't read key /etc/pound/comune.faenza.ra.it.pem, PK - Invalid key tag or value
>
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
>
> Unione della Romagna Faentina
> dr. Alessandro Baldoni
> Servizio Informatica
> Via Severoli 7
> 48018 Faenza RA
> 0546 691224
> [email protected]
> [email protected]
> ________________________________
> From: Robert Segall via pound <[email protected]>
> Sent: Tuesday, October 13, 2020 18:29
> To: [email protected] <[email protected]>
> Cc: Robert Segall <[email protected]>
> Subject: Re: [pound] Pound-3.0e: Error when reading PEM file
>
> Hello Alessandro
>
> Please run Pound with debug level 5 and show the result here, as well as the PEM file in question (leave out the CONTENT of the private key) and/or the certificate in human-readable form.
>
> On Tue, 2020-10-13 at 16:21 +0000, Alessandro Baldoni via pound wrote:
>> Hello, I'm a pound 2 user and I'm trying out pound 3.0e.
>> In my test environment, when pound tries to read a PEM file (public certificate+ca+private key) I get the error:
>>
>> SNI: can't read key /etc/pound/comune.faenza.ra.it.pem
>>
>> I've tinkered a bit with the source to get a more readable error:
>>
>> SNI: can't read key /etc/pound/comune.faenza.ra.it.pem, PK - Invalid key tag or value
>>
>> The same file is correctly used by pound 2.
>>
>> Kind regards,
>>
>> Alessandro
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-32-512 30 19
>
> --
> pound mailing list
> [email protected]
> https://admin.hostpoint.ch/mailman/listinfo/pound_apsis.ch
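A way to triage a PEM bundle like the one in this thread (certificate + CA + private key) before handing it to a TLS library, added here as an example and not code from Pound, mbedtls or the posters: it lists every block and checks that each decoded body is exactly one DER SEQUENCE. The function names and the sample bundle are constructed for illustration, and the check is structural only; it does not reproduce any library's key parser.

```python
import base64
import re

# One PEM block; the END label must repeat the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def der_problem(der):
    """Return None if `der` is exactly one DER SEQUENCE, else a short reason."""
    if len(der) < 2:
        return "body too short"
    if der[0] != 0x30:
        return "outer tag 0x%02x is not SEQUENCE (0x30)" % der[0]
    if der[1] < 0x80:                     # short form: one length byte
        header, length = 2, der[1]
    else:                                 # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return "bad length field"
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        return "declared %d bytes, found %d" % (header + length, len(der))
    return None

def inspect_bundle(text):
    """Return (label, der_length, problem) for every PEM block in `text`."""
    report = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines()]
        # RFC 1421 style headers mark a passphrase-protected key.
        if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines):
            report.append((label, 0, "encrypted key"))
            continue
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:
            report.append((label, 0, "invalid base64"))
            continue
        report.append((label, len(der), der_problem(der)))
    return report

# Constructed sample: a 5-byte DER SEQUENCE stands in for each real block.
GOOD = base64.b64encode(bytes.fromhex("3003020105")).decode()
CUT = base64.b64encode(bytes.fromhex("30030201")).decode()  # last byte missing
SAMPLE = (
    "-----BEGIN CERTIFICATE-----\n" + GOOD + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n" + CUT + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n-----END RSA PRIVATE KEY-----\n")
```

Calling `inspect_bundle(open(path).read())` on a real bundle shows the order and type of its blocks; a key block whose content was stripped for posting, as in the quoted message, is reported as too short.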
