Article delegate-en/1120 of [1-5169] on the server localhost:119
[Reference:<_A1117@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] sslway client auth problem
25 Apr 2001 06:48:28 GMT Roger Buck <peecabdyi-y44oklg5zdjr.ml@ml.delegate.org>
-= Studio of Arts And Sciences =-


After a lot of experimentation I found that Delegate is "choosy" about
paths.

For example, the sslway "-CApath dir" option would not work with
"-CApath /lib" where "lib" dir is a sub-dir of delegated chroot... it
would also not work with full path to system root
"/var/spool/nobody-delegated/lib".

> -- REPLYING TO THE FOLLOWING MESSAGE --
> From: Roger Buck <peecabdyi-y44oklg5zdjr.ml@ml.delegate.org>
> Date: 22 Apr 2001 11:32:36 GMT
> Message-ID: <_A1117@delegate-en.ML_>
> --
> Using delegated-7.1.2 + sslway on Linux RH6.2,
> I cannot get sslway to accept client certificates
> (server certificates load correctly).
> 
> First error message from delegated log is
> "unable to get local issuer certificate"


When I used "-CApath ./lib" or "-CApath lib" all was OK.

I experienced similar problems for "-CAfile".

After solving this problem, Delegate now correctly accepts client
certification (using -Vrfy) but I now have two new problems.

Following client verification, I get continuous prompts to re-load
certificate - maybe 5 or 6 times before I can view a single document.
Often the browser will crash suddenly (see above for version info).

Using same certificates and destination host:port setup, I do not have
same problem when using stunnel ( http://www.stunnel.org/ )


Does anyone have any ideas or hints to put me on right track?

Regards,

R.

I will append some (truncated) delegated log info:

04/25 15:18:19.81 [20419] 0+0: --INITIALIZATION START: 7.1.2 on
Linux/2.2.16-3--
04/25 15:18:19.81 [20420] 0+0: -- Fork(daemon): 1 -> 20420
04/25 15:18:19.81 [20420] 0+0:
server_open(delegate,203.28.124.35:443,listen=20)
04/25 15:18:19.82 [20420] 0+0: server_open: 203.28.124.35:443
04/25 15:18:19.82 [20420] 0+0: server_open(delegate,203.28.124.35:443)
BOUND
04/25 15:18:19.82 [20420] 0+0: ##DeleGate/6.X:
DGROOT=/var/spool/delegate-nobody is set automatically. DGROOT="" will
make it compatible with former versions.
04/25 15:18:19.82 [20420] 0+0: DGROOT=/var/spool/delegate-nobody^M
04/25 15:18:19.82 [20420] 0+0: <DeleGate/7.1.2 by ysato@delegate.org>
[20420] -P203.28.124.35:443 READY^M
04/25 15:18:19.82 [20420] 0+0: PORT= 203.28.124.35:443/7 (0,203)
04/25 15:18:19.82 [20420] 0+0: OWNER=nobody =>
OWNER=nobody/nobody(nobody/nobody)
04/25 15:18:19.82 [20420] 0+0: ##DeleGate/6.X: MIMECONV=thru is set by
default. MIMECONV="" will make it compatible with former versions.
04/25 15:18:19.82 [20420] 0+0: REMITTABLE = http,https,ftp,file
04/25 15:18:19.82 [20420] 0+0: LIBPATH: sslway ->
/var/spool/delegate-nobody/lib/sslway
04/25 15:18:19.82 [20420] 0+0: ADMIN=webmaster@saas..au
protocol=https(specialist)
04/25 15:18:19.82 [20420] 0+0: ##DeleGate/6.X: created directory/file
will be non-sharable. SHARE="" will make it compatible with former
versions.
04/25 15:18:19.82 [20420] 0+0:
WORKDIR=/var/spool/delegate-nobody/work/203.28.124.35:443
04/25 15:18:19.82 [20420] 0+0: MOUNT[0]=[0] /-* = 
04/25 15:18:19.82 [20420] 0+0: MOUNT[1]=[1] /=* = 
04/25 15:18:19.82 [20420] 0+0: MOUNT[2]=[2] /* http://203.28.124.13/* 
04/25 15:18:19.82 [20420] 0+0: env[19]
LIBPATH=.:/var/spool/delegate-nobody:/var/spool/delegate-nobody/lib:/var/spool/delegate-nobody/bin
04/25 15:18:19.82 [20420] 0+0: arg[2] ADMIN=webmaster@saas..au
04/25 15:18:19.82 [20420] 0+0: arg[4] FCL=sslway -Vrfy -CApath ./lib
04/25 15:18:19.82 [20420] 0+0: arg[5] SERVER=https
04/25 15:18:19.82 [20420] 0+0: arg[6] RELAY=novhost
04/25 15:18:19.82 [20420] 0+0: arg[7] MOUNT=/* http://203.28.124.13/*
04/25 15:18:19.82 [20420] 0+0: arg[8] PERMIT=*:*:*
04/25 15:18:19.82 [20420] 0+0: arg[9]
REACHABLE=.localnet,203.28.124.*,202.14.128.*
04/25 15:18:19.82 [20420] 0+0: arg[10] RELIABLE=*
04/25 15:18:19.82 [20420] 0+0: arg[11] REMITTABLE=http,https,ftp,file
04/25 15:18:19.82 [20420] 0+0: arg[12] CACHE=no
04/25 15:18:19.82 [20420] 0+0: arg[13] CRON=15 2 * * * -expire 3
04/25 15:18:19.82 [20420] 0+0: arg[14] CRON=45 2 * * * -restart
04/25 15:18:19.82 [20420] 0+0: DELEGATE_Modified[1]: 3ae65e1b
04/25 15:18:19.82 [20420] 0+0: --INITIALIZATION DONE--
04/25 15:18:34.33 [20421] 1+0: -- Fork(OnetimeServer): 20420 -> 20421
04/25 15:18:34.33 [20421] 1+0: (0) accepted [22]
-@[203.28.124.38]nux.saas.nsw.edu.au:4511 (0.004s)(1)
04/25 15:18:34.33 [20421] 1+0: PATH:
https://-:443!gw.saas.nsw.edu.au:443!nux.saas.nsw.edu.au:4511!anonymous@nux.saas.nsw.edu.au;988175914
04/25 15:18:34.34 [20422] 1+0: -- Fork(FCL): 20421 -> 20422
04/25 15:18:34.34 [20422] 1+0: #### execFilter[FCL]
[/var/spool/delegate-nobody/lib/sslway]sslway -Vrfy -CApath ./lib
04/25 15:18:34.35 [20423] 2+0: -- Fork(OnetimeServer): 20420 -> 20423
04/25 15:18:34.35 [20423] 2+0: (2) accepted [42]
-@[203.28.124.38]nux.saas.nsw.edu.au:4512 (0.004s)(2)
04/25 15:18:34.35 [20423] 2+0: PATH:
https://-:443!gw.saas.nsw.edu.au:443!nux.saas.nsw.edu.au:4512!anonymous@nux.saas.nsw.edu.au;988175914
04/25 15:18:34.35 [20424] 2+0: -- Fork(FCL): 20423 -> 20424
04/25 15:18:34.36 [20424] 2+0: #### execFilter[FCL]
[/var/spool/delegate-nobody/lib/sslway]sslway -Vrfy -CApath ./lib
04/25 15:18:34.37 [20425] 3+0: -- Fork(OnetimeServer): 20420 -> 20425
04/25 15:18:34.37 [20425] 3+0: (4) accepted [30]
-@[203.28.124.38]nux.saas.nsw.edu.au:4513 (0.004s)(3)
04/25 15:18:34.37 [20425] 3+0: PATH:
https://-:443!gw.saas.nsw.edu.au:443!nux.saas.nsw.edu.au:4513!anonymous@nux.saas.nsw.edu.au;988175914
04/25 15:18:34.37 [20426] 3+0: -- Fork(FCL): 20425 -> 20426
04/25 15:18:34.38 [20426] 3+0: #### execFilter[FCL]
[/var/spool/delegate-nobody/lib/sslway]sslway -Vrfy -CApath ./lib
04/25 15:18:34.39 [20427] 4+0: -- Fork(OnetimeServer): 20420 -> 20427
04/25 15:18:34.39 [20427] 4+0: (6) accepted [49]
-@[203.28.124.38]nux.saas.nsw.edu.au:4514 (0.004s)(4)
04/25 15:18:34.39 [20427] 4+0: PATH:
https://-:443!gw.saas.nsw.edu.au:443!nux.saas.nsw.edu.au:4514!anonymous@nux.saas.nsw.edu.au;988175914
04/25 15:18:34.39 [20428] 4+0: -- Fork(FCL): 20427 -> 20428
04/25 15:18:34.40 [20428] 4+0: #### execFilter[FCL]
[/var/spool/delegate-nobody/lib/sslway]sslway -Vrfy -CApath ./lib
## SSLway[20426](nux.saas.nsw.edu.au) depth=2/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-ROOT/Email=webmaster@saas..au
## SSLway[20426](nux.saas.nsw.edu.au) depth=1/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-AUTH/Email=webmaster@saas..au
## SSLway[20426](nux.saas.nsw.edu.au) depth=0/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=Roger
Buck/Email=peecabdyi-y44oklg5zdjr.ml@ml.delegate.org
## SSLway[20428](nux.saas.nsw.edu.au) depth=2/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-ROOT/Email=webmaster@saas..au
## SSLway[20428](nux.saas.nsw.edu.au) depth=1/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-AUTH/Email=webmaster@saas..au
## SSLway[20428](nux.saas.nsw.edu.au) depth=0/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=Roger
Buck/Email=peecabdyi-y44oklg5zdjr.ml@ml.delegate.org
## SSLway[20424](nux.saas.nsw.edu.au) depth=2/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-ROOT/Email=webmaster@saas..au
## SSLway[20424](nux.saas.nsw.edu.au) depth=1/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-AUTH/Email=webmaster@saas..au
## SSLway[20424](nux.saas.nsw.edu.au) depth=0/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=Roger
Buck/Email=peecabdyi-y44oklg5zdjr.ml@ml.delegate.org
## SSLway[20422](nux.saas.nsw.edu.au) depth=2/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-ROOT/Email=webmaster@saas..au
## SSLway[20422](nux.saas.nsw.edu.au) depth=1/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-AUTH/Email=webmaster@saas..au
## SSLway[20422](nux.saas.nsw.edu.au) depth=0/-1 0:"ok"
/C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=Roger
Buck/Email=peecabdyi-y44oklg5zdjr.ml@ml.delegate.org
## SSLway[20426](nux.saas.nsw.edu.au) client's cert. =
**subject<</C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=Roger
Buck/Email=peecabdyi-y44oklg5zdjr.ml@ml.delegate.org>>
**issuer<</C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-AUTH/Email=webmaster@saas..au>>
04/25 15:18:38.69 [20425] 3+0: Proxy: host=nux.saas.nsw.edu.au;
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-14 i686); DIRECT
04/25 15:18:38.69 [20425] 3+0: HCKA:[0] Keep-Alive;
host=nux.saas.nsw.edu.au; (User-Agent: Mozilla/4.76 [en] (X11; U; Linux
2.2.17-14 i686))
04/25 15:18:38.69 [20425] 3+0: ***
/_derived/leadteac.htm_cmp_n110_gbtn.gif =>
http://203.28.124.13/_derived/leadteac.htm_cmp_n110_gbtn.gif ***
04/25 15:18:38.69 [20425] 3+0: REQUEST - GET
/_derived/leadteac.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.69 [20425] 3+0: ***
/_derived/leadteac.htm_cmp_n110_gbtn.gif =>
http://203.28.124.13/_derived/leadteac.htm_cmp_n110_gbtn.gif ***
04/25 15:18:38.69 [20425] 3+0: REQUEST +M
http://203.28.124.13/_derived/leadteac.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.69 [20425] 3+0: PATH>
http://203.28.124.13:80!gw.saas.nsw.edu.au:443!nux.saas.nsw.edu.au:4513!anonymous@nux.saas.nsw.edu.au;988175914
04/25 15:18:38.69 [20425] 3+0: REQUEST = [http://203.28.124.13/] GET
/_derived/leadteac.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.69 [20425] 3+0: XHost: (0,0,1) 203.28.124.13 <=
tls.saas.nsw.edu.au
## SSLway[20428](nux.saas.nsw.edu.au) client's cert. =
**subject<</C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=Roger
Buck/Email=peecabdyi-y44oklg5zdjr.ml@ml.delegate.org>>
**issuer<</C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-AUTH/Email=webmaster@saas..au>>
04/25 15:18:38.74 [20427] 4+0: Proxy: host=nux.saas.nsw.edu.au;
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-14 i686); DIRECT
04/25 15:18:38.74 [20427] 4+0: HCKA:[0] Keep-Alive;
host=nux.saas.nsw.edu.au; (User-Agent: Mozilla/4.76 [en] (X11; U; Linux
2.2.17-14 i686))
04/25 15:18:38.74 [20427] 4+0: ***
/_derived/events.htm_cmp_n110_gbtn.gif =>
http://203.28.124.13/_derived/events.htm_cmp_n110_gbtn.gif ***
04/25 15:18:38.74 [20427] 4+0: REQUEST - GET
/_derived/events.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.74 [20427] 4+0: ***
/_derived/events.htm_cmp_n110_gbtn.gif =>
http://203.28.124.13/_derived/events.htm_cmp_n110_gbtn.gif ***
04/25 15:18:38.74 [20427] 4+0: REQUEST +M
http://203.28.124.13/_derived/events.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.74 [20427] 4+0: PATH>
http://203.28.124.13:80!gw.saas.nsw.edu.au:443!nux.saas.nsw.edu.au:4514!anonymous@nux.saas.nsw.edu.au;988175914
04/25 15:18:38.74 [20427] 4+0: REQUEST = [http://203.28.124.13/] GET
/_derived/events.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.74 [20427] 4+0: XHost: (0,0,1) 203.28.124.13 <=
tls.saas.nsw.edu.au
## SSLway[20424](nux.saas.nsw.edu.au) client's cert. =
**subject<</C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=Roger
Buck/Email=peecabdyi-y44oklg5zdjr.ml@ml.delegate.org>>
**issuer<</C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-AUTH/Email=webmaster@saas..au>>
04/25 15:18:38.78 [20423] 2+0: Proxy: host=nux.saas.nsw.edu.au;
User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.2.17-14 i686); DIRECT
04/25 15:18:38.78 [20423] 2+0: HCKA:[0] Keep-Alive;
host=nux.saas.nsw.edu.au; (User-Agent: Mozilla/4.76 [en] (X11; U; Linux
2.2.17-14 i686))
04/25 15:18:38.78 [20423] 2+0: ***
/_derived/deputy.htm_cmp_n110_gbtn.gif =>
http://203.28.124.13/_derived/deputy.htm_cmp_n110_gbtn.gif ***
04/25 15:18:38.78 [20423] 2+0: REQUEST - GET
/_derived/deputy.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.78 [20423] 2+0: ***
/_derived/deputy.htm_cmp_n110_gbtn.gif =>
http://203.28.124.13/_derived/deputy.htm_cmp_n110_gbtn.gif ***
04/25 15:18:38.78 [20423] 2+0: REQUEST +M
http://203.28.124.13/_derived/deputy.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.78 [20423] 2+0: PATH>
http://203.28.124.13:80!gw.saas.nsw.edu.au:443!nux.saas.nsw.edu.au:4512!anonymous@nux.saas.nsw.edu.au;988175914
04/25 15:18:38.78 [20423] 2+0: REQUEST = [http://203.28.124.13/] GET
/_derived/deputy.htm_cmp_n110_gbtn.gif HTTP/1.0^M
04/25 15:18:38.78 [20423] 2+0: XHost: (0,0,1) 203.28.124.13 <=
tls.saas.nsw.edu.au
## SSLway[20422](nux.saas.nsw.edu.au) client's cert. =
**subject<</C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=Roger
Buck/Email=peecabdyi-y44oklg5zdjr.ml@ml.delegate.org>>
**issuer<</C=AU/ST=NSW/L=Sydney/O=S.A.A.S./OU=ITDept/CN=SAAS-AUTH/Email=webmaster@saas..au>>

[--snip--]
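
Added example, not part of the original post: a small parser for the `## SSLway[pid](host) depth=N/-1 code:"message"` lines shown in the log above, grouping the chain verification results per sslway filter process so a failing CA lookup stands out from the successful handshakes. The sample input is constructed with placeholder names, and the layout of a failing line (a non-zero code followed by the quoted message) is an assumption based on the `0:"ok"` lines.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped layout of the log above (placeholder names).
# The failing line's format is assumed: non-zero code, then the quoted message.
SAMPLE = '''\
## SSLway[101](client.example.test) depth=2/-1 0:"ok"
/C=AU/O=Example/CN=EXAMPLE-ROOT
## SSLway[102](client.example.test) depth=1/-1 20:"unable to get local issuer certificate"
/C=AU/O=Example/CN=EXAMPLE-AUTH
## SSLway[101](client.example.test) depth=1/-1 0:"ok"
/C=AU/O=Example/CN=EXAMPLE-AUTH
## SSLway[101](client.example.test) depth=0/-1 0:"ok"
/C=AU/O=Example/CN=Test
User
04/25 15:18:38.69 [100] 3+0: REQUEST - GET /index.html HTTP/1.0
'''

HEADER = re.compile(r'^## SSLway\[(\d+)\]\(([^)]*)\) depth=(\d+)/-?\d+ (\d+):"([^"]*)"')
# Lines that start a new log record rather than continuing a wrapped subject DN.
NEW_RECORD = re.compile(r'^(## |\*\*|\d\d/\d\d \d\d:)')

def parse_verifications(text):
    """Return {pid: [entry, ...]} in log order, one entry per verified certificate."""
    chains = defaultdict(list)
    entry = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entry = {"depth": int(m[3]), "code": int(m[4]), "msg": m[5], "subject": ""}
            chains[int(m[1])].append(entry)
        elif entry is not None and line and not NEW_RECORD.match(line):
            # Wrapped continuation of the subject DN (the archive folds long lines).
            entry["subject"] = (entry["subject"] + " " + line.strip()).strip()
        else:
            entry = None
    return dict(chains)

def summarize(chains):
    """Per filter process: did the whole chain verify, and for which leaf subject?"""
    report = {}
    for pid, entries in chains.items():
        failures = [(e["depth"], e["msg"]) for e in entries if e["code"] != 0]
        leaf = next((e["subject"] for e in entries if e["depth"] == 0), None)
        report[pid] = {"verified": not failures and leaf is not None,
                       "leaf": leaf, "failures": failures}
    return report

if __name__ == "__main__":
    for pid, info in sorted(summarize(parse_verifications(SAMPLE)).items()):
        print(pid, info)
```

The number of keys in the result is the number of separate sslway processes that each completed their own client-certificate verification within the captured window.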
