Article delegate-en/4987 of [1-5169] on the server localhost:119

Newsgroups: mail-lists.delegate-en

[DeleGate-En] Delegate as gateway for HTTP to HTTPS with Client Certificate
12 Jul 2011 11:33:57 GMT Kadanik Jiri <ppmjqbdyi-6rjyzcjw423r.ml@ml.delegate.org>


Hi,

I am trying to set up Delegate as a gateway for HTTP clients to be able to access an HTTPS server with content accessible only with a client certificate. I have an HTTPS server with client certs working (tested with curl), and now I am trying to set up Delegate to listen on port 8888 and change HTTP requests on this port to HTTPS with a client certificate. So I run Delegate with this command:
./delegated -v -P8888 RES_WAIT=0 DGROOT="/opt/delegate/delegate9.9.7" SERVER=http CACHE=do MOUNT="/* https://10.50.27.54/*" STLS="fsv,sslway -cert /etc/httpd/CA/client/client.pem -pass password -CAfile /etc/httpd/CA/CAcert.pem"

When I run Delegate with this command, I can get the SSL webpage with curl:
# curl -vvv http://10.50.27.54:8888

But I can't access the directory which is accessible only with a client cert:
# curl -vvv http://10.50.27.54:8888/withcert
*   Trying 10.50.27.54... connected
* Connected to 10.50.27.54 port 8888
> GET /withcert HTTP/1.1
> User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> Accept: */*
>
* Empty reply from server
* Connection #0 to host "hostname" left intact
curl: (52) Empty reply from server
* Closing connection #0

And here is the log from Delegate:
07/12 12:15:47.27 [21872] 1+0: -- Fork(SequentialServer): 21866 -> 21872
07/12 13:15:47.28 [21872] 1+1: (0) accepted [43] -@[10.50.27.54]"hostname":17336 (0.009s)(1)
07/12 13:15:47.28 [21872] 1+1: Proxy: host="hostname"; User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5; DIRECT
07/12 13:15:47.28 [21872] 1+1: REQUEST - GET /withcert HTTP/1.1^M
07/12 13:15:47.28 [21872] 1+1: *** /withcert => https://10.50.27.54/withcert ***
07/12 13:15:47.28 [21872] 1+1: REQUEST +M https://10.50.27.54/withcert HTTP/1.1^M
07/12 13:15:47.28 [21872] 1+1: *** /withcert => https://10.50.27.54/withcert ***
07/12 13:15:47.28 [21872] 1+1: PATH> https://10.50.27.54:443!"hostname":8888!"hostname":17336!anonymous@"hostname";1310469347
07/12 13:15:47.28 [21872] 1+1: REQUEST = [https://10.50.27.54:443/] GET /withcert HTTP/1.1^M
07/12 13:15:47.28 [21872] 1+1: CACHE hostname: 10.50.27.54 -> "hostname"
07/12 13:15:47.28 [21872] 1+1: [0.00,-1][HTTP cache-NONE] /home/user/delegate/cache/https/"hostname"/withcert
07/12 13:15:47.28 [21872] 1+1: [0.00,-1][HTTP cache-NONE] /home/user/delegate/cache/https/"hostname"/withcert
07/12 13:15:47.28 [21872] 1+1: XHost: (0,0,1) 10.50.27.54 <= "hostname":8888
07/12 13:15:47.28 [21872] 1+1: ConnectToServer connected [21] {10.50.27.54:443 <- 10.50.27.54:13778} [0.000s]
07/12 13:15:47.28 [21872] 1+1: --FSVX R[https:10.50.27.54] D[https:10.50.27.54] <= [starttls/https]
07/12 12:15:47.28 [21872] 1+1: --MOUNT=1[] ["hostname"][10.50.27.54][10.50.27.54] => [10.50.27.54]
07/12 12:15:47.28 [21872] 1+1: ## SSLway Usage: -pass { file:path | pass:string }
07/12 12:15:47.31 [21872] 1+1: ## SSLway ## 0.025770 connected/accepted
07/12 12:15:47.31 [21872] 1+1: ## SSLway server's cert. = **subject<</C=CZ/ST=Prague/O=Org/CN="hostname">> **issuer<</C=CZ/ST=Prague/L=Prague/O=Org/CN=orgCA>>
07/12 13:15:47.31 [21872] 1+1: --pushPFilter (starttls/starttls) tid=DB90 [21][22] 30 BF9FE624
07/12 13:15:47.31 [21872] 1+1: willSTLS_SV[https]: ServerFlags=330 BF9FE624
07/12 13:15:47.31 [21872] 1+1: HTTP => (10.50.27.54:443) GET /withcert HTTP/1.1^M
07/12 12:15:47.33 [21872] 1+1: ## SSLway FSV S-C:0/0 C-S:190/1 SC-EOS
07/12 13:15:47.33 [21872] 1+1: HTTP relay_response: EOF at start (1 0 0.02)
07/12 13:15:47.33 [21872] 1+1: rcode=-10001 unlink /home/user/delegate/cache/https/"hostname"/withcert#LOADING (0)
07/12 13:15:47.33 [21872] 1+1: #HT11 EOF from the client (2)
07/12 13:15:47.33 [21872] 1+1: #HT11 close svsokcs[22,23]
07/12 13:15:47.33 [21872] 1+1: unlink empty cache: /home/user/delegate/cache/https/"hostname"/withcert#LOADING
07/12 13:15:47.33 [21872] 1+1: CACHE hostname: 10.50.27.54 -> "hostname"
07/12 13:15:47.33 [21872] 1+1/1: HCKA:[1] closed -- ?
07/12 13:15:47.33 [21872] 1+1/1: WaitShutdown 1/0 xpid=-1 errno=10/10 0 8 0 0.000
07/12 13:15:47.33 [21872] 1+1/1: disconnected [43] -@[10.50.27.54]"hostname":17336 (0.068s)(0)
"hostname" - - [12/Jul/2011:13:15:47 +0100] "GET https://10.50.27.54/withcert HTTP/1.1" 500 0 0*0.000+0.000:P:0?
07/12 13:15:47.33 [21872] 1+1: StickyServer done [nonStickyProtocol(http:https:https)] 1 req / 1+0/1 conn / 0 sec
07/12 13:15:47.34 [21872] 1+1: #Sig/CSC finish 364 325 P2 R0 E0 {2 r0 t0} 0/0/1


And in the Apache SSL log, the place where the client cert info should be is empty:
[12/Jul/2011:13:15:47 +0200] 10.50.27.54 TLSv1 - - "GET /withcert HTTP/1.1" -
And the Apache SSL log for a request to a place where the certificate is not required:
[12/Jul/2011:13:09:26 +0200] 10.50.27.54 TLSv1 DHE-RSA-AES256-SHA - "GET / HTTP/1.1" 29

And ssl_error_log:
Request to a place not requiring a client cert:
[Tue Jul 12 13:09:20 2011] [error] Re-negotiation handshake failed: Not accepted by client!?
And the dir requiring a client cert:
[Tue Jul 12 13:15:47 2011] [error] Re-negotiation handshake failed: Not accepted by client!?

Can I ask you for some idea of where the problem could be, or whether I am missing some parameters, etc.?
Thanks for your time.

Regards

Jiri
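Added example, not part of the post above and not DeleGate's or Apache's own code: a small Python triage script that checks the three things the posted logs expose. It parses the sslway options out of the STLS value and compares the -pass value against the two forms that the log's own usage line lists (file:path or pass:string), flags the usage line and the zero-byte server reply in the DeleGate log, and parses the Apache mod_ssl request log for a request that received neither a client DN nor a body. The log lines are constructed samples modelled on the post; the Apache log layout ([time] client protocol cipher client_dn "request" bytes) is an assumption, as is reading S-C:0/0 as zero server-to-client bytes, and whether rewriting -pass as pass:password alone resolves the poster's failure is not confirmed by the thread.

```python
import re

# --- Constructed sample inputs, modelled on the post (not real captures) ---

# The STLS value from the posted delegated command line.
STLS_VALUE = ("fsv,sslway -cert /etc/httpd/CA/client/client.pem "
              "-pass password -CAfile /etc/httpd/CA/CAcert.pem")

# Trimmed excerpt of the DeleGate log, sslway lines only.
DELEGATE_LOG = """\
07/12 12:15:47.28 [21872] 1+1: --FSVX R[https:10.50.27.54] D[https:10.50.27.54] <= [starttls/https]
07/12 12:15:47.28 [21872] 1+1: ## SSLway Usage: -pass { file:path | pass:string }
07/12 12:15:47.31 [21872] 1+1: ## SSLway ## 0.025770 connected/accepted
07/12 12:15:47.33 [21872] 1+1: ## SSLway FSV S-C:0/0 C-S:190/1 SC-EOS
07/12 13:15:47.33 [21872] 1+1: HTTP relay_response: EOF at start (1 0 0.02)
"""

# mod_ssl request log; assumed CustomLog layout:
#   [time] client protocol cipher client_dn "request" bytes
APACHE_SSL_LOG = """\
[12/Jul/2011:13:09:26 +0200] 10.50.27.54 TLSv1 DHE-RSA-AES256-SHA - "GET / HTTP/1.1" 29
[12/Jul/2011:13:15:47 +0200] 10.50.27.54 TLSv1 - - "GET /withcert HTTP/1.1" -
"""

APACHE_SSL_ERROR_LOG = """\
[Tue Jul 12 13:15:47 2011] [error] Re-negotiation handshake failed: Not accepted by client!?
"""

# The two -pass forms that sslway's usage line in the log lists.
PASS_FORM = re.compile(r"^(file|pass):.+")

APACHE_LINE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'(?P<client_dn>\S+) "(?P<request>[^"]*)" (?P<bytes>\S+)$')


def sslway_options(stls):
    """Return {option: value} for the 'sslway ...' part of an STLS value."""
    if "sslway" not in stls:
        return {}
    words = stls.split("sslway", 1)[1].split()
    opts = {}
    i = 0
    while i < len(words):
        if words[i].startswith("-") and i + 1 < len(words):
            opts[words[i].lstrip("-")] = words[i + 1]
            i += 2
        else:
            i += 1
    return opts


def check_pass_option(opts):
    """None if -pass is file:path or pass:string, else a suggested rewrite."""
    value = opts.get("pass")
    if value is None or PASS_FORM.match(value):
        return None
    # Assumption: a bare value was meant as a literal passphrase, not a file.
    return "pass:" + value


def parse_apache_ssl(text):
    """Parse the assumed mod_ssl request-log layout into dicts; skip other lines."""
    rows = []
    for line in text.splitlines():
        m = APACHE_LINE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def triage(stls, delegate_log, apache_log, apache_error_log):
    """Collect findings as short strings: config first, then DeleGate, then Apache."""
    findings = []
    fix = check_pass_option(sslway_options(stls))
    if fix:
        findings.append("STLS: -pass value is neither file:path nor pass:string; "
                        "try -pass " + fix)
    if "## SSLway Usage:" in delegate_log:
        findings.append("DeleGate: sslway printed its usage line, so it rejected an argument")
    # Assumption: S-C is the server-to-client byte count; 0 before EOS means no reply.
    if "S-C:0/0" in delegate_log and "SC-EOS" in delegate_log:
        findings.append("DeleGate: zero server-to-client bytes before EOS (matches curl's empty reply)")
    for row in parse_apache_ssl(apache_log):
        if row["client_dn"] == "-" and row["bytes"] == "-":
            findings.append("Apache: %s served with no client DN and no body" % row["request"])
    if "Re-negotiation handshake failed" in apache_error_log:
        findings.append("Apache: the per-directory cert request triggered a renegotiation "
                        "the client side did not complete")
    return findings


if __name__ == "__main__":
    for finding in triage(STLS_VALUE, DELEGATE_LOG, APACHE_SSL_LOG, APACHE_SSL_ERROR_LOG):
        print("-", finding)
```

Run it as a script to print the findings in order; to reuse it, read real log files into the three string arguments in place of the constructed samples.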

