[Reference:<_A3661@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Questions about SSLway
21 Mar 2007 08:29:50 GMT "Kwis Angelo" <phyhabdyi-e6yeroba2xtr.ml@ml.delegate.org>


Hi Yutaka,

I think I have found the right parameter to run Delegate with the right
client certificate.  But we had some problems when establishing a session
with the HTTPS site;

====================================================================

$/delegated -v -P$DELEDATE_LISTNER_PORT SERVER=http STLS="fsv,sslway -Vrfy
-CAfile pems/CA.crt -cert pems/ggs-delegate.crt -key
pems/ggs-delegate.key -pass pass:1234" MOUNT="/* $HTTPS_HOST_URL/*"
RES_WAIT=0 ADMINPASS=gemuser
DGROOT=/opt/delegate951

 $ 03/20 17:42:27.33 [22869] 7+0: -- Fork(SequentialServer): 22840 -> 22869
03/20 17:42:27.34 [22869] 7+1: (0) accepted [21] -@[192.168.11.116]OTA1:46004
(0.006s)(1)
03/20 17:42:27.34 [22869] 7+1: Proxy: host=OTA1; User-Agent: ; DIRECT
03/20 17:42:27.34 [22869] 7+1: HCKA:[0] close; host=OTA1; (User-Agent: )
03/20 17:42:27.34 [22869] 7+1: REQUEST - GET
/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555
HTTP/1.1^M
03/20 17:42:27.34 [22869] 7+1: ***
/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555
=>
https://winapi.wireless.co.id/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555***
03/20 17:42:27.34 [22869] 7+1: REQUEST +M
https://winapi.wireless.co.id/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555HTTP/1.1^M
03/20 17:42:27.34 [22869] 7+1: ***
/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555
=>
https://winapi.wireless.co.id/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555***
03/20 17:42:27.34 [22869] 7+1: PATH>
https://winapi.wireless.co.id:443!OTA1:8077!OTA1:46004!anonymous@OTA1;1174387347
03/20 17:42:27.34 [22869] 7+1: REQUEST = [https://winapi.wireless.co.id:443/]
GET
/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555
HTTP/1.1^M
03/20 17:42:27.34 [22869] 7+1: XHost: (0,0,1) winapi.wireless.co.id <=
192.168.11.116:8077
03/20 17:42:27.34 [22869] 7+1: ConnectToServer connected [14] {
192.168.11.110:443 <- 192.168.11.116:46063} [0.000s]
03/20 17:42:27.34 [22869] 7+1: willSTLS_SV: ServerFlags=30
03/20 17:42:27.34 [22869] 7+1: HTTP => (winapi.wireless.co.id:443) GET
/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555
HTTP/1.1^M
03/20 17:42:27.34 [22869] 7+1: ERROR: not end with CRLF: <!DOCTYPE HTML
PUBLIC "-//IETF//DTD HTML 2.0//EN">
03/20 17:42:27.34 [22869] 7+1: ## badServer! RESP: BQ=0+0 51: <!DOCTYPE HTML
PUBLIC "-//IETF//DTD HTML 2.0//EN">
03/20 17:42:27.34 [22869] 7+1: #HT11 close svsokcs[15,19]
03/20 17:42:27.34 [22869] 7+1: ## badServer: Server[RESP/0ms][<!DOCTYPE HTML
PUBLIC "-//IETF//DTD HTML 2.0//EN">]
Request[0+0][GET/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555
HTTP/1.1^M
Host: 192.168.11.116:8077^M
Connection: close^M
HTTP_X_X509_SUBJECT: 628811012100^M
^M
]
03/20 17:42:27.34 [22869] 7+1/1: disconnected [21] -@[192.168.11.116]OTA1:46004
(0.015s)(0)
OTA1 - - [20/Mar/2007:17:42:27 +0700] "GET
https://winapi.wireless.co.id/WinFacadeWeb/SmsServicesServlet?SMS%5fserviceName=get%5ftransactions&SMS%5fsourceMsisdn=628811012100&SMS%5fpin=5555HTTP/1.1"
502 0 0*
0.000+0.000:B:0-
03/20 17:42:27.35 [22869] 7+1: StickyServer done
[nonStickyProtocol(http:https:https)] 1 req / 1 conn / 0 sec

====================================================================


Then the HTTPS site vendor told us that the problem above was due to some
errors with our SSL session, so we did the following to verify...

=====================================================================

$/usr/local/ssl/bin/openssl s_client -connect winapi.wireless.co.id:443 -CAfile
CA.crt -cert ggs-delegate.crt -key ggs-delegate.key -state
Enter pass phrase for ggs-delegate.key:
CONNECTED(00000004)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=1 /C=IL/ST=Shefayim/L=Shefayim/O=Trivnet
Ltd./OU=CS/CN=TrivnetCA/emailAddress=support@trivnet..
verify return:1
depth=0 /C=ID/ST=Jakarta/L=Jakarta/O=PrimaCell
Ltd./OU=Billing/CN=winapi.wireless.co.id/emailAddress=support@wireless..id
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
23751:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
failure:s23_lib.c:188:

=====================================================================

But when we force openSSL to use SSLV2, it works fine!  We are using a
Solaris9 OS.
We are quite puzzled because using SSLV3 on a Solaris10 works well...so now
it seems that the problem is isolated to Solaris9...

At this point, we are forced to use the Solaris9 machine to install
Delegate.  Now my question is...is there a way to force Delegate to use
SSLV2 ?

If you have experienced SSLV3 errors on Solaris9, it would really be a
big help if you can share some insights on it too.....

Thanks,
Chris



On 3/18/07, Kwis Angelo <phyhabdyi-e6yeroba2xtr.ml@ml.delegate.org> wrote:
>
> Hi Yutaka,
>
> Thanks for your response.
>
> I have another question to ask you.  The SSL site for which we want to
> establish a session with, wanted to do a client authentication.  How do we
> generate a client certificate for Delegate?  And how do we instruct Delegate
> to send this certificate to the SSL server during authentication?
>
> Thanks again!
> Chris
>
>
> On 3/10/07, Yutaka Sato <feedback@delegate.org> wrote:
> >
> > Hi,
> >
> > In message <_A3646@delegate-en.ML_>
> > on 03/09/07(18:40:30)
> > you "Kwis Angelo" < kwis.angelo@gmail.com> wrote:
> > |I just downloaded Delegate 9.5.1 source and compiled it on Suse Linux
> > 8.
> > |
> > |I then ran Delegate with the following command:
> > |
> > |./delegated -v -P8081 SERVER=http FSV=sslway MOUNT="/* https://host/*"
> > |
> > |The process started properly and after some tests, I can confirm that
> > |protocol conversion between HTTP and HTTPS is actually being performed
> > fine
> > |:-)
> > |
> > |I have however some questions:
> > |
> > |1.) From the SSL-related article "http://www.delegate.org/delegate/ssl/",
> > it
> > |says there that to use sslway, one must do a  "make -f Makefile.gosslway"
> > |at filters/ directory, and then put the sslway executable in
> > "DGROOT/lib".
> > |I didn't actually do this -- I straight out ran Delegate with the
> > command I
> > |stated above.  I thought that not having sslway would somehow cause SSL
> > not
> > |to work.  But it did work fine.  Can you please clarify?
> >
> > As written in the top of page, the document is obsoleted and you should
> > read
> > <URL:http://www.delegate.org/delegate/tls/ >
> > DeleGate after 9.0.1 does not need sslway as an external command but it
> > uses the
> > built-in version by default, and has a default certificate built into it
> > too.
> >
> > |2.) How do I instruct Delegate not to establish sessions with HTTPS
> > sites
> > |not having a trusted Root CA?
> >
> > For example, put the CA's certificate at DGROOT/etc/pems/cacert.pem and
> > use
> > it for verification as follows:
> >
> >   FSV="sslway -Vrfy -CAfile pems/cacert.pem"
> >
> > Cheers,
> > Yutaka
> > --
> >   9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
> > ( ~ )  National Institute of Advanced Industrial Science and Technology
> > _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> > Do the more with the less -- B. Fuller
> >
>
>
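The openssl s_client -state trace quoted in Chris's message fails only after the client has already sent its certificate and its Finished message. The Python below is an added example, not code from this thread or from DeleGate: it parses such a trace (a constructed, abridged copy of the one above is embedded so it runs offline) and reports whether the server chain verified against the CAfile, whether a client certificate was requested and sent, and in which state the handshake died, which narrows the problem to one side before anything else is changed.

```python
import re

# Constructed sample for an offline run: the s_client -state trace from the post, abridged.
SAMPLE_TRACE = """\
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 /C=ID/O=PrimaCell Ltd./CN=winapi.wireless.co.id
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:failed in SSLv3 read finished A
"""

STATE_RE = re.compile(r"^SSL_connect:(failed in )?SSLv[\d/v]+ (.+) A$")  # one handshake state per line
VERIFY_RE = re.compile(r"^verify return:(\d+)$")                         # 1 = chain element verified

def analyze_trace(text):
    steps, failed_at, verify_ok = [], None, True
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            if m.group(1):
                failed_at = m.group(2)      # state s_client was in when the handshake died
            else:
                steps.append(m.group(2))    # states completed, in order
            continue
        m = VERIFY_RE.match(line)
        if m and m.group(1) != "1":
            verify_ok = False               # our -CAfile did not verify the server chain
    cert_requested = "read server certificate request" in steps
    cert_sent = "write client certificate" in steps
    why = "handshake failed at '%s'" % failed_at
    if failed_at is None:
        why = "handshake completed"
    elif not verify_ok:
        why = "client rejected the server chain: check -CAfile"
    elif failed_at == "read finished" and cert_sent:
        why = "client sent its certificate and Finished; server aborted before its own Finished, so the reason is on the server side"
    elif cert_requested and not cert_sent:
        why = "server requested a client certificate but none was sent: check -cert/-key"
    return {"verify_ok": verify_ok, "cert_requested": cert_requested, "cert_sent": cert_sent, "failed_at": failed_at, "diagnosis": why}
```

Feed it the full trace on stdin or from a file; the same state names appear in any OpenSSL version that still prints the SSLv3-style state machine.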

