Article delegate-en/4575 of [1-5169] on the server localhost:119
[Reference:<_A4574@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: how to implement SNI on https? detailed instruction please.
21 Sep 2009 05:31:38 GMT David Wang <p2eiqbdyi-re5dixw3ohtr.ml@ml.delegate.org>


Does 9.9.3 support it? And how can I re-compile it with openssl 0.9.8g? What
I did was download the ssl lib from
ftp://ftp.delegate.org/pub/DeleGate/bin/linux/sslway/dglibssl.so.gz,
uncompress it and replace /lib/libssl.so.0.9.7a, then re-compile from the
source by running ~delegate9.93/make. Is that correct?
When I run DeleGate as the server with the command pasted from yours, it
does not seem to come up. The logs:
/bin/delegated -P999 -fv SERVER=https STLS=fcl TLSCONF=-vd
09/21 15:13:09.84 [7954] 0+0: --- [crypto] 0 dglibcrypto.so
09/21 15:13:09.85 [7954] 0+0: --- [crypto] 0 libcrypto.so.0.9.8
09/21 15:13:09.85 [7954] 0+0: --- [/usr/lib/libcrypto.so]
09/21 15:13:09.85 [7954] 0+0: --- [crypto] 8D314A0 /usr/lib/libcrypto.so
09/21 15:13:09.85 [7954] 0+0: --- [crypto] optional: SSL_set_SSL_CTX
09/21 15:13:09.85 [7954] 0+0: --- [crypto] optional: SSL_get_servername
09/21 15:13:09.85 [7954] 0+0: --- [crypto] optional: SSL_get_servername_type
09/21 15:13:09.85 [7954] 0+0: --- [crypto] optional: SSL_CTX_callback_ctrl
09/21 15:13:09.85 [7954] 0+0: --- [crypto] optional: SSL_CTX_use_certificate_chain_file
09/21 15:13:09.85 [7954] 0+0: --- [crypto] optional: SSL_CTX_set_session_id_context
09/21 15:13:09.85 [7954] 0+0: --- [crypto] optional: SSL_CTX_set_generate_session_id
09/21 15:13:09.85 [7954] 0+0: ---- [crypto] loaded 102 syms, unknown=47+7, already=0
09/21 15:13:09.85 [7954] 0+0: --- [ssl] 0 dglibssl.so
09/21 15:13:09.85 [7954] 0+0: --- [ssl] 0 libssl.so.0.9.8
09/21 15:13:09.86 [7954] 0+0: --- [/usr/lib/libssl.so]
09/21 15:13:09.86 [7954] 0+0: --- [ssl] 8D32CB8 /usr/lib/libssl.so
09/21 15:13:09.86 [7954] 0+0: ---- [ssl] loaded 102 syms, unknown=0+0,
already=0
09/21 15:13:09.86 [7954] 0+0: +++ loaded OpenSSL 0.9.8g 19 Oct 2007
09/21 15:13:09.86 [7954] 0+0: ... testing resolver[SYS] with 'WWW.DeleGate.ORG'
09/21 15:13:09.86 [7954] 0+0: ... you can suppress this test by RES_WAIT=0
09/21 15:13:09.86 [7954] 0+0: ... gethostname(xx.xx.xx)
09/21 15:13:09.86 [7954] 0+0: configuring default RESOLV ...
09/21 15:13:09.86 [7954] 0+0: ... gethostname()='xx.xx.xx'
09/21 15:13:09.86 [7954] 0+0: ... SYS: xx.xx.xx -> 127.0.0.1
09/21 15:13:09.87 [7954] 0+0: ... DNS: 127.0.0.1 -> localhost
09/21 15:13:09.87 [7954] 0+0: ... DNS available
09/21 15:13:09.87 [7954] 0+0: ... NIS not available (no default domain)
09/21 15:13:09.87 [7954] 0+0: ... export RES_ORDER=CFD
09/21 15:13:09.87 [7954] 0+0: {R}
confid(detected)[9400be67aeb6c594fa43f818804974f0]<-[]
09/21 15:13:09.87 [7954] 0+0: export RESOLV=cache,file,dns (set by default)
SRCSIGN=
BLDSIGN=
09/21 15:13:09.87 [7954] 0+0: --INITIALIZATION START-09092115+1000: 9.9.3 on
Linux/2.6.9-22.EL--
09/21 15:13:09.87 [7954] 0+0: EXECDIR=/var/spool/delegate-nobody/etc/../bin
09/21 15:13:09.87 [7954] 0+0: BINSHELL=/bin/sh
09/21 15:13:09.87 [7954] 0+0: MAXIMA=delegated:12 for small mem=60M
09/21 15:13:09.87 [7954] 0+0: scan STLS and FILTERS before beDaemon()...
09/21 15:13:09.87 [7954] 0+0: STLS -> CMAP="sslway:FCL:starttls"
09/21 15:13:09.88 [7954] 0+0: --- [z] 0 dglibz.so
09/21 15:13:09.88 [7954] 0+0: --- [z] 0 libz.so.0.9.8
09/21 15:13:09.88 [7954] 0+0: --- [/usr/lib/libz.so]
09/21 15:13:09.88 [7954] 0+0: --- [z] 8D32450 /usr/lib/libz.so
09/21 15:13:09.88 [7954] 0+0: --- [z] optional: gziocallback
09/21 15:13:09.88 [7954] 0+0: ---- [z] loaded 17 syms, unknown=0+1,
already=0
09/21 15:13:09.88 [7954] 0+0: +++ loaded Zlib 1.2.1.2
09/21 15:13:09.88 [7954] 0+0: #### gzip/gunzip = dynamically linked
09/21 15:13:09.88 [7954] 0+0: ## SSLway CFI_TYPE=FCL: -ac is assumed
09/21 15:13:09.88 [7954] 0+0: ## SSLway start
09/21 15:13:09.88 [7954] 0+0: ## SSLway new ctx #2088594664 8D3F318
7954:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('server-cert.pem','r')
7954:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
7954:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:720:
09/21 15:13:09.89 [7954] 0+0: ## SSLway certfile not found or wrong: server-cert.pem [at /var/spool/delegate-nobody/etc]
09/21 15:13:09.89 [7954] 0+0: ## SSLway keyfile not found or wrong: server-key.pem [at /var/spool/delegate-nobody/etc]
09/21 15:13:09.89 [7954] 0+0: ## SSLway key does not match cert: server-key.pem server-cert.pem
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- Using Default Certificate
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- set saveCtx fd=-1
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.000012 start
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.000019 init done
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.000298 begin args
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.000300 end args
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.000759 end rand_seed
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.001052 start con/acc
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.001054 before ssl_new
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.005427 after ssl_new
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.005817 before loadContext
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.010892 after loadContext
09/21 15:13:09.89 [7954] 0+0: ## SSLway -- 0.010951 start relay ...
09/21 15:13:09.89 [7954] 0+0: ## SSLway initialized ctx #2088594664 0 0
09/21 15:13:09.90 [7954] 0+0: server_open(delegate,:999,listen=20)
09/21 15:13:09.90 [7954] 0+0: server_open(delegate,:999) BOUND
09/21 15:13:09.90 [7954] 0+0: DGROOT=/var/spool/delegate-nobody
09/21 15:13:09.90 [7954] 0+0: <DeleGate/9.9.3> [7954] -P999 READY
09/21 15:13:09.90 [7954] 0+0: HostID: No-HostId-Available
<DeleGate/9.9.3> [7954] -P999 READY
Config: Linux/2.6.9-22.EL; FileSize-Bits=32/64,32/32,32,32;
socket=87380/16384,++NAT; sockpair=110592/110592,1002++U; char=signed;
thread=PThread/pthread; stty=tcsetattr; fmem=4/60/321M
DGROOT=/var/spool/delegate-nobody
ADMIN=admin@xx..xx
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165, H18PRO-443
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2009 National Institute of Advanced Industrial Science
and Technology (AIST)
BLDSIGN=9.9.3:20090914112256+1000:6ba6075851b07162:admin@xx..xx:-
HostID: No-HostId-Available
Loaded: OpenSSL 0.9.8g 19 Oct 2007
Loaded: Zlib 1.2.1.2
09/21 15:13:09.91 [7954] 0+0: PORT= 999/9 (3,231)
09/21 15:13:09.91 [7954] 0+0: OWNER=nobody =>
OWNER=nobody/nobody(nobody/nobody)
09/21 15:13:09.91 [7954] 0+0: STLS -> CMAP="sslway:FCL:starttls"
09/21 15:13:09.91 [7954] 0+0: default netmask 127.0.0.1/. = FFFFFF00
09/21 15:13:09.91 [7954] 0+0: REMITTABLE =
http,https/{80,443},gopher,ftp,wais
09/21 15:13:09.91 [7954] 0+0: ADMIN=admin@xx.xx.xxprotocol=https(specialist)
09/21 15:13:09.92 [7954] 0+0: #### CACHE DISABLED #### Cache directory seems
not exist: /var/spool/delegate-nobody/cache
09/21 15:13:09.92 [7954] 0+0: MOUNT[0]X[2] /-/builtin/icons/* = default
09/21 15:13:09.92 [7954] 0+0: MOUNT[1]X[3] /-/* =
forbidden,from=!.RELIABLE,default
09/21 15:13:09.92 [7954] 0+0: MOUNT[2]X[0] /-* = default
09/21 15:13:09.92 [7954] 0+0: MOUNT[3]X[1] /=* = default
09/21 15:13:09.92 [7954] 0+0: MOUNT[4]=[4] /favicon.ico
builtin:icons/ysato/default.ico default,direction=fo,onerror=404,expires=15m
09/21 15:13:09.92 [7954] 0+0: Stay open PIDFILE for accept() lock[fd=13]
09/21 15:13:09.92 [7954] 0+0: StickyReport[14,15]127.0.0.127:65535><
127.0.0.127:65535 110592/110592 110592/110592
09/21 15:13:09.92 [7954] 0+0: env[25]
LIBPATH=.;/var/spool/delegate-nobody/etc;/var/spool/delegate-nobody/lib;/var/spool/delegate-nobody/etc/../bin;/var/spool/delegate-nobody/etc
09/21 15:13:09.92 [7954] 0+0: env[29] RESOLV=cache,file,dns
09/21 15:13:09.92 [7954] 0+0: arg[3] SERVER=https
09/21 15:13:09.92 [7954] 0+0: arg[4] STLS=fcl
09/21 15:13:09.92 [7954] 0+0: arg[5] TLSCONF=-vd
09/21 15:13:09.92 [7954] 0+0: DELEGATE_Modified[0]: 4ab709ea 1253509610
09/21 15:13:09.92 [7954] 0+0: --INITIALIZATION DONE-09092115+1000: 9.9.3 on
Linux/2.6.9-22.EL--
09/21 15:13:09.92 [7954] 0+0: logMMap: B7FEC000 1344
09/21 15:13:09.92 [7954] 0+0: LOG-Socketpair[20,21]

Kind regards
David
On Mon, Sep 21, 2009 at 2:57 PM, Yutaka Sato <feedback@delegate.org> wrote:

> In message <_A4573@delegate-en.ML_>
> on 09/21/09(09:27:52)
> you David Wang <p2eiqbdyi-re5dixw3ohtr.ml@ml.delegate.org> wrote:
>  |STLS=mitm is followed by your notes, after your explanation, yes, we
> should
>  |configure it to be STLS=fcl. Yes, I know the SNI should be supported by
>  |browser as well. we are using Firefox 3.0.13 to test it. I just tested it
>  |with STLS=fcl, the certificate is still using the delegate host's (
>  |portal.abc.com), rather than our customer's (portal.xyz.com) even i have
>  |moved both certificate and key files for each domain into that CERTDIR
>  |folder.
>
> The following is a simple way to test SNI with DeleGate.
>
> 1) run a DeleGate as an HTTPS/SSL server
>
>  % delegated -P9999 -fv SERVER=https STLS=fcl TLSCONF=-vd
>
> 2) access the server from an HTTPS/SSL client
>
>  open "https://localhost.localdomain:9999" by a browser or by DeleGate as:
>  % delegated FSV=sslway https://localhost.localdomain:9999
>
>  [the LOGFILE of DeleGate]
>  --
>  09/21 13:44:14.50 [6387] 1+1: ## SSLway CFI_TYPE=FCL: -ac is assumed
>  09/21 13:44:14.50 [6387] 1+1: ## SSLway CFI_SYNC send start [23]
>  09/21 13:44:14.50 [6387] 1+1: ## SSLway start
>  09/21 13:44:14.51 [6387] 1+1: ## SSLway reuse ctx #2088594664 C0A3B0
>  09/21 13:44:14.51 [6387] 1+1: ## SSLway 201FC00 loadSession 0.000133 (0 0)
> / -1
>  09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: recv
> localhost.localdomain
>  09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain
> NOT-FOUND
>  09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain
> NOT-FOUND: DONT-CARED
>  --
>  *** it says there is no cert. for the domain but ignored ***
>
> 3) put a certificate file for SNI into DGROOT/etc/certs
>
>   % cp xxx/yyy.pem etc/certs/sn.localhost.localdomain.pem
>   % ls -l etc/certs
>   -rw-r--r--   1 yutaka  yutaka  2278 Sep 21 13:35
> sn.localhost.localdomain.pem
>
> 4) access the server again
>
>  [the LOGFILE of DeleGate]
>  --
>  09/21 13:45:00.80 [6399] 1+1: ## SSLway CFI_TYPE=FCL: -ac is assumed
>  09/21 13:45:00.81 [6399] 1+1: ## SSLway CFI_SYNC send start [23]
>  09/21 13:45:00.81 [6399] 1+1: ## SSLway start
>  09/21 13:45:00.81 [6399] 1+1: ## SSLway reuse ctx #2088594664 C0A2B0
>  09/21 13:45:00.81 [6399] 1+1: ## SSLway 2021000 loadSession 0.000446 (0 0)
> / -1
>  09/21 13:45:00.81 [6399] 1+1: ## SSLway -- TLSxSNI: recv
> localhost.localdomain
>  09/21 13:45:00.83 [6399] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain
> [/xxx/delegate/etc/certs/sn.localhost.localdomain.pem]
>  09/21 13:45:00.84 [6399] 1+1: ## SSLway certchain loaded:
> /xxx/delegate/etc/certs/sn.localhost.localdomain.pem
>  09/21 13:45:00.84 [6399] 1+1: ## SSLway keyfile loaded:
> /xxx/delegate/etc/certs/sn.localhost.localdomain.pem
>  09/21 13:45:00.84 [6399] 1+1: ## SSLway TLSxSNI: localhost.localdomain
> /xxx/delegate/etc/certs/sn.localhost.localdomain.pem
>  --
>  *** it says the cert. for the domain is found and used ***
>
> Cheers,
> Yutaka
> --
>  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
>
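
The SNI test quoted above (run DeleGate with STLS=fcl and TLSCONF=-vd, connect with a server name, watch the "TLSxSNI" lines, put sn.<name>.pem into DGROOT/etc/certs) leaves two things to check by hand: what the SSLway log says it did with the name the client sent, and which certificate the client actually received, since the browser-side symptom reported in the thread (the delegate host's certificate instead of the customer's) does not say which of the two went wrong. The following is an added example, not code from this post or from DeleGate: the log-line shapes are taken from the two LOGFILE excerpts above, SAMPLE_LOG reproduces those excerpts, SAMPLE_CERT and the portal.xyz.com / portal.abc.com names are constructed for illustration, and probe() needs a reachable server, so it is defined but not part of the sample run.

```python
# Added example (not DeleGate code, not from the mailing-list post): checks
# around the SNI procedure quoted in the thread.
#  - parse_sslway_log(): reads "## SSLway ... TLSxSNI:" lines and reports, per
#    connection (DeleGate logs one PID per connection), the server name the
#    client sent and whether SSLway found a certificate file for it.
#  - expected_certfile(): the DGROOT/etc/certs/sn.<name>.pem path from step 3
#    of the quoted message, so its presence can be verified before testing.
#  - cert_matches_name(): judges a certificate the way a browser does (SAN
#    dNSName first, subject CN only as a fallback, one leftmost wildcard label).
#  - probe(): handshakes with a live server using a chosen SNI name and feeds
#    the presented certificate to cert_matches_name() (network; not run below).
import os
import re
import socket
import ssl
from typing import Dict, List, Optional

_LINE_RE = re.compile(
    r"^\S+ \S+ \[(?P<pid>\d+)\] \S+: ## SSLway (?:-- )?TLSxSNI: (?P<rest>.*)$"
)


def parse_sslway_log(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """One record per connection: pid, sni, certfile (None if none found), status."""
    conns: Dict[str, Dict[str, Optional[str]]] = {}
    order: List[str] = []
    for raw in lines:
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest").strip()
        if rest.startswith("recv "):            # the client's server_name arrived
            conns[pid] = {"pid": pid, "sni": rest[5:].strip(),
                          "certfile": None, "status": "pending"}
            order.append(pid)
            continue
        rec = conns.get(pid)
        if rec is None:
            continue
        name, _, tail = rest.partition(" ")
        if name != rec["sni"]:
            continue
        tail = tail.strip()
        if tail.startswith("NOT-FOUND"):        # no sn.<name>.pem: name is ignored
            rec["status"] = "no-sni-cert"
        elif tail:                              # "[path]" on lookup, bare path once loaded
            rec["certfile"] = tail.strip("[]")
            rec["status"] = "sni-cert"
    return [conns[p] for p in order]


def expected_certfile(dgroot: str, sni: str) -> str:
    """Where the quoted procedure puts the per-name certificate+key PEM."""
    return os.path.join(dgroot, "etc", "certs", f"sn.{sni}.pem")


def cert_names(cert: dict) -> List[str]:
    """DNS names a getpeercert()-style dict is valid for (SAN, else subject CN)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"][:1]


def cert_matches_name(cert: dict, hostname: str) -> bool:
    host = hostname.lower().rstrip(".")
    for pat in (p.lower() for p in cert_names(cert)):
        if pat == host:
            return True
        if pat.startswith("*.") and "*" not in pat[2:]:   # wildcard covers exactly one label
            suffix = pat[1:]
            head = host[: -len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:
                return True
    return False


def probe(host: str, port: int, sni: str, cafile: str, timeout: float = 5.0) -> dict:
    """Handshake with host:port sending server_name=sni. cafile is the PEM the
    server is expected to present for sni (or its issuer), so a verify failure
    means the server chose some other certificate, e.g. its default one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the name check is cert_matches_name() below
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as e:
        return {"sni": sni, "ok": False, "reason": e.verify_message}
    return {"sni": sni, "ok": cert_matches_name(cert, sni), "names": cert_names(cert)}


# Constructed sample input, shaped like the two LOGFILE excerpts in the thread.
SAMPLE_LOG = [
    "09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: recv localhost.localdomain",
    "09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain NOT-FOUND",
    "09/21 13:44:14.51 [6387] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain NOT-FOUND: DONT-CARED",
    "09/21 13:45:00.81 [6399] 1+1: ## SSLway -- TLSxSNI: recv localhost.localdomain",
    "09/21 13:45:00.83 [6399] 1+1: ## SSLway -- TLSxSNI: localhost.localdomain [/xxx/delegate/etc/certs/sn.localhost.localdomain.pem]",
    "09/21 13:45:00.84 [6399] 1+1: ## SSLway TLSxSNI: localhost.localdomain /xxx/delegate/etc/certs/sn.localhost.localdomain.pem",
]
# Constructed certificate in getpeercert() form; the names are the poster's
# example hostnames, the certificate itself is made up.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.xyz.com"),),),
    "subjectAltName": (("DNS", "portal.xyz.com"), ("DNS", "*.xyz.com")),
}

if __name__ == "__main__":
    for rec in parse_sslway_log(SAMPLE_LOG):
        print(rec)
    print(cert_matches_name(SAMPLE_CERT, "portal.xyz.com"),
          cert_matches_name(SAMPLE_CERT, "portal.abc.com"))
```

Read together with the startup log earlier in this post: SSLway reported "certfile not found or wrong: server-cert.pem" and "Using Default Certificate", so whenever a connection's TLSxSNI lookup ends in NOT-FOUND the client is handed that default certificate, which is exactly the symptom described. A "no-sni-cert" record therefore points at the file name or location (sn.<exact name the client sent>.pem under DGROOT/etc/certs), while a "sni-cert" record combined with a failing probe() points at the certificate contents (wrong SAN/CN, or key not matching cert).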

