Hi Krist, thanks for your assistance.

I exported the keystore file on remoteserver:

  keytool -export -alias tomcat -rfc > tomcat.pem

I then ftp'ed tomcat.pem to the proxy server (apache) to run c_rehash as root on the ssl/ directory. A link was created:

  cc5d41ae.0 -> tomcat.pem

When doing

  openssl s_client -CApath /path/to/ca/certificates -connect remoteserver:8443

the CN displays the remoteserver:

CONNECTED(00000004)
…
---
Certificate chain
…
---
Server certificate
-----BEGIN CERTIFICATE-----
..
---
No client certificate CA names sent
---
SSL handshake has read 1136 bytes and written 282 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 480357285859DB7A420754C6062AE334E398F8C90064E0B8E39F6C7F21753DB4
    Session-ID-ctx:
    Master-Key: BDD6FAE6136A55CE4AA4F5050ED22E318131264E2857E37D917CEF28C51094280768177BE7EC9C1044109670B44CCE61
    Key-Arg   : None
    Start Time: 1208178472
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

But when I GET the page, nothing is returned.

Any idea?

thanks

--- On Mon, 14/4/08, Krist van Besien <krist.vanbesien@xxxxxxxxx> wrote:

> From: Krist van Besien <krist.vanbesien@xxxxxxxxx>
> Subject: Re: url proxying
> To: users@xxxxxxxxxxxxxxxx, melanie_pfefer@xxxxxxxxxxx
> Date: Monday, 14 April, 2008, 1:47 PM
>
> On Sun, Apr 13, 2008 at 11:32 PM, Melanie Pfefer
> <melanie_pfefer@xxxxxxxxxxx> wrote:
> > hi Krist, all,
> >
> > To use c_rehash, I must have .pem and .crt files. Correct me if I am wrong please. The remote server has a self-signed certificate that was generated using keytool (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) so the file generated is .keytool. Should I generate .pem and .crt files to run c_rehash? If so, how?
>
> You can export your certificate using keytool, like this:
>
> keytool -export -alias tomcat -rfc > tomcat.pem
>
> The "-rfc" option is important, as this exports a PEM certificate. If your keystore is in a different location you need to add the -keystore <keystorefile> option. If your tomcat server uses a certificate with a different alias, modify the -alias parameter.
>
> For proxying via apache to work it is important that the certificate passes all the tests. Normally when you connect your browser to a https server with a self signed certificate, or when something else is wrong, a dialog will pop up telling you what is wrong and giving you the option to go ahead and connect anyway. You must understand that since apache will connect to the https server in a non-interactive way, there is no-one to confirm to apache that it is ok to proceed. Therefore the certificate must pass all the tests.
> 1) The common name of the certificate must be identical to the name used in the URL.
> 2) The certificate must still be valid.
> 3) The signature must verify as OK.
>
> 1 & 2 you take care of when you generate the certificate. 3) you take care of on the apache side, by putting the self signed cert in the cacerts dir.
>
> > On another front, I understand from you that I can have apache as a proxy server that talks SSL with the backend and non-ssl with the end user (in URL, the user puts http not https even if the backend server is accessed via https). Correct me if I am wrong please.
>
> You can indeed do this. I have one server that does exactly this.
>
> Krist
>
> --
> krist.vanbesien@xxxxxxxxx
> krist@xxxxxxxxxxxxx
> Bremgarten b. Bern, Switzerland
> --
> A: It reverses the normal flow of conversation.
> Q: What's wrong with top-posting?
> A: Top-posting.
> Q: What's the biggest scourge on plain text email discussions?
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
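The three checks Krist lists (the CN equals the hostname in the URL, the certificate is still valid, and the signature verifies against the cacerts directory) can be rehearsed on the proxy host before any ProxyPass is involved. The script below is an added example, not code from this thread or from the Apache project: it constructs a throwaway self-signed certificate with openssl (standing in for the tomcat.pem exported with `keytool -export -rfc`), reproduces what c_rehash does for a single file by linking it under its subject hash, and then runs the same directory-based verification against it. The hostname `remoteserver`, the 365-day validity and the temporary directory are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): rehearse the CN / validity / signature
# checks against a constructed self-signed certificate, the way mod_ssl's
# proxy side would see them. Requires the openssl command-line tool.
set -e

# Constructed stand-in for the tomcat.pem exported with keytool:
# a self-signed certificate whose CN is the backend hostname.
make_selfsigned() {          # $1 = output .pem, $2 = CN, $3 = validity in days
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -days "$3" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# What c_rehash does for one file already sitting in the CA dir: create a
# symlink named <subject-hash>.0 pointing at it (like cc5d41ae.0 -> tomcat.pem).
# Real c_rehash also numbers collisions (.1, .2, ...); this is the one-cert case.
rehash_one() {               # $1 = CA dir, $2 = certificate .pem inside $1 ; prints link name
    hash=$(openssl x509 -noout -hash -in "$2")
    ln -sf "$(basename "$2")" "$1/$hash.0"
    echo "$hash.0"
}

# Check 3: the signature verifies against the CA directory.
# The ": OK" text is matched rather than the exit status, because very old
# openssl releases exited 0 even when verification failed.
verify_against_dir() {       # $1 = CA dir, $2 = certificate .pem ; prints OK or FAIL
    out=$(openssl verify -CApath "$1" "$2" 2>/dev/null) || true
    case "$out" in
        *": OK"*) echo OK ;;
        *)        echo FAIL ;;
    esac
}

# Check 1: the CN must be identical to the hostname used in the proxied URL.
cn_of() {                    # $1 = certificate .pem ; prints the CN
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

cn_matches() {               # $1 = certificate .pem, $2 = hostname ; prints yes or no
    if [ "$(cn_of "$1")" = "$2" ]; then echo yes; else echo no; fi
}

# Check 2: the certificate has not expired (-checkend 0 tests notAfter against now).
still_valid() {              # $1 = certificate .pem ; prints yes or no
    if openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone walk-through: build the cert, show the checks before and after rehash.
if [ "${0##*/}" = "rehearse_checks.sh" ]; then
    dir=$(mktemp -d)
    make_selfsigned "$dir/tomcat.pem" remoteserver 365
    echo "CN matches remoteserver: $(cn_matches "$dir/tomcat.pem" remoteserver)"
    echo "still valid:             $(still_valid "$dir/tomcat.pem")"
    echo "verify before rehash:    $(verify_against_dir "$dir" "$dir/tomcat.pem")"
    link=$(rehash_one "$dir" "$dir/tomcat.pem")
    echo "created link:            $link"
    echo "verify after rehash:     $(verify_against_dir "$dir" "$dir/tomcat.pem")"
    rm -rf "$dir"
fi
```

`openssl s_client -CApath …` exercises the same directory, so a `Verify return code: 0 (ok)` there confirms check 3 for the path you passed on the command line; mod_ssl's proxy side reads the directory named by its own `SSLProxyCACertificatePath` (with `SSLProxyEngine on`), which is the setting to compare against when the handshake succeeds from the shell but the proxied request returns nothing. Those two directive names are known Apache directives, not something stated in this thread.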