pound how to implement Openssl SNI

[philippe_]

Hello;

This is my first post on this forum;

I have read at pound official website on their 'update June 2010' that pound is able to proceed to openssl SNI (Server Name Indication) which makes it possible to build a https reverse proxy.

Furthermore, in the pound mailing-list (in which I have been totally unable to register :O) I have read that someone accomplished this success SNI with pound. I am on Linux and my browser is sni capable as reported by this check.

However, it seems that only the last certificate specified in pound configuration file is taken in account. In fact, I have exactly the same problem as reported here: The first certificate is shown to the client, if it is related to the domain name, this is fine, else, no more certificate is tried and a warning is shown on the client browser.

My configuration is like this:

Code:

ListenHTTPS
  Address 172.23.1.2
  Port  443
  Cert "/etc/pound/ssl/wiki.pem"
  Cert "/etc/pound/ssl/frontend.pem"

  Service
      HeadRequire "Host: .*wiki.mydomain.net.*"
      BackEnd
          Address 192.168.0.110
          Port 8080 
      End
  End
  Service
      HeadRequire "Host: .*mydomain.net.*"
      Backend
          Address 192.168.0.103
          Port 8080
      End
  End
End

Does anyone knows how to force each certificate to be checked until a appropriate one is getting found?

Thanks a lot for your answer and help!

[pi3g]

Yes, pound supports SNI - I'm using such a setup myself.

BUT - it only supports SNI starting with version 2.6. Your problem may be related to you using an older version.

Check what version you are using. I think it can be done with

pound -V

I've compiled a package for Debian - it may be of some use for you:

http://blog.ideaday.de/max/2012/12/p...-for-debian-6/


Good luck :-)