[Sks-devel] pain of joining hkps -- reverse proxy config in apache issue

From: Nat Howard
Subject: [Sks-devel] pain of joining hkps -- reverse proxy config in apache issue with ""
Date: Fri, 8 Nov 2013 15:33:54 -0500

Okay, so I get my SSL certificate so I can (in theory) do hkps -- thanks Kristian! I do all the magic, so that things appear to work fine -- for example:

curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem ""

Gets me a reasonable return. I can do the appropriate thing with the GPG Key manager and retrieve keys, and I'm clearly talking SSL. I'm done, right?

Unfortunately, I made the mistake of asking Kristian if I was done now. And his answer was, "Make sure to set up the vhost for"
and he was kind enough to give me the exact command that should work:

 curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host:'   ""

Unfortunately, after several hours of trying "plausible" stuff with my apache (Server version: Apache/2.4.6 (FreeBSD) Server built:   Sep  1 2013 20:55:47) reverse-proxy setup, this still does not work.

Here's the response: 

$  curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host:'   ""
<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />

And in the httpd-error log, I see: 

[Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname provided via SNI and hostname provided via HTTP are different.

Here's a sample of the vhosts I've been creating (at the moment, there are three of these, with "ServerName" set to, and an internal name):

<VirtualHost *:443>
    SSLEngine On
    SSLStrictSNIVHostCheck off
    SSLProxyEngine On
#    ProxyRequests Off
    # Local (WiTopia) Server Cert info for all 443 hosts on this system
    # (prod00.keyserver.dca)
    SSLCertificateFile /usr/local/etc/apache24/publickey/actual_keys/
    SSLCertificateKeyFile /usr/local/etc/apache24/publickey/actual_keys/
#    SSLCertificateChainFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem
    SSLCACertificateFile /usr/local/etc/apache24/publickey/actual_keys/sks-keyservers.netCA.pem

#    CustomLog /dev/null common
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /
    ProxyPassReverse /
    # include the Via: to get on the right list.
    ProxyVia Full
    SetEnv proxy-nokeepalive 1
</VirtualHost>

Now, the interesting thing is, if I change the curl command just a little bit, so it uses the "-H" arg with "" instead of "", I get a "correct" response -- that is, my stats in HTML, and no messages in the log file. That is: this works:

  curl --cacert $HOME/.gnupg/sks-keyservers.netCA.pem -H'Host:'  ""

I've tried creating two VirtualHosts with ServerName set to in one and "" in the other. I've tried "ServerAlias". I've tried "ProxyPreserveHost On" and leaving it off. I feel reasonably sure that there's some simple "map '' to ''" directive, but I've yet to find it.

I'd love to let people try it, but as I say, I'd rather not leave the port open. Does anyone have any suggestions?

I noticed that some of you in the "hkps green zone" on the status page *also* don't have this working (I won't name names!). In fact, almost all of the ones I tried didn't have this working (Yes, I changed the https name as appropriate in the curl command). However congratulations to --

curl --cacert /Users/nrh/.gnupg/sks-keyservers.netCA.pem '-HHost:' ''

results in perfectly good information.   How'd you guys do it?
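The AH02032 line quoted in the post is the symptom to watch for: mod_ssl refuses a request when the name the client negotiated TLS for (SNI) differs from the name in the HTTP Host header, which is exactly what a test that connects to the server's own name while sending the pool name as Host does. The archive stripped the two hostnames from the quoted log line; in a live error log Apache prints both names in that sentence. Below is an added example (my own code, not part of the original message and not from the SKS or Apache projects) that reads Apache 2.4 error-log lines and summarises which Host names are arriving under which SNI names, so an operator can see at a glance which vhost (the one chosen by SNI) is receiving which Host header before touching the vhost configuration. The log lines and hostnames in SAMPLE_LOG are constructed placeholders, and the regex assumes the AH02032 message wording shown in the post with the two names filled in.

```python
import re
from collections import Counter

# Constructed sample from an Apache 2.4 error log. Hostnames are placeholders,
# not real keyservers; the AH02032 wording follows the line quoted in the post
# with the SNI and Host names that the archive stripped out put back in.
SAMPLE_LOG = """\
[Fri Nov 08 20:05:08.463086 2013] [ssl:error] [pid 6293] AH02032: Hostname keyserver.example.org provided via SNI and hostname hkps.pool.example.org provided via HTTP are different
[Fri Nov 08 20:05:09.101223 2013] [ssl:error] [pid 6293] AH02032: Hostname keyserver.example.org provided via SNI and hostname hkps.pool.example.org provided via HTTP are different
[Fri Nov 08 20:06:11.000000 2013] [core:notice] [pid 6290] AH00094: Command line: '/usr/local/sbin/httpd'
[Fri Nov 08 20:07:42.515000 2013] [ssl:error] [pid 6294] AH02032: Hostname KEYSERVER.example.org provided via SNI and hostname internal.example.org provided via HTTP are different
"""

# Matches the AH02032 message and captures both names. Hostnames cannot
# contain whitespace, so \S+ is sufficient for each capture.
AH02032_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid (?P<pid>\d+)\] AH02032: "
    r"Hostname (?P<sni>\S+) provided via SNI and hostname (?P<host>\S+) "
    r"provided via HTTP are different"
)


def parse_sni_mismatches(log_text):
    """Return one (sni, host) tuple per AH02032 line, names lowercased.

    Lowercasing matters because mod_ssl compares the two names
    case-insensitively, so KEYSERVER.example.org and keyserver.example.org
    are the same vhost as far as the check is concerned.
    """
    pairs = []
    for line in log_text.splitlines():
        m = AH02032_RE.search(line)
        if m:
            pairs.append((m.group("sni").lower(), m.group("host").lower()))
    return pairs


def summarize(pairs):
    """Count rejected requests per (SNI, Host) pair, most frequent first."""
    return Counter(pairs).most_common()


def hosts_seen_for_sni(pairs, sni):
    """All Host header names clients sent after negotiating TLS for `sni`."""
    return sorted({host for s, host in pairs if s == sni.lower()})


def report(log_text):
    """Human-readable summary of SNI/Host mismatches in `log_text`."""
    pairs = parse_sni_mismatches(log_text)
    lines = []
    for (sni, host), n in summarize(pairs):
        lines.append(f"{n:4d}  SNI={sni}  Host={host}")
    for sni in sorted({s for s, _ in pairs}):
        lines.append(f"vhost selected by SNI {sni} received Host names: "
                     + ", ".join(hosts_seen_for_sni(pairs, sni)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real log with `report(open("/var/log/httpd-error.log").read())`. Each line of the report is a (SNI, Host) pair that Apache rejected with 400, which is the pair the vhost configuration has to reconcile; a pair that keeps appearing after a configuration change is a quick way to confirm the change did not take effect.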
