CSCG / shellinabox

Automatically exported from code.google.com/p/shellinabox

Is it possible to get it to send a certificate authority chain? #4

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Start with certificate which requires intermediate certs.
2. Open with browser that doesn't have those certs.
3. Browser fails.  I tried concatenating them in the pem...

What is the expected output? What do you see instead?

Browser should be able to access the chain to the one it trusts.

What version of the product are you using? On what operating system?

SVN tip, ubuntu 8.10

Please provide any additional information below.

In, i.e., apache, I can use, i.e., SSLCertificateChainFile...

Original issue reported on code.google.com by TomOeh...@gmail.com on 17 Mar 2009 at 3:07

GoogleCodeExporter commented 9 years ago
I'm going to try having apache do the SSL and either do the cgi-bin thing or more likely try to do a mod-proxy proxy-pass thing, if apache can take it in as an SSL request and then proxy forward a regular HTTP request, that would be perfect, since apache is on the machine, and already handles the CA certificate chain stuff that shellinabox doesn't seem (to my limited experience) to do, and since the cgi-bin setuid root way is scary. Since I don't really have any other https needs I was just making the router forward 443 to 4200 (when I tried to launch with 443, I got an error- does it try to bind to the port after it drops root privileges? That might be a different issue...)... If I have time I'll look at how the certificate chain stuff works and try to help. BTW, great job, I used to use the java one, my job recently got uptight about me running SSH over 443 out their firewall, and this is the perfect thing at the perfect time.

Original comment by TomOeh...@gmail.com on 18 Mar 2009 at 12:38

GoogleCodeExporter commented 9 years ago
Proxy'ing through Apache should work, although I haven't tried it myself. And there might be performance issues, depending on how smart Apache is about keeping connections open. Please report back on what you discover.

I know what needs to be done for chained certificates. It's not incredibly complicated, but it needs maybe an hour or two of work and testing. Testing is going to be a little tricky, as I don't have any chained certificates available right now. I'll probably send you a version to play with, once I have the code ready. But it could be a couple of days before I get to doing that.

Yes, I know that you cannot bind to privileged ports. I think, it's easy to fix. It just hadn't come up as a particularly important issue. If it bothers you, feel free to open a new issue and I'll eventually submit a fix.

Original comment by zod...@gmail.com on 18 Mar 2009 at 4:02

GoogleCodeExporter commented 9 years ago
I'll create a chain of certs for you if need be, when I get to it.

Original comment by TomOeh...@gmail.com on 18 Mar 2009 at 8:09

GoogleCodeExporter commented 9 years ago
I turned on mod proxy and it works fine.  As a side effect, my personal need for
chained certificate support is gone.  I stuck in a:

ProxyPass /shell/ http://localhost:4200/
ProxyPassReverse /shell/ http://localhost:4200/

and Bob's your uncle...

Original comment by TomOeh...@gmail.com on 19 Mar 2009 at 4:23

GoogleCodeExporter commented 9 years ago
SVN now has support for chained certificates. Please re-open the issue if you discover any problems with it.

Original comment by zod...@gmail.com on 29 Mar 2009 at 9:55
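
The failure described in the report can be reproduced offline. This is an added example, not from the thread or the shellinabox project: a client that trusts only the root rejects the leaf unless the server also sends the intermediate. The CA names, file names and the `build_chain` / `verify_served` helpers are constructed for illustration, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed test PKI: root -> int -> leaf.

# build_chain DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
build_chain() {
  d=$1
  # Minimal config; the [ca] section marks a certificate as a CA.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
EOF
  for n in root int leaf; do
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
      -keyout "$d/$n.key" -out "$d/$n.csr" -subj "/CN=constructed-$n" \
      2>/dev/null || return 1
  done
  # Self-signed root; root signs the intermediate; intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions ca \
    -out "$d/int.pem" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# verify_served DIR FILE: FILE holds what the server sends (leaf first).
# The client trusts only root.pem, like a browser without the intermediate.
verify_served() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/leaf.pem" \
    >/dev/null 2>&1
}

work=$(mktemp -d)
build_chain "$work" || exit 1
# A chain file is the leaf followed by its intermediate(s), concatenated PEM.
cat "$work/leaf.pem" "$work/int.pem" > "$work/bundle.pem"
for f in leaf.pem bundle.pem; do
  if verify_served "$work" "$work/$f"; then echo "server sends $f: chain verifies"
  else echo "server sends $f: verification fails"; fi
done
rm -rf "$work"
```

Against a running server, `openssl s_client -connect HOST:PORT -showcerts` prints the certificates the server actually sends.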