search for: ssl_verify_client

Displaying 8 results from an estimated 8 matches for "ssl_verify_client".

2007 Mar 08
5
1.0rc26: ssl_verify_client=yes ?
Q1) I can't get ssl_verify_client_cert=yes working. The ssl key and cert are signed using our CA. Also the ssl_ca_file has a CRL appended (no revokes yet). Expected behavior: Stop the SSL (the client doesn't have a cert installed) Current behavior: Mail clients accept SSL and login succeeds. (both Evolution and Thunderbird)....
2009 Sep 21
1
redirect
...--------------------- nginx/0.6.39 I've tried the following: server { listen 8443; ssl on; ssl_certificate /etc/httpd/ssl/proxy-ssl.cer; ssl_certificate_key /etc/httpd/ssl/server.key; ssl_client_certificate /etc/httpd/ssl/ca-bundle.crt; ssl_verify_client on ............................................................................................. ............................................................................................. error_page 400 /400.html; location = /400.html { root /usr/share/nginx/html;...
2012 Dec 06
2
passenger does not start puppet master under nginx
...ppet/ssl/private_keys/bangvmpllda02.XXXXX.com.pem; ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem; ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA; ssl_prefer_server_ciphers on; ssl_verify_client optional; ssl_verify_depth 1; ssl_session_cache shared:SSL:128m; ssl_session_timeout 5m; } } and the puppet.conf [main] # The Puppet log directory. # The default value is ''$vardir/log''. logdir = /...
2007 Dec 16
2
mongrel and reverse proxy security
...ssl and making client ssl certificate signature verification. I read the pound and the nginx wiki article and I am a bit confused here. Let's see for nginx: ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_client_certificate /etc/puppet/ssl/ca/ca_crt.pem (and ssl_verify_client on; in the server setting) So here I took the debian default ssl config and added the last line ''ssl_client_certificate'' with the same cert used on the pound wiki. Does it make the things secure? Could anyone clarify the security risk and how I should setup this...
2011 Mar 14
1
slight security problem
...ssl_certificate /var/lib/puppet/ssl/certs/ something.pem; ssl_certificate_key /var/lib/puppet/ssl/private_keys/ something.pem; ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:- EXP; ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem; ssl_verify_client on; root /var/empty; access_log /var/log/nginx/access-8140.log; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_hea...
2009 Jul 21
2
Toward a simple Nginx configuration for Puppet Mongrel
...e /var/lib/puppet/ssl/certs/puppetmaster.pem; ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.pem; ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem; ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA; # allow authenticated and client without certs ssl_verify_client optional; # obey to the Puppet CRL ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem; root /var/tmp; location / { proxy_pass http://puppet-production; proxy_redirect off; proxy_set_header Host $host; proxy_set_h...
2011 Jul 08
2
Puppetmaster setup with separate CA server configuration help
...ssl_certificate_key /var/lib/puppet/ssl/private_keys/ loadbalancer01.pem; ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem; ssl_protocols SSLv3 TLSv1; ssl_ciphers ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP; ssl_prefer_server_ciphers on; ssl_verify_client optional; ssl_verify_depth 1; access_log logs/loadbalancer01_access.log main; error_log logs/loadbalancer01_error.log; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-...
2011 Sep 23
21
Official puppetlabs position on cron vs puppet as a service?
Over the years many shops have come to start running puppet via cron to address memory leaks in earlier versions of Ruby, but the official position was that puppet was meant to be run as a continually running service. I am wondering if the official position has changed. On one hand many if not all of the early Ruby issues have been fixed, on the other, the addition of mcollective into the mix as