Hello, I'm Alfredo, I'm a System Admin for an ISP in Spain.

I want to use delegate for this scenario:

Client ---http--> delegate (With Cert and Key) ---- https --> Web server

I have installed delegate8.9.4 and put this configuration:

./delegated -P80 SERVER=http FSV=sslway -cert client.pem -key clientkey.pem -pass xxxxx

I put client.pem and clientkey.pem inside LIBPATH
LIBPATH=/var/spool/delegate-nobody/lib

NOTE: the IPs, certificate and key are only to simulate the scenario; they are not for final use.

Client: 212.64.160.134
Delegate: 212.64.160.24
Web server: 212.64.160.61

delegate Log:

05/20 17:25:34.59 [273] 0+0: configuring default RESOLV ...
05/20 17:25:34.59 [273] 0+0: ... SYS: radiator -> 212.64.160.24
05/20 17:25:34.59 [273] 0+0: ... DNS: 212.64.160.24 -> radiator.idecnet.com
05/20 17:25:34.59 [273] 0+0: ... DNS available
05/20 17:25:34.59 [273] 0+0: ... NIS not available (no default domain)
05/20 17:25:34.59 [273] 0+0: ... export RES_ORDER=CFD
05/20 17:25:34.59 [273] 0+0: export RESOLV=cache,file,dns (set by default)
05/20 17:25:34.59 [273] 0+0: --INITIALIZATION START: 8.9.4 on Linux/2.4.26--
05/20 17:25:34.59 [273] 0+0: BINSHELL=/bin/sh
05/20 17:25:34.60 [273] 0+0: server_open(delegate,:80,listen=20)
05/20 17:25:34.60 [273] 0+0: server_open(delegate,:80) BOUND
05/20 17:25:34.60 [273] 0+0: DGROOT=/var/spool/delegate-nobody^M
05/20 17:25:34.60 [273] 0+0: <DeleGate/8.9.4> [273] -P80 READY^M
<DeleGate/8.9.4> [273] -P80 READY
DGROOT=/var/spool/delegate-nobody
ADMIN=root@idecnet..
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2004 National Institute of Advanced Industrial Science and Technology (AIST)
05/20 17:25:34.60 [273] 0+0: PORT= 80/8 (0,80)
05/20 17:25:34.60 [273] 0+0: OWNER=nobody => OWNER=nobody/nogroup(nobody/nogroup)
05/20 17:25:34.60 [273] 0+0: CODECONV[1](global,tocl,EUC.JP) => EUC.JP [EUC-JP]
05/20 17:25:34.60 [273] 0+0: REMITTABLE = http,https/{80,443},gopher,ftp,wais
05/20 17:25:34.60 [273] 0+0: LIBPATH: sslway -> /var/spool/delegate-nobody/lib/sslway
05/20 17:25:34.60 [273] 0+0: PATH: gzip -> /bin/gzip
05/20 17:25:34.60 [273] 0+0: #### gzip = [/bin/gzip]gzip
05/20 17:25:34.60 [273] 0+0: #### gunzip = [/bin/gzip]gzip -d
05/20 17:25:34.60 [273] 0+0: ADMIN=root@idecnet.. protocol=http(specialist)
-delegated[273]- WARNING! ADMIN="your_mail_address" should be specified.
-delegated[273]- INFO: using ADMIN=root@idecnet.. given at compile time.
05/20 17:25:34.60 [273] 0+0: MOUNT[0]X[2] /-/builtin/icons/* = default
05/20 17:25:34.60 [273] 0+0: MOUNT[1]X[3] /-/* = forbidden,from=!.RELIABLE,default
05/20 17:25:34.60 [273] 0+0: MOUNT[2]X[0] /-* = default
05/20 17:25:34.60 [273] 0+0: MOUNT[3]X[1] /=* = default
05/20 17:25:34.60 [273] 0+0: #### stack size limit = 800000 (000000X)
05/20 17:25:34.60 [273] 0+0: Stay open PIDFILE for accept() lock[fd=10]
05/20 17:25:34.60 [273] 0+0: env[28] LIBPATH=.;/usr/src/delegate8.9.4/src;/var/spool/delegate-nobody/lib;.;/var/spool/delegate-nobody/etc
05/20 17:25:34.60 [273] 0+0: env[30] RESOLV=cache,file,dns
05/20 17:25:34.60 [273] 0+0: arg[2] SERVER=http
05/20 17:25:34.60 [273] 0+0: arg[3] FSV=sslway
05/20 17:25:34.60 [273] 0+0: gen[0] CHARCODE=EUC
05/20 17:25:34.60 [273] 0+0: DELEGATE_Modified[0]: 40acd8c4
05/20 17:25:34.60 [273] 0+0: --INITIALIZATION DONE: 8.9.4 on Linux/2.4.26--

Now I put "http://212.64.160.24" in the browser:

05/20 17:26:06.21 [274] 1+0: -- Fork(SequentialServer): 273 -> 274
05/20 17:26:06.21 [274] 1+1: (0) accepted [32] -@[212.64.160.134]portatil.idecnet.com:3160 (0.005s)(1)
05/20 17:26:06.21 [274] 1+1: Proxy: host=portatil.idecnet.com; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1); DIRECT
05/20 17:26:06.21 [274] 1+1: HCKA:[0] Keep-Alive; host=portatil.idecnet.com; (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))
05/20 17:26:06.21 [274] 1+1: REQUEST - GET / HTTP/1.1^M
05/20 17:26:06.21 [274] 1+1: PATH> http://212.64.160.24:80!radiator.idecnet.com:80!portatil.idecnet.com:3160!anonymous@portatil.idecnet.com;1085070366
05/20 17:26:06.21 [274] 1+1: REQUEST = [http://212.64.160.24:80/] GET / HTTP/1.1^M
05/20 17:26:06.21 [274] 1+1: checking delegate-internal: self=1 GET / HTTP/1.1^M
05/20 17:26:06.22 [274] 1+1: ####### Location: http://212.64.160.24:80/-/nonCERNproxy^M
05/20 17:26:06.22 [274] 1+1/1: -- discard 0+354 = 354 /354/354 Bytes of peeked request

Then I put "https://eawssl.idecnet.com" in the page returned from delegate:

05/20 17:26:26.22 [274] 1+1/1: ClosedOnTimeout(0): time=1085070386/1085070396 ppid=273/273 pid=274/274
portatil.idecnet.com - - [20/May/2004:17:26:06 +0000] "GET http://212.64.160.24/ HTTP/1.1" 200 542 0*0.000+0.002:I:0+
05/20 17:26:58.23 [274] 1+1/1: HCKA:[1] closed -- t:timeout: 52
05/20 17:26:58.23 [274] 1+1/1: disconnected [32] -@[212.64.160.134]portatil.idecnet.com:3160 (52.022s)(0)
05/20 17:26:58.23 [274] 1+1: StickyServer done [serverSocketClosed] 1 req / 1 conn / 52 sec
05/20 17:27:03.13 [275] 2+0: -- Fork(SequentialServer): 273 -> 275
05/20 17:27:03.13 [275] 2+1: (0) accepted [19] -@[212.64.160.134]portatil.idecnet.com:3161 (0.003s)(1)
05/20 17:27:03.13 [275] 2+1: Proxy: host=portatil.idecnet.com; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1); DIRECT
05/20 17:27:03.13 [275] 2+1: HCKA:[0] Keep-Alive; host=portatil.idecnet.com; (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))
05/20 17:27:03.13 [275] 2+1: REQUEST - GET /-/nonCERNproxy?https%3A%2F%2Feawssl.idecnet.com HTTP/1.1^M
05/20 17:27:03.13 [275] 2+1: PATH> http://212.64.160.24:80!radiator.idecnet.com:80!portatil.idecnet.com:3161!anonymous@portatil.idecnet.com;1085070423
05/20 17:27:03.13 [275] 2+1: REQUEST = [http://212.64.160.24:80/] GET /-/nonCERNproxy?https%3A%2F%2Feawssl.idecnet.com HTTP/1.1^M
05/20 17:27:03.13 [275] 2+1: checking delegate-internal: self=1 GET /-/nonCERNproxy?https%3A%2F%2Feawssl.idecnet.com HTTP/1.1^M
05/20 17:27:03.14 [275] 2+1: ####### Location: http://212.64.160.24/-_-https://eawssl.idecnet.com^M
05/20 17:27:03.14 [275] 2+1/1: -- discard 0+447 = 447 /447/447 Bytes of peeked request
05/20 17:27:03.15 [275] 2+1/1: ClosedOnTimeout(0): time=1085070423/1085070453 ppid=273/273 pid=275/275
05/20 17:27:03.15 [275] 2+1/1: Proxy: host=portatil.idecnet.com; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1); DIRECT
05/20 17:27:03.15 [275] 2+1/1: REQUEST - GET /-_-https://eawssl.idecnet.com HTTP/1.1^M
05/20 17:27:03.15 [275] 2+1/1: ####### Location: http://212.64.160.24:80/-_-https://eawssl.idecnet.com/^M
05/20 17:27:03.15 [275] 2+1/2: -- discard 0+429 = 429 /429/429 Bytes of peeked request
05/20 17:27:03.16 [275] 2+1/2: Proxy: host=portatil.idecnet.com; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1); DIRECT
05/20 17:27:03.16 [275] 2+1/2: REQUEST - GET /-_-https://eawssl.idecnet.com/ HTTP/1.1^M
05/20 17:27:03.16 [275] 2+1/2: PATH> https://eawssl.idecnet.com:443!radiator.idecnet.com:80!portatil.idecnet.com:3161!anonymous@portatil.idecnet.com;1085070423
05/20 17:27:03.16 [275] 2+1/2: REQUEST = [https://eawssl.idecnet.com:443/] GET / HTTP/1.1^M
05/20 17:27:03.16 [275] 2+1/2: [0.00,-1][HTTP cache-NONE] /var/spool/delegate-nobody/cache/https/eawssl.idecnet.com/=
05/20 17:27:03.16 [275] 2+1/2: XHost: (0,1,0) eawssl.idecnet.com <= 212.64.160.24
05/20 17:27:03.16 [275] 2+1/2: ConnectToServer connected [8] {212.64.160.25:443 <- 212.64.160.24:32789} [0.001s]
05/20 17:27:03.16 [276] 2+1/2: -- Fork(FSV): 275 -> 276
05/20 17:27:03.16 [276] 2+1/2: #### execFilter[FSV] [/var/spool/delegate-nobody/lib/sslway]sslway
05/20 17:27:03.16 [275] 2+1/2: HTTP => (eawssl.idecnet.com:443) GET / HTTP/1.1^M
## SSLway[276](portatil.idecnet.com) server's cert. = **subject<</C=ES/ST=Las Palmas/L=Las Palmas/O=eaw/OU=eaw/CN=Alfredo WEBSERVER/Email=info@idecnet..>> **issuer<</C=ES/ST=Las Palmas/L=Las Palmas/O=eaw/OU=eaw/CN=Alfredo WEBSERVER/Email=info@idecnet..>>
05/20 17:27:03.35 [275] 2+1/2: HTTP realy_response: EOF at start
05/20 17:27:03.36 [275] 2+1/2: #HT11 EOF from the server
05/20 17:27:03.36 [275] 2+1/2: #HT11 close svsokcs[16,17]
05/20 17:27:03.36 [275] 2+1/3: HCKA:[3] closed -- -
05/20 17:27:03.36 [275] 2+1/3: disconnected [19] -@[212.64.160.134]portatil.idecnet.com:3161 (0.226s)(0)
05/20 17:27:03.36 [277] 3+0: -- Fork(SequentialServer): 273 -> 277
05/20 17:27:03.36 [277] 3+1: (1) accepted [21] -@[212.64.160.134]portatil.idecnet.com:3162 (0.003s)(1)
05/20 17:27:03.37 [277] 3+1: Proxy: host=portatil.idecnet.com; User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1); DIRECT
05/20 17:27:03.37 [277] 3+1: HCKA:[0] Keep-Alive; host=portatil.idecnet.com; (User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1))
05/20 17:27:03.37 [277] 3+1: REQUEST - GET /-_-https://eawssl.idecnet.com/ HTTP/1.1^M
05/20 17:27:03.37 [277] 3+1: PATH> https://eawssl.idecnet.com:443!radiator.idecnet.com:80!portatil.idecnet.com:3162!anonymous@portatil.idecnet.com;1085070423
05/20 17:27:03.37 [277] 3+1: REQUEST = [https://eawssl.idecnet.com:443/] GET / HTTP/1.1^M
05/20 17:27:03.37 [277] 3+1: [0.00,-1][HTTP cache-NONE] /var/spool/delegate-nobody/cache/https/eawssl.idecnet.com/=
05/20 17:27:03.37 [277] 3+1: XHost: (0,1,0) eawssl.idecnet.com <= 212.64.160.24
05/20 17:27:03.37 [277] 3+1: ConnectToServer connected [11] {212.64.160.25:443 <- 212.64.160.24:32790} [0.000s]
05/20 17:27:03.37 [277] 3+1: HTTP => (eawssl.idecnet.com:443) GET / HTTP/1.1^M
05/20 17:27:03.37 [278] 3+1: -- Fork(FSV): 277 -> 278
05/20 17:27:03.37 [278] 3+1: #### execFilter[FSV] [/var/spool/delegate-nobody/lib/sslway]sslway
## SSLway[278](portatil.idecnet.com) server's cert. = **subject<</C=ES/ST=Las Palmas/L=Las Palmas/O=eaw/OU=eaw/CN=Alfredo WEBSERVER/Email=info@idecnet..>> **issuer<</C=ES/ST=Las Palmas/L=Las Palmas/O=eaw/OU=eaw/CN=Alfredo WEBSERVER/Email=info@idecnet..>>
05/20 17:27:03.56 [277] 3+1: HTTP realy_response: EOF at start
05/20 17:27:03.57 [277] 3+1: #HT11 EOF from the server
05/20 17:27:03.57 [277] 3+1: #HT11 close svsokcs[17,18]
05/20 17:27:03.57 [277] 3+1/1: HCKA:[1] closed -- ?
05/20 17:27:03.57 [277] 3+1/1: disconnected [21] -@[212.64.160.134]portatil.idecnet.com:3162 (0.204s)(0)
05/20 17:27:04.55 [275] 2+1/3: CFI process remaining (1/1)
portatil.idecnet.com - - [20/May/2004:17:27:03 +0000] "GET http://212.64.160.24/-/nonCERNproxy?https%3A%2F%2Feawssl.idecnet.com HTTP/1.1" 200 554 0*0.000+0.001:I:0+
portatil.idecnet.com - - [20/May/2004:17:27:03 +0000] "GET http://eawssl.idecnet.com:443/ HTTP/1.1" 302 558 0*0.000+0.000:I:1+
portatil.idecnet.com - - [20/May/2004:17:27:03 +0000] "GET https://eawssl.idecnet.com/ HTTP/1.1" 500 0 0*0.000+0.000:P:2-
05/20 17:27:04.55 [275] 2+1: StickyServer done [nonStickyProtocol(http:https:https)] 3 req / 1 conn / 1 sec
05/20 17:27:04.76 [277] 3+1/1: CFI process remaining (1/1)
portatil.idecnet.com - - [20/May/2004:17:27:03 +0000] "GET https://eawssl.idecnet.com/ HTTP/1.1" 500 0 0*0.000+0.000:P:0?
05/20 17:27:04.76 [277] 3+1: StickyServer done [nonStickyProtocol(http:https:https)] 1 req / 1 conn / 1 sec

In the Apache Log:

[Thu May 20 17:14:43 2004] [error] mod_ssl: Re-negotiation handshake failed: Not accepted by client!?
[Thu May 20 17:14:43 2004] [error] mod_ssl: SSL error on writing data (OpenSSL library error follows)
[Thu May 20 17:14:43 2004] [error] OpenSSL: error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate [Hint: No CAs known to server for verification?]

On the Apache server I created client.p12, converted it to .pem and split it into cert=client.pem and key=clientkey.pem. Then I copied client.pem and clientkey.pem to the machine with delegate.

I have installed the certificate "client.p12" in Mozilla and IE and this connection is OK, but I want to do this with delegate and it is not OK.

Can you help me?

Best Regards
--
Alfredo Pulido piifabdyi-jmfhzl2yqqdw.ml@delegate.org
Dept. Sistemas, IdecNet S.A.
Juan XXIII 44 // E-35004 Las Palmas de Gran Canaria, Las Palmas // SPAIN
Tel: +30 000 000 00F Fax: +30 000 000 00F
http://www.idecnet.com/
---
To err is a privilege of the brave.
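The Apache error above ("peer did not return a certificate") says the TLS client never offered a client certificate. Before looking at the proxy, it is worth confirming that the PEM material split out of client.p12 is usable at all. The script below is an added example, not part of this post or of DeleGate: it splits a PKCS#12 bundle into the cert and key PEM files the way the post describes, checks that the two carry the same public key, and checks that the CA Apache is configured to trust actually issued the client cert. It assumes the openssl command-line tool is on PATH; all file names and the demo CA are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post or DeleGate). Assumes the openssl CLI.
set -eu

# Split a PKCS#12 bundle (like the client.p12 exported from Apache) into the
# two PEM files a TLS client wants: the certificate and the unencrypted key.
split_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$4"
}

# A cert and a key belong together only if they carry the same public key.
# With a mismatched pair the client cannot sign CertificateVerify, so the
# server sees no usable client certificate at all.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout)
    [ "$c" = "$k" ]
}

# Was the client cert issued by the CA the server trusts (Apache's
# SSLCACertificateFile)? If not, mod_ssl will not list that CA in its
# CertificateRequest and a well-behaved client will not offer the cert.
issued_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed demo material: a throw-away CA, a client cert it signs,
# and a passphrase-protected PKCS#12 bundle of the two.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo CA" -days 1 \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo client" \
        -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/client.crt" 2>/dev/null
    openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" \
        -passout pass:secret -out "$1/client.p12"
}

# Usage on real material: split_p12 client.p12 "$PASS" client.pem clientkey.pem
#                         pair_matches client.pem clientkey.pem && echo "pair OK"
#                         issued_by ca.pem client.pem && echo "issuer OK"
```

If both checks pass on the real files, the PEM material is fine and the remaining suspect is whether the proxy is actually handing the cert and key to sslway; if either fails, the problem is in the certificate export, not in DeleGate.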