httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off'
Date Wed, 04 Apr 2012 13:55:53 GMT

Kaspar Brand <> changed:

           What    |Removed                     |Added
           Platform|PC                          |All
         OS/Version|Linux                       |All

--- Comment #1 from Kaspar Brand <> 2012-04-04 13:55:53 UTC ---
That's right, mod_ssl currently doesn't have support for wildcard matching in
proxy SSL connections (ssl_engine_io.c:ssl_io_filter_handshake() does a
strcasecmp of the hostname only).

SSLProxyCheckPeerCN defaults to "off" in 2.2, while in 2.4 it is "on" (if you
haven't encountered the issue with previous httpd releases, then this is why -
or you might have used a release before 2.2.12, when it was added for 2.2).

We could implement this with code similar to the one added to
ssl_engine_init.c:ssl_check_public_cert() with r1176752 (where it has a purely
diagnostic purpose, though).
