httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off'
Date Wed, 04 Apr 2012 13:55:53 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=53006

Kaspar Brand <asfbugz@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Platform|PC                          |All
         OS/Version|Linux                       |All

--- Comment #1 from Kaspar Brand <asfbugz@velox.ch> 2012-04-04 13:55:53 UTC ---
That's right, mod_ssl currently doesn't have support for wildcard matching in
proxy SSL connections (ssl_engine_io.c:ssl_io_filter_handshake() does a
strcasecmp of the hostname only).

SSLProxyCheckPeerCN defaults to "off" in 2.2, while in 2.4 it is "on" (if you
haven't encountered the issue with previous httpd releases, then this is why -
or you might have used a release before 2.2.12, when it was added for 2.2).

We could implement this with code similar to the one added to
ssl_engine_init.c:ssl_check_public_cert() with r1176752 (where it has a purely
diagnostic purpose, though).

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
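As an added illustration of the matching problem discussed in the comment (example code, not mod_ssl's own): `cn_matches_exact` reproduces the plain `strcasecmp` behaviour, under which a backend presenting a `*.example.com` certificate can never pass; `cn_matches_wildcard` is a hypothetical helper showing the constraints a wildcard-aware peer check still has to enforce (one left-most `*` label only, standing for exactly one label, no bare `*.tld`).

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Exact, case-insensitive comparison: the check the comment describes for
 * the proxy handshake. A wildcard CN never equals a concrete hostname. */
bool cn_matches_exact(const char *hostname, const char *cn)
{
    return strcasecmp(hostname, cn) == 0;
}

/* Number of dot-separated labels ("a.b.c" -> 3). */
static int label_count(const char *s)
{
    int n = 1;
    for (; *s; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Wildcard-aware match (hypothetical helper, not mod_ssl's code):
 * - only a "*" that is the entire left-most label is honoured ("w*.x" is not);
 * - the wildcard stands for exactly one label, so "*.example.com" matches
 *   "www.example.com" but not "example.com" or "a.b.example.com";
 * - patterns with fewer than three labels ("*.com") are rejected;
 * - the remaining labels must match case-insensitively. */
bool cn_matches_wildcard(const char *hostname, const char *cn)
{
    if (strncmp(cn, "*.", 2) != 0)
        return cn_matches_exact(hostname, cn);
    if (label_count(cn) < 3 || label_count(hostname) != label_count(cn))
        return false;
    const char *host_rest = strchr(hostname, '.');
    if (host_rest == NULL || host_rest == hostname)   /* empty first label */
        return false;
    return strcasecmp(host_rest, cn + 1) == 0;        /* compare ".example.com" */
}
```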

