httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 54030] Support subjectAltName when (reverse-)proxying
Date Wed, 31 Oct 2012 07:33:09 GMT

--- Comment #3 from Kaspar Brand <> ---
See also bug 53006.

Some preliminary comments about the patch: we really want to avoid duplicating
code from ssl_check_public_cert() - there should be a single check_ID(...)
function instead (i.e. the code should be factored out to ssl_util_ssl.c,

In the following two log messages, there's a misconception about what a "DN"
really is in the context of an X.509 certificate:

+                ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO()
+                              "SSL Proxy: Failure to extract DNs from"
+                              " peer certificate."
+                              " Requested hostname: %s", 

                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005)
                               "SSL Proxy: Peer certificate CN mismatch:"
-                              " Certificate CN: %s Requested hostname: %s",
-                              hostname, hostname_note);
+                              " Requested hostname: %s."
+                              " Last DN checked: %s.",
+                              hostname_note, id[i-1]);

DN is short for "distinguished name" (not "domain name"), and a certificate
only has a single subject DN and a single issuer DN (for host name checks, the
former is relevant).

Right now the name of the directive is "SSLProxyCheckPeerCN", so the code is
currently doing what the documentation states ("Whether to check the remote
server certificates CN field"). I agree that checking against subjectAltName
entries is highly desirable (in the spirit of RFC 6125), but we might want to
introduce a separate directive for this purpose (and deprecate

You are receiving this mail because:
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message