httpd-bugs mailing list archives

From bugzi...@apache.org
Subject [Bug 55866] When ProxyPreserveHost is on, SSL expects the wrong CN from the backend
Date Tue, 24 Dec 2013 13:04:38 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=55866

--- Comment #4 from Yann Ylavic <ylavic.dev@gmail.com> ---
The proxy is requesting front.example.com but gets a certificate from
back.example.com, how could it validate the peer's CN positively?
Isn't back.example.com the man-in-the-middle?

When ProxyPreserveHost is on, the host part of the ProxyPass's URL is used only
to resolve the IP address (which could be used there instead, with no
difference).

Contrariwise, if one uses ProxyPreserveHost because the/some backend uses the
same Host as the requested one, should the check fail because (s)he sets an IP
address (or a private hostname) in the ProxyPass?

When ProxyPreserveHost is on, either a new directive has to be added to select
the expected peer's hostname (Host vs ProxyPass, bug 54656), or the current
behaviour be applied.

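The two name-selection policies the comment weighs (expected name taken from the preserved Host header vs. from the ProxyPass URL), modelled as an added example; it is not part of the original message and is not mod_proxy or mod_ssl code. The function names, the policy labels `host` and `proxypass`, the address 192.0.2.10 and the certificate name lists are constructed for illustration.

```python
import ipaddress

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(pattern, reference):
    """Exact match, or a leftmost '*' covering exactly one DNS label."""
    pattern, reference = pattern.lower(), reference.lower()
    if pattern == reference:
        return True
    if pattern.startswith("*.") and not is_ip(reference):
        head, _, tail = reference.partition(".")
        return bool(head) and tail == pattern[2:]
    return False

def expected_peer_name(policy, request_host, proxypass_host):
    """Pick the name the backend certificate is checked against.
    'host'      -> the preserved Host header (behaviour described in the comment)
    'proxypass' -> the host part of the ProxyPass URL (the alternative)"""
    if policy == "host":
        return request_host
    if policy == "proxypass":
        return proxypass_host
    raise ValueError("unknown policy: %r" % policy)

def backend_accepted(policy, request_host, proxypass_host, cert_names):
    expected = expected_peer_name(policy, request_host, proxypass_host)
    return any(name_matches(n, expected) for n in cert_names)

# Constructed scenarios, both with ProxyPreserveHost on and Host: front.example.com
SCENARIOS = {
    # Bug report case: backend presents a certificate for its own name.
    "named_backend": ("front.example.com", "back.example.com", ["back.example.com"]),
    # Comment's counter-case: ProxyPass points at an IP, backend cert names the site.
    "ip_backend": ("front.example.com", "192.0.2.10", ["front.example.com"]),
}

def outcomes():
    """Map (scenario, policy) -> whether the peer name check passes."""
    return {(name, policy): backend_accepted(policy, *args)
            for name, args in SCENARIOS.items()
            for policy in ("host", "proxypass")}

if __name__ == "__main__":
    for key, ok in sorted(outcomes().items()):
        print(key, "accepted" if ok else "rejected")
```

Neither fixed policy accepts both deployments, which is why the comment asks for a directive to select the expected name.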