httpd-dev mailing list archives

From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: SSLProxyCheckPeerCN / ProxyPreserveHost issue
Date Tue, 04 Sep 2012 16:02:08 GMT
On 04.09.2012 16:09, Zisis Lianas wrote:
> I noticed some different behaviour of SSLProxyCheckPeerCN in combination
> with activated ProxyPreserveHost since httpd-2.4.3.
> httpd-2.4.2 and httpd-2.2.22 seem to work 'correctly' (or vice versa).
>
> When setting SSLProxyCheckPeerCN and ProxyPreserveHost to "on" in httpd-2.4.3,
> I get an "AH02005: SSL Proxy: Peer certificate CN mismatch" error.
>
> Platform: Linux SLES11 / x64
>
>
>
> Configuration excerpt:
> ###############
> SSLEngine on
> SSLProxyEngine On
> ProxyPreserveHost On
> SSLProxyCheckPeerCN On
>
> <Proxy balancer://appcluster>
>      BalancerMember https://backend01.server.foo:24090 route=0   #SSL CN=backend01.server.foo
>      BalancerMember https://backend02.server.foo:24090 route=1   #SSL CN=backend02.server.foo
>      ProxySet lbmethod=bybusyness nofailover=off stickysession=JSESSIONID|jsessionid
> </Proxy>
>
> ProxyPass /clusterjsp balancer://appcluster/clusterjsp
> ProxyPassReverse / balancer://appcluster/
> ###############
>
>
> https://mydispatcher-name.foo/ is the URL I call in my browser.
> (SSL CN=mydispatcher-name.foo)
>
>
>
> Test results:
>
> Apache 2.4.3 (OpenSSL 1.0.1c):
> ProxyPreserveHost On
> SSLProxyCheckPeerCN On
> [Tue Sep 04 15:21:36.033808 2012] [ssl:info] [pid 17466:tid 140319655495440] [remote x.x.x.x:24090] AH02005: SSL Proxy: Peer certificate CN mismatch: Certificate CN: backend01.server.foo Requested hostname: mydispatcher-name.foo
> ==> NOT WORKING
>
> Apache 2.4.3 (OpenSSL 1.0.1c):
> ProxyPreserveHost On
> SSLProxyCheckPeerCN Off
> ==> WORKING
>
> Apache 2.4.3 (OpenSSL 1.0.1c):
> ProxyPreserveHost Off
> SSLProxyCheckPeerCN On
> ==> WORKING
>
>
>
> Apache 2.4.2 (OpenSSL 1.0.1b):
> ProxyPreserveHost On
> SSLProxyCheckPeerCN Off
> ==> WORKING
>
> Apache 2.4.2 (OpenSSL 1.0.1b):
> ProxyPreserveHost On
> SSLProxyCheckPeerCN On
> ==> WORKING
>
>
>
> Apache 2.2.22 (OpenSSL 1.0.1a):
> ProxyPreserveHost On
> SSLProxyCheckPeerCN Off
> ==> WORKING
>
> Apache 2.2.22 (OpenSSL 1.0.1a):
> ProxyPreserveHost On
> SSLProxyCheckPeerCN On
> ==> WORKING
>
>
>
> Reading the documentation for me it looks like 2.4.3 is working
> correctly, and all older versions not. Opinions?

Yes, and I'd say it is a result of

http://svn.apache.org/viewcvs.cgi?rev=1356881&view=rev

https://issues.apache.org/bugzilla/show_bug.cgi?id=53134

*) mod_proxy: Use the same hostname for SNI as for the HTTP request
    when forwarding to SSL backends. PR 53134.
    [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

Regards,

Rainer
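The following is an added example, not code from httpd or from either poster. It models the hostname selection that changed in 2.4.3: with ProxyPreserveHost On, the name mod_proxy forwards in the Host header (and, since r1356881, also presents as SNI) is the client's Host header, so SSLProxyCheckPeerCN compares the backend certificate's CN against mydispatcher-name.foo rather than backend01.server.foo and logs AH02005. The backend URLs, certificate CNs and Host header are the constructed values from the thread's configuration; the CN comparison is modelled as a case-insensitive exact match (an assumption, not a reproduction of mod_ssl's code, and without wildcard or SAN handling). Running it reproduces the three 2.4.3 rows of the test matrix above.

```python
"""Model (added example, not httpd code) of which hostname mod_proxy
uses for the forwarded request and SNI in 2.4.3, and of the
SSLProxyCheckPeerCN comparison against the backend certificate CN."""
from urllib.parse import urlsplit

# Constructed sample data taken from the configuration in the thread:
# BalancerMember URL -> CN of the certificate that backend presents.
BACKENDS = {
    "https://backend01.server.foo:24090": "backend01.server.foo",
    "https://backend02.server.foo:24090": "backend02.server.foo",
}
# Host: header the browser sends when calling https://mydispatcher-name.foo/
CLIENT_HOST_HEADER = "mydispatcher-name.foo"


def requested_hostname(backend_url, client_host_header, proxy_preserve_host):
    """Hostname mod_proxy uses for the forwarded Host header and, since
    2.4.3 (r1356881, PR 53134), also for SNI.

    ProxyPreserveHost Off: host part of the BalancerMember URL.
    ProxyPreserveHost On:  the client's Host header with any :port removed.
    """
    if not proxy_preserve_host:
        return urlsplit(backend_url).hostname
    host = client_host_header.strip()
    if host.startswith("["):            # bracketed IPv6 literal
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if ":" in host else host


def cn_check(cert_cn, hostname, enabled):
    """SSLProxyCheckPeerCN as modelled here: case-insensitive exact match
    of certificate CN and requested hostname (assumption: no wildcard or
    SAN matching). Returns (ok, log_message)."""
    if not enabled or cert_cn.lower() == hostname.lower():
        return True, None
    msg = ("AH02005: SSL Proxy: Peer certificate CN mismatch: "
           f"Certificate CN: {cert_cn} Requested hostname: {hostname}")
    return False, msg


def proxy_request(backend_url, proxy_preserve_host, check_peer_cn,
                  client_host_header=CLIENT_HOST_HEADER, backends=BACKENDS):
    """Simulate one request forwarded to backend_url under the given
    ProxyPreserveHost / SSLProxyCheckPeerCN settings."""
    hostname = requested_hostname(backend_url, client_host_header,
                                  proxy_preserve_host)
    return cn_check(backends[backend_url], hostname, check_peer_cn)


def run_matrix(backend="https://backend01.server.foo:24090"):
    """The three 2.4.3 cases from the post; returns {(preserve, check): ok}."""
    results = {}
    for preserve, check in [(True, True), (True, False), (False, True)]:
        ok, msg = proxy_request(backend, preserve, check)
        results[(preserve, check)] = ok
        print(f"ProxyPreserveHost {'On' if preserve else 'Off':<3} "
              f"SSLProxyCheckPeerCN {'On' if check else 'Off':<3} "
              f"==> {'WORKING' if ok else 'NOT WORKING'}")
        if msg:
            print("   ", msg)
    return results


if __name__ == "__main__":
    run_matrix()
```

The practical consequence for a 2.4.3 deployment with both directives On is that the backend certificate CN has to be the public name the client sent, since that is now the name checked; keeping ProxyPreserveHost Off makes the check run against the BalancerMember hostname, which is what the certificates in this configuration carry.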
