httpd-dev mailing list archives

From Zisis Lianas <Zisis.Lia...@consol.de>
Subject SSLProxyCheckPeerCN / ProxyPreserveHost issue
Date Tue, 04 Sep 2012 14:09:32 GMT
I noticed some different behaviour of SSLProxyCheckPeerCN in combination
with activated ProxyPreserveHost since httpd-2.4.3.
httpd-2.4.2 and httpd-2.2.22 seem to work 'correctly' (or vice versa).

When setting SSLProxyCheckPeerCN and ProxyPreserveHost to "on" in httpd-2.4.3,
I get an "AH02005: SSL Proxy: Peer certificate CN mismatch" error.

Platform: Linux SLES11 / x64



Configuration excerpt:
###############
SSLEngine on
SSLProxyEngine On
ProxyPreserveHost On
SSLProxyCheckPeerCN On

<Proxy balancer://appcluster>
    BalancerMember https://backend01.server.foo:24090 route=0   #SSL CN=backend01.server.foo
    BalancerMember https://backend02.server.foo:24090 route=1   #SSL CN=backend02.server.foo
    ProxySet lbmethod=bybusyness nofailover=off stickysession=JSESSIONID|jsessionid
</Proxy>

ProxyPass /clusterjsp balancer://appcluster/clusterjsp
ProxyPassReverse / balancer://appcluster/
###############


https://mydispatcher-name.foo/ is the URL I call in my browser.
(SSL CN=mydispatcher-name.foo)



Test results:

Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
[Tue Sep 04 15:21:36.033808 2012] [ssl:info] [pid 17466:tid 140319655495440] [remote x.x.x.x:24090]
AH02005: SSL Proxy: Peer certificate CN mismatch: Certificate CN: backend01.server.foo Requested
hostname: mydispatcher-name.foo
==> NOT WORKING

Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
==> WORKING

Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost Off
SSLProxyCheckPeerCN On
==> WORKING



Apache 2.4.2 (OpenSSL 1.0.1b):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
==> WORKING

Apache 2.4.2 (OpenSSL 1.0.1b):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
==> WORKING



Apache 2.2.22 (OpenSSL 1.0.1a):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
==> WORKING

Apache 2.2.22 (OpenSSL 1.0.1a):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
==> WORKING



Reading the documentation, it looks to me like 2.4.3 is working
correctly, and all older versions not. Opinions?


regards,
zisis
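Added example (not part of the original message or of httpd itself): a small model of the check the post describes, where the "Requested hostname" compared against the backend certificate CN is the client's Host header when ProxyPreserveHost is On and the BalancerMember host when it is Off, plus a parser for the AH02005 log line so the two names can be pulled out of a log. The mapping of settings to compared hostname is an assumption taken from the test matrix above, not from mod_ssl's source; the sample log line is constructed after the one quoted in the post.

```python
import re
from urllib.parse import urlparse

# Constructed log line, modelled on the AH02005 message quoted in the post.
SAMPLE_LOG = (
    "[Tue Sep 04 15:21:36.033808 2012] [ssl:info] [pid 17466:tid 140319655495440] "
    "[remote x.x.x.x:24090] AH02005: SSL Proxy: Peer certificate CN mismatch: "
    "Certificate CN: backend01.server.foo Requested hostname: mydispatcher-name.foo"
)

AH02005_RE = re.compile(
    r"AH02005: SSL Proxy: Peer certificate CN mismatch: "
    r"Certificate CN: (?P<cn>\S+) Requested hostname: (?P<requested>\S+)"
)


def parse_cn_mismatch(line):
    """Return (certificate_cn, requested_hostname) from an AH02005 line, else None."""
    m = AH02005_RE.search(line)
    if not m:
        return None
    return m.group("cn"), m.group("requested")


def requested_hostname(client_host_header, backend_url, proxy_preserve_host):
    """Hostname the proxy is assumed to compare against the peer CN.

    Assumption (from the post's test matrix, not mod_ssl's code): with
    ProxyPreserveHost On the forwarded client Host header is used; with it
    Off the host part of the BalancerMember URL is used."""
    if proxy_preserve_host:
        return client_host_header.split(":")[0].lower()
    return urlparse(backend_url).hostname.lower()


def peer_cn_check_passes(cert_cn, client_host_header, backend_url,
                         proxy_preserve_host, check_peer_cn):
    """True when the backend certificate would be accepted under these settings."""
    if not check_peer_cn:
        return True  # SSLProxyCheckPeerCN Off: the CN is never compared
    expected = requested_hostname(client_host_header, backend_url, proxy_preserve_host)
    return cert_cn.lower() == expected


def balancer_report(members, client_host_header, proxy_preserve_host, check_peer_cn):
    """Map each (backend_url, cert_cn) pair to whether the CN check passes."""
    return {url: peer_cn_check_passes(cn, client_host_header, url,
                                      proxy_preserve_host, check_peer_cn)
            for url, cn in members}
```

Running balancer_report over the two BalancerMembers from the post with ProxyPreserveHost On and SSLProxyCheckPeerCN On reproduces the "NOT WORKING" row; flipping either setting to Off reproduces the "WORKING" rows.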
