httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: use connection hostname for SNI and SSLProxyCheckPeerCN instead of the Host: header
Date Thu, 11 Apr 2013 04:43:50 GMT
On 10.04.2013 02:49, Lam, Eugene wrote:
> Was "Re: SSLProxyCheckPeerCN / ProxyPreserveHost issue"
> 
> So, what do folks think about adding this directive to use the
> connection hostname for SNI and the SSLProxyCheckPeerCN feature?
> Would such a directive be beneficial?  It seems a number of users who
> use ProxyPreserveHost will benefit from this.  It lets users revert
> to the behavior before the SNI change.

It's not really "the SNI change" which is the issue, it's the question
of whether you want to ignore cert name mismatches. From your PR:

> ssl_engine_io.c will pull out this note and use it for SNI and
> SSLProxyCheckPeerCN.  Unfortunately, www.example.com does not match
> backend.example.com.

I wouldn't call this unfortunate, I would say that it's a
misunderstanding of what SSL proxying with mod_proxy_http is expected to
provide.

> The reverse proxy shouldn't expect CN=www.example.com,
> CN=www.example.org, etc. when the backend only has
> CN=backend.example.com.

Looks like you're trying to use a "generic" SSL tunnel for any HTTP
request, irrespective of the host name in its URL. This is prone to MitM
attacks, and hardly a good idea. See also this message:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201204.mbox/%3C4F8E7873.8000004%40velox.ch%3E

Kaspar
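An added configuration example (not from this thread or from the httpd project) contrasting the "generic tunnel" setup Kaspar warns against with one that keeps the peer-name check intact. The host names www.example.com and backend.example.com follow the thread; the certificate and CA file paths are assumptions.

```apache
# Added example: reverse proxy from www.example.com to an HTTPS backend whose
# certificate carries CN=backend.example.com. File paths are placeholders.

# Weak: ProxyPreserveHost forwards the client's Host: (www.example.com) and
# httpd uses it for SNI and the CN comparison, so the check fails against
# CN=backend.example.com. Switching SSLProxyCheckPeerCN off "fixes" the error
# by accepting any certificate the CA issued, whatever name it carries, which
# is exactly the man-in-the-middle exposure described above.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/www.example.com.key
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/backend-ca.pem
    # name mismatch is silently accepted
    SSLProxyCheckPeerCN off
    ProxyPreserveHost On
    ProxyPass        / https://backend.example.com/
    ProxyPassReverse / https://backend.example.com/
</VirtualHost>

# Corrected: leave the name check on and let SNI and the CN comparison use the
# backend's own name by not preserving the client's Host:. The original host
# is still visible to the backend in the X-Forwarded-Host header that mod_proxy
# adds, so the backend can select its content without a certificate mismatch.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/www.example.com.key
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/backend-ca.pem
    # default value, written out for contrast with the block above
    SSLProxyCheckPeerCN on
    ProxyPreserveHost Off
    ProxyPass        / https://backend.example.com/
    ProxyPassReverse / https://backend.example.com/
</VirtualHost>
```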
