Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BFA77FF3B for ; Thu, 11 Apr 2013 04:44:26 +0000 (UTC) Received: (qmail 45573 invoked by uid 500); 11 Apr 2013 04:44:26 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 45199 invoked by uid 500); 11 Apr 2013 04:44:21 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 45157 invoked by uid 99); 11 Apr 2013 04:44:19 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Apr 2013 04:44:19 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=5.0 tests=SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: local policy) Received: from [62.75.148.60] (HELO appendix.velox.ch) (62.75.148.60) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 11 Apr 2013 04:44:14 +0000 Received: from cortex.velox.ch (77-57-164-164.dclient.hispeed.ch [77.57.164.164]) (authenticated bits=0) by appendix.velox.ch (8.14.4/8.14.4/2.2) with ESMTP id r3B4hoaB020397 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Thu, 11 Apr 2013 06:43:52 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=appendix-177f; t=1365655432; bh=eEZT4ICWBc82AKgvTMcfBgyjXahdDQa+iskN+AdMETo=; h=Date:From:To:Subject:References:In-Reply-To; b=WyNWcbh8V+hcZu+3hcUfLi+vtDf3GAcGQ62T6AsUJfRgRX15SVmEJ1mKTeVLEyoFD Il4SKzkemGkZfhZUkN572X2VNu/slza6gn5EESHVHa/eMZsHMNdRJ8FDQHiE0XeLgv sig8AapSGHOezkmi+eTxf63u6YWgRexnVGAsm6hKMi8flCbzAuBkNPxXwni0eRPDJz lBwJCIv2O7/86Sq7eXtJLccjRCRuEcIpcOKF7cs0ixY/C+oKHWj8fJ7xnJkuYoW6YI I42nIHiLIkviSanPJH2wIGkK5nG+0sG99DO7NM/uKO0s1TsOfGcqPvKvstKcMfWbwM zaDCqO4QM47hg== X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on cortex.velox.ch X-Spam-Level: Received: from [178.83.85.211] (178-83-85-211.dynamic.hispeed.ch [178.83.85.211]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by cortex.velox.ch (Postfix) with ESMTPSA id 42C26A9B1B for ; Thu, 11 Apr 2013 06:43:49 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=velox.ch; s=cortex-8a58; t=1365655429; bh=eEZT4ICWBc82AKgvTMcfBgyjXahdDQa+iskN+AdMETo=; h=Date:From:To:Subject:References:In-Reply-To; b=lTO88u0dtStQhR+5YIO6XR4zzWMRB5zJ6wo5JQZ0PsQ6lViXFRCDJFbVh6oGO2YIK C3q8hmwOpokX9CWM6RjyppB8TmZ/MoMMN6h2pvZo5q+B8Nw6tdndlzNc+fp1aeKh57 eXt2xHmJi5pQYyGLdnWO4lUxOrWxmOa4ByaeeicaA7oeOCo8+qvdEn/omOUJbkJSKf wcmDki1WtjUP4zWycTbQvIQHwtc9x5ufW/QNi+zLiIheIkB6wfC+skcuL7xLAgPWaN Gvw5aEzj5QSEpRTiLEnw9Iy6hdHqNEAD9x2iVU/6iMENG2HK6IWBVHRACvGM+6temS Dstq/lrP5WkCQ== Message-ID: <51663F86.2010302@velox.ch> Date: Thu, 11 Apr 2013 06:43:50 +0200 From: Kaspar Brand MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: use connection hostname for SNI and SSLProxyCheckPeerCN instead of the Host: header References: In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Old-Spam-Status: No, score=-1.9 required=8.0 tests=ALL_TRUSTED=-1,AWL=0.629, BAYES_00=-1.5,T_DKIM_INVALID=0.01 autolearn=no version=3.3.2 On 10.04.2013 02:49, Lam, Eugene wrote: > Was "Re: SSLProxyCheckPeerCN / ProxyPreserveHost issue" > > So, what do folks think about adding this directive to use the > connection hostname for SNI and the SSLProxyCheckPeerCN feature? > Would such a directive be beneficial? It seems a number of users who > use ProxyPreserveHost will benefit from this. It lets users revert > to the behavior before the SNI change. It's not really "the SNI change" which is the issue, it's the question of whether you want to ignore cert name mismatches. From your PR: > ssl_engine_io.c will pull out this note and use it for SNI and > SSLProxyCheckPeerCN. Unfortunately, www.example.com does not match > backend.example.com. I wouldn't call this unfortunate, I would say that it's a misunderstanding of what SSL proxying with mod_proxy_http is expected to provide. > The reverse proxy shouldn't expect CN=www.example.com, > CN=www.example.org, etc. when the backend only has > CN=backend.example.com. Looks like you're trying to use a "generic" SSL tunnel for any HTTP request, irrespective of the host name in its URL. This is prone to MitM attacks, and hardly a good idea. See also this message: http://mail-archives.apache.org/mod_mbox/httpd-dev/201204.mbox/%3C4F8E7873.8000004%40velox.ch%3E Kaspar