httpd-dev mailing list archives

From "Houser, Rick" <>
Subject mod_ssl server certificate does NOT include an ID which matches the server name
Date Tue, 08 Jul 2014 15:33:30 GMT
We have an external load balancer handling client-facing SSL sessions, and Apache httpd uses
a single x509 cert for receiving traffic from those load balancers.  As such, the Host field
in the received content does not match the CN in the certificate the load balancers see when
contacting mod_ssl.  It does match the hostname the load balancers use to talk to mod_ssl.
Everything works correctly; we just get a lot of this warning:

mod_ssl server certificate does NOT include an ID which matches the server name

I didn't see an existing way to disable this without also dropping another chunk of potentially
useful logs.  Personally, I think info level might have been a bit more appropriate, anyhow.

My proposed solution is a new configuration flag to suppress this warning.  There would be
no behavior change in the default case.  I was thinking something like SSLSupressCNMissmatch
(yes, it's ugly) or SSLExternalProxy (in case there are other, future things that should also
work at this level).

Any suggestions on alternate directive names, different approaches, etc.?  Should the log threshold
on that message stay warn, or move to info?

Ideally, I wouldn't be applying a patch to our sources for the next several years.  If such
a configuration option isn't desired by the community, I'll just comment out the warning in
our builds and be done with it.  So, that would also be helpful feedback.

Thanks in advance for any feedback,

Rick Houser
PGDS Web Administration
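
Added example, not part of the original message and not mod_ssl's own code: a simplified model of the certificate-ID versus server-name comparison, showing why the load balancer's check of the backend hostname passes while the client-facing vhost names still trigger the warning. The matching rule (case-insensitive, a leading `*.` covering one left-most label) is an assumption, and all host names are constructed placeholders.

```python
# Simplified model of a certificate-ID vs. server-name check (assumed rule,
# not taken from the mod_ssl sources). Host names are constructed samples.

def id_matches(cert_id, name, allow_wildcard=True):
    """Case-insensitive match of one certificate ID against a host name.

    A leading "*." in the ID matches exactly one left-most label.
    """
    cert_id, name = cert_id.lower().rstrip("."), name.lower().rstrip(".")
    if cert_id == name:
        return True
    if allow_wildcard and cert_id.startswith("*.") and "." in name:
        # Compare ".example.com" from the ID with the name minus its first label.
        return cert_id[1:] == name[name.index("."):]
    return False


def cert_ids(common_name, san_dns):
    """IDs a certificate offers: subjectAltName dNSName entries plus subject CN."""
    ids = list(san_dns)
    if common_name and common_name not in ids:
        ids.append(common_name)
    return ids


def cert_covers(name, common_name, san_dns):
    """True if any ID in the certificate matches the given host name."""
    return any(id_matches(i, name) for i in cert_ids(common_name, san_dns))


def audit_vhosts(vhost_names, common_name, san_dns):
    """Return the vhost names for which the certificate carries no matching ID."""
    return [n for n in vhost_names if not cert_covers(n, common_name, san_dns)]


# Constructed scenario: one backend certificate, several client-facing names.
BACKEND_CN = "web01.internal.example"
BACKEND_SAN = ["web01.internal.example"]
VHOSTS = ["www.example.com", "shop.example.com", "web01.internal.example"]

if __name__ == "__main__":
    ok = cert_covers("web01.internal.example", BACKEND_CN, BACKEND_SAN)
    print("load balancer -> backend name verifies:", ok)
    for name in audit_vhosts(VHOSTS, BACKEND_CN, BACKEND_SAN):
        print("warning expected for server name:", name)
```

Under this model, listing the client-facing names as additional subjectAltName entries in the backend certificate makes `audit_vhosts` return an empty list.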
