httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Odd SSLProxyCheckPeerCN behaviour
Date Wed, 17 Feb 2016 11:33:50 GMT
Was looking into a report that something could get a lift on websocket with a specific AltSubject
trickery; but got into yak shaving - where I cannot work out why SSLProxyCheckPeerCN et al.
get ignored. The most trivial config I could find to reproduce is:

	Listen 123.123.123.123:4321

	<VirtualHost 123.123.123.123:4321>
		ServerName test-websock-bypass.webweaving.org
		LogLevel Debug

		SSLProxyEngine On

		SSLProxyCheckPeerCN off	# Not using SSLProxyCheckPeerName off
		SSLProxyCheckPeerExpire off
		SSLProxyVerify off

		SSLProxyCACertificateFile …./proxy.pem

		ProxyPass / https://127.0.0.1:1234/
		ProxyPassReverse / https://127.0.0.1:1234/
	</VirtualHost>

This is getting tested with

	beeb:~ dirkx$ curl -vvvv https://123.123.123.123:4321/

giving us a 

	500 Proxy Error

	The proxy server could not handle the request <em><a href="/">GET&nbsp;/</a></em>.<p>
	Reason: <strong>Error during SSL Handshake with remote server</strong></p><p
/>	

However the log gives me:

[Wed Feb 17 12:18:53.167903 2016] [ssl:debug] [pid 48233] ssl_engine_kernel.c(1560): [remote 192.168.0.5:6045] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: emailAddress=root@host.unknown,CN=host.unknown,OU=root / issuer: emailAddress=root@host.unknown,CN=host.unknown,OU=root / serial: 2481 / notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb  7 10:51:12 2026 GMT]
[Wed Feb 17 12:18:53.169458 2016] [ssl:debug] [pid 48233] ssl_engine_kernel.c(2018): [remote 192.168.0.5:6045] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Wed Feb 17 12:18:53.169508 2016] [ssl:debug] [pid 48233] ssl_util_ssl.c(443): AH02412: [weser.webweaving.org:443] Cert does not match for name '192.168.0.5' [subject: emailAddress=root@host.unknown,CN=host.unknown,OU=root / issuer: emailAddress=root@host.unknown,CN=host.unknown,OU=root / serial: 2481 / notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb  7 10:51:12 2026 GMT]
[Wed Feb 17 12:18:53.169524 2016] [ssl:info] [pid 48233] [remote 192.168.0.5:6045] AH02411: SSL Proxy: Peer certificate does not match for hostname 192.168.0.5
[Wed Feb 17 12:18:53.169541 2016] [ssl:info] [pid 48233] [remote 192.168.0.5:6045] AH01998: Connection closed to child 0 with abortive shutdown (server weser.webweavin

Now AFAIKS - AH02412 is fair game - that is in modssl_X509_match_name() and the name does
indeed not match.

But I fail to understand the error on AH02411 — it is in ssl_engine_io.c

      if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
          hostname_note) {
          apr_table_unset(c->notes, "proxy-request-hostname");
          if (!cert
              || modssl_X509_match_name(c->pool, cert, hostname_note,
                                        TRUE, server) == FALSE) {
              proxy_ssl_check_peer_ok = FALSE;
              ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
                            "SSL Proxy: Peer certificate does not match "
                            "for hostname %s", hostname_note);
          }
      }
      else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
               hostname_note) {
          const char *hostname;
          int match = 0;

So I am now wondering about this logic in the case of no subject alternative. And whether superseding
it is good enough - or whether it should be totally removed. OR whether this check needs to become
an either/or check if there is no subject alternative.

Dw
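Added example, not httpd code and not part of the post above: a small Python model of the two branches quoted from ssl_engine_io.c, to show why `SSLProxyCheckPeerCN off` on its own changes nothing. The PeerName branch runs whenever SSLProxyCheckPeerName is not explicitly off (UNSET counts as on), so the PeerCN branch is never reached. The name-matching rules (dNSName SANs first, CN only when no dNSName SAN exists; CN-only comparison on the PeerCN path; leftmost-label wildcard) are simplifying assumptions, not taken from the post.

```python
from enum import Enum


class Tri(Enum):
    """Three-state directive value, mirroring mod_ssl's SSL_ENABLED_UNSET/FALSE/TRUE."""
    UNSET = 0
    FALSE = 1
    TRUE = 2


def _label_match(pattern, hostname):
    """Exact, case-insensitive match or a single leftmost-label wildcard (assumed rule)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(".") == pattern.count("."))
    return False


def name_matches(cert, hostname):
    """Simplified stand-in for modssl_X509_match_name(): dNSName SANs are
    authoritative when present; the CN is consulted only when the certificate
    carries no dNSName SAN at all (assumption, not from the post)."""
    return any(_label_match(c, hostname) for c in (cert["san"] or [cert["cn"]]))


def proxy_peer_check(check_peer_name, check_peer_cn, cert, hostname_note):
    """Branch order as in the ssl_engine_io.c excerpt. Returns (branch, ok)."""
    # PeerName branch: taken unless the directive is explicitly off.
    if check_peer_name != Tri.FALSE and hostname_note:
        return "PeerName", cert is not None and name_matches(cert, hostname_note)
    # PeerCN branch: only reached when PeerName is off; CN-only comparison (assumed).
    if check_peer_cn != Tri.FALSE and hostname_note:
        return "PeerCN", cert is not None and _label_match(cert["cn"], hostname_note)
    return "none", True


if __name__ == "__main__":
    # Constructed certificate shaped like the one in the log: CN only, no SAN.
    backend = {"cn": "host.unknown", "san": []}
    combos = [(Tri.UNSET, Tri.FALSE), (Tri.FALSE, Tri.FALSE), (Tri.FALSE, Tri.UNSET)]
    for pn, pc in combos:
        print(f"PeerName={pn.name:5} PeerCN={pc.name:5} ->",
              proxy_peer_check(pn, pc, backend, "192.168.0.5"))
```

The first combination reproduces the posted config (PeerCN off, PeerName left unset) and still lands in the PeerName branch with a mismatch; only an explicit `SSLProxyCheckPeerName off` reaches the PeerCN path at all.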