httpd-dev mailing list archives

From Plüm, Rüdiger, Vodafone Group <ruediger.pl...@vodafone.com>
Subject AW: Odd SSLProxyCheckPeerCN behaviour
Date Wed, 17 Feb 2016 19:39:54 GMT


> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:dirkx@webweaving.org]
> Sent: Wednesday, 17 February 2016 12:34
> To: dev@httpd.apache.org
> Subject: Odd SSLProxyCheckPeerCN behaviour
> 
> Was looking into a report that something could get a lift on websocket
> with a specific AltSubject trickery; but got into yak shaving - where I
> cannot work out why SSLProxyCheckPeerCN et al. get ignored. The most
> trivial config I could find to reproduce is:
> 
> 	Listen  123.123.123.123:4321
> 
> 	<VirtualHost  123.123.123.123:4321>
> 	        ServerName test-websock-bypass.webweaving.org
> 	        LogLevel Debug
> 
> 	        SSLProxyEngine On
> 
> 	        # Not using SSLProxyCheckPeerName off
> 	        SSLProxyCheckPeerCN off
> 	        SSLProxyCheckPeerExpire off
> 	        SSLProxyVerify off
> 
> 	        SSLProxyCACertificateFile …./proxy.pem
> 
> 	        ProxyPass / https://127.0.0.1:1234/
> 	        ProxyPassReverse / https://127.0.0.1:1234/
> 	</VirtualHost>
> 
> This gets tested with
> 
> 	beeb:~ dirkx$ curl -vvvv https://123.123.123.123:4321/
> 
> giving us a
> 
> 	500 Proxy Error
> 
> 	The proxy server could not handle the request <em><a href="/">GET&nbsp;/</a></em>.<p>
> 	Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
> 
> However the log gives me:
> 
> [Wed Feb 17 12:18:53.167903 2016] [ssl:debug] [pid 48233] ssl_engine_kernel.c(1560): [remote 192.168.0.5:6045] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: emailAddress=root@host.unknown,CN=host.unknown,OU=root / issuer: emailAddress=root@host.unknown,CN=host.unknown,OU=root / serial: 2481 / notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb  7 10:51:12 2026 GMT]
> [Wed Feb 17 12:18:53.169458 2016] [ssl:debug] [pid 48233] ssl_engine_kernel.c(2018): [remote 192.168.0.5:6045] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> [Wed Feb 17 12:18:53.169508 2016] [ssl:debug] [pid 48233] ssl_util_ssl.c(443): AH02412: [weser.webweaving.org:443] Cert does not match for name '192.168.0.5' [subject: emailAddress=root@host.unknown,CN=host.unknown,OU=root / issuer: emailAddress=root@host.unknown,CN=host.unknown,OU=root / serial: 2481 / notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb  7 10:51:12 2026 GMT]
> [Wed Feb 17 12:18:53.169524 2016] [ssl:info] [pid 48233] [remote 192.168.0.5:6045] AH02411: SSL Proxy: Peer certificate does not match for hostname 192.168.0.5
> [Wed Feb 17 12:18:53.169541 2016] [ssl:info] [pid 48233] [remote 192.168.0.5:6045] AH01998: Connection closed to child 0 with abortive shutdown (server weser.webweavin
> 
> Now AFAICS - AH02412 is fair game - that is in modssl_X509_match_name()
> and the name does indeed not match.
> 
> But I fail to understand the error on AH02411 — it is in ssl_engine_io.c
> 
>         if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
>             hostname_note) {
>             apr_table_unset(c->notes, "proxy-request-hostname");
>             if (!cert
>                 || modssl_X509_match_name(c->pool, cert, hostname_note,
>                                           TRUE, server) == FALSE) {
>                 proxy_ssl_check_peer_ok = FALSE;
>                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
>                               "SSL Proxy: Peer certificate does not match "
>                               "for hostname %s", hostname_note);
>             }
>         }
>         else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
>                  hostname_note) {
>             const char *hostname;
>             int match = 0;
> 
> So I am now wondering about this logic in case of no alternative
> subject. And if superseding it was good enough - or if it should be

I guess I am missing your point. modssl_X509_match_name checks alternative subject and CN.
So what is actually wrong here?

Regards

Rüdiger
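Added example, not code from this thread or from httpd itself: a small Python model of the if / else-if precedence in the quoted ssl_engine_io.c block and of the SAN-then-CN matching that modssl_X509_match_name relies on. The PeerCert structure, the string-valued directive settings ('on', 'off', 'unset') and the simplified left-most-label wildcard rule are assumptions of this model, not a transcription of mod_ssl. It reproduces the situation in the quoted log: a certificate with no subjectAltName and CN=host.unknown checked against the IP literal 192.168.0.5, with SSLProxyCheckPeerCN off but SSLProxyCheckPeerName left at its default.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    """Constructed stand-in for a parsed X.509 certificate (assumption: only the
    fields the peer-name check looks at are kept)."""
    cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def _id_matches(pattern: str, name: str) -> bool:
    """Case-insensitive match of one certificate identity against a name.
    A wildcard is honoured only as the whole left-most label ('*.') and it
    matches exactly one label, so '*.example.test' covers 'www.example.test'
    but neither 'example.test' nor 'a.b.example.test'."""
    pattern, name = pattern.lower(), name.lower()
    if pattern.startswith("*."):
        dot = name.find(".")
        if dot <= 0:
            return False
        return name[dot + 1:] == pattern[2:]
    return pattern == name


def cert_matches_name(cert: PeerCert, hostname: str) -> bool:
    """Model of modssl_X509_match_name(): the identities tried are the SAN
    dNSName entries, falling back to the subject CN only when the certificate
    carries no dNSName at all.  An IP literal such as '192.168.0.5' is compared
    as a plain string, which is why CN=host.unknown never matches it."""
    ids = cert.san_dns if cert.san_dns else ([cert.cn] if cert.cn else [])
    return any(_id_matches(i, hostname) for i in ids)


def proxy_peer_check(check_peer_name: str, check_peer_cn: str,
                     cert: Optional[PeerCert],
                     hostname_note: Optional[str]) -> Tuple[bool, str]:
    """Mirror the precedence of the quoted block.  Only the value 'off' makes a
    branch skip; a directive left 'unset' still runs it.  So with
    SSLProxyCheckPeerName unset the first branch always runs and
    SSLProxyCheckPeerCN is never consulted.  Returns (peer_ok, branch taken)."""
    if check_peer_name != "off" and hostname_note:
        ok = cert is not None and cert_matches_name(cert, hostname_note)
        return ok, "SSLProxyCheckPeerName"
    if check_peer_cn != "off" and hostname_note:
        # CN-only branch: exact match or the simplest '*.' wildcard on the CN.
        ok = (cert is not None and cert.cn is not None
              and _id_matches(cert.cn, hostname_note))
        return ok, "SSLProxyCheckPeerCN"
    return True, "none"


if __name__ == "__main__":
    # Constructed to match the certificate and hostname in the quoted log.
    cert = PeerCert(cn="host.unknown", san_dns=[])
    for name_setting, cn_setting in (("unset", "off"), ("off", "off"), ("off", "on")):
        ok, branch = proxy_peer_check(name_setting, cn_setting, cert, "192.168.0.5")
        print(f"CheckPeerName={name_setting:5} CheckPeerCN={cn_setting:3} -> "
              f"peer_ok={ok} via {branch}")
```

With the thread's configuration (first line of the output) the check fails via the SSLProxyCheckPeerName branch, matching AH02411 in the log; only setting SSLProxyCheckPeerName off as well reaches the CN branch or disables the check entirely.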