From: Dirk-Willem van Gulik
Subject: Odd SSLProxyCheckPeerCN behaviour
Date: Wed, 17 Feb 2016 12:33:50 +0100
To: dev@httpd.apache.org
Message-Id: <73A89BAB-1B8C-4C5D-AD53-14DC0F0060BA@webweaving.org>

Was looking into a report that something could get a lift on websocket with a specific AltSubject trickery; but got into yak shaving - where I cannot work out why SSLProxyCheckPeerCN et al. get ignored. The most trivial config I could find to reproduce is:

    Listen 123.123.123.123:4321
    ServerName test-websock-bypass.webweaving.org

    LogLevel Debug

    SSLProxyEngine On
    SSLProxyCheckPeerCN off
    # Not using SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    SSLProxyVerify off
    SSLProxyCACertificateFile …./proxy.pem

    ProxyPass / https://127.0.0.1:1234/
    ProxyPassReverse / https://127.0.0.1:1234/

This is getting tested with

    beeb:~ dirkx$ curl -vvvv https://123.123.123.123:4321/

giving us a

    500 Proxy Error
    The proxy server could not handle the request GET /.

    Reason: Error during SSL Handshake with remote server

However the log gives me:

    [Wed Feb 17 12:18:53.167903 2016] [ssl:debug] [pid 48233] ssl_engine_kernel.c(1560): [remote 192.168.0.5:6045] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: emailAddress=root@host.unknown,CN=host.unknown,OU=root / issuer: emailAddress=root@host.unknown,CN=host.unknown,OU=root / serial: 2481 / notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb 7 10:51:12 2026 GMT]
    [Wed Feb 17 12:18:53.169458 2016] [ssl:debug] [pid 48233] ssl_engine_kernel.c(2018): [remote 192.168.0.5:6045] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    [Wed Feb 17 12:18:53.169508 2016] [ssl:debug] [pid 48233] ssl_util_ssl.c(443): AH02412: [weser.webweaving.org:443] Cert does not match for name '192.168.0.5' [subject: emailAddress=root@host.unknown,CN=host.unknown,OU=root / issuer: emailAddress=root@host.unknown,CN=host.unknown,OU=root / serial: 2481 / notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb 7 10:51:12 2026 GMT]
    [Wed Feb 17 12:18:53.169524 2016] [ssl:info] [pid 48233] [remote 192.168.0.5:6045] AH02411: SSL Proxy: Peer certificate does not match for hostname 192.168.0.5
    [Wed Feb 17 12:18:53.169541 2016] [ssl:info] [pid 48233] [remote 192.168.0.5:6045] AH01998: Connection closed to child 0 with abortive shutdown (server weser.webweavin

Now AFAIKS - AH02412 is fair game - that is in modssl_X509_match_name() and the name does indeed not match.

But I fail to understand the error on AH02411 … it is in ssl_engine_io.c

    if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
        hostname_note) {
        apr_table_unset(c->notes, "proxy-request-hostname");
        if (!cert
            || modssl_X509_match_name(c->pool, cert, hostname_note,
                                      TRUE, server) == FALSE) {
            proxy_ssl_check_peer_ok = FALSE;
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
                          "SSL Proxy: Peer certificate does not match "
                          "for hostname %s", hostname_note);
        }
    }
    else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
             hostname_note) {
        const char *hostname;
        int match = 0;

So I am now wondering about this logic in case of no alternative subject. And if superseding it was good enough - or if it should be totally removed. OR if this check needs to become an either/or check if there is no subject alternative).

Dw
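To see why the value of SSLProxyCheckPeerCN never comes into play with the config in the mail, the if / else-if ordering quoted from ssl_engine_io.c can be reduced to a small decision model. The Python below is an added example written for this thread, not httpd's own code: PeerCert, x509_match_name and proxy_peer_check are simplified stand-ins for the X509 object, modssl_X509_match_name() and the quoted branch, and two things are assumptions stated in the comments: that a certificate without any dNSName SAN is matched on its CN, and that a directive that was never set compares unequal to SSL_ENABLED_FALSE (which is what the quoted `!=` test does). The peer certificate and hostname are constructed to mirror the logged subject (CN=host.unknown, no SAN) and the logged hostname 192.168.0.5.

```python
"""Decision model for the SSLProxyCheckPeerName / SSLProxyCheckPeerCN branch
ordering quoted from ssl_engine_io.c.  Added example; not httpd code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# mod_ssl directives are tri-state (on / off / unset).  The quoted code only
# tests `!= SSL_ENABLED_FALSE`, so an unset directive behaves like "on" here.
SSL_ENABLED_FALSE = "off"


@dataclass
class PeerCert:
    """Only the identity fields the check looks at (constructed stand-in for X509)."""
    cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _match_id(pattern: str, name: str, allow_wildcard: bool) -> bool:
    """Case-insensitive compare; "*." is accepted only as the leftmost label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        if not allow_wildcard:
            return False
        parts = name.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return False


def x509_match_name(cert: PeerCert, name: str, allow_wildcard: bool) -> bool:
    """Simplified model of modssl_X509_match_name() (AH02412 logged on failure).

    Assumption: the dNSName SAN entries are the identifiers; the CN is only
    consulted when the certificate carries no dNSName SAN at all.
    """
    ids = cert.san_dns if cert.san_dns else ([cert.cn] if cert.cn else [])
    return any(_match_id(i, name, allow_wildcard) for i in ids)


def proxy_peer_check(check_peer_name: str, check_peer_cn: str,
                     cert: Optional[PeerCert], hostname_note: Optional[str]
                     ) -> Tuple[bool, Optional[str]]:
    """Mirror of the quoted if / else-if.  Returns (ok, reason).

    The first branch runs whenever SSLProxyCheckPeerName is anything but
    "off" (including unset); SSLProxyCheckPeerCN is consulted only otherwise.
    """
    if check_peer_name != SSL_ENABLED_FALSE and hostname_note:
        # full SAN/CN match, wildcards allowed; AH02411 on mismatch
        if cert is None or not x509_match_name(cert, hostname_note, True):
            return False, "peer-name-mismatch"
        return True, None
    if check_peer_cn != SSL_ENABLED_FALSE and hostname_note:
        # CN-only branch, modelled as exact-or-"*." compare of the CN (assumption)
        if cert is None or cert.cn is None \
                or not _match_id(cert.cn, hostname_note, True):
            return False, "peer-cn-mismatch"
        return True, None
    return True, None  # neither check enabled, or no hostname note: nothing to verify


def reproduce_thread_config() -> Tuple[bool, Optional[str]]:
    """The mail's config: CheckPeerCN off, CheckPeerName left unset, peer
    certificate CN=host.unknown without SAN, backend addressed as 192.168.0.5."""
    cert = PeerCert(cn="host.unknown")  # constructed to mirror the logged subject
    return proxy_peer_check("unset", "off", cert, "192.168.0.5")


if __name__ == "__main__":
    print(reproduce_thread_config())  # (False, 'peer-name-mismatch')
    # Only SSLProxyCheckPeerName off reaches the CN branch at all:
    print(proxy_peer_check("off", "off", PeerCert(cn="host.unknown"), "192.168.0.5"))
```

Run as written, the thread's configuration takes the first branch and fails on the hostname match, exactly as AH02412 followed by AH02411 shows in the log; the `else if` carrying the SSLProxyCheckPeerCN setting is never evaluated. Reaching it requires SSLProxyCheckPeerName off, which is the weaker state (the SAN-aware check is the one that should stay on), so the practical question the mail raises is whether the CN directive still has any independent meaning once the name check is enabled by default.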