In testing TLS connections to my origin complex, I noticed that ATS does not validate the origin hostname against the server certificate CN/SAN values. I then looked at the ATS code that sets the TLS verify options, and noticed there are no options or routines that validate the hostname. So I assume this confirms what I see in practice.
client_verify_server = params->clientVerify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;
Are there plans to add an ATS config option to also validate origin hostname against the returned CN/SAN values?
Maybe something like:
proxy.config.ssl.client.verify.server INT 2
Where 2 is peer + hostname validation.
I suppose such a change would be somewhat straightforward if you have just one layer of ATS servers talking to the origin. However, if there are intermediate ATS layers between edge and origin, then some provisions would have to be made for edge to intermediate communications.
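As an added illustration (not ATS code and not part of the original post), here is a Python sketch of what the proposed verify levels would mean, plus the CN/SAN matching that level 2 would require; the level numbering follows the suggestion above, the OpenSSL flag names in comments are the ones ATS passes today, and the certificate dict is a constructed sample in the layout Python's getpeercert() returns.

```python
import ssl

# Constructed sample certificate in the dict layout that Python's
# SSLSocket.getpeercert() returns; not a real origin certificate.
ORIGIN_CERT = {
    "subject": ((("commonName", "origin.example.net"),),),
    "subjectAltName": (("DNS", "origin.example.net"),
                       ("DNS", "*.origin-pool.example.net")),
}

def origin_context(level: int) -> ssl.SSLContext:
    """0: SSL_VERIFY_NONE; 1: SSL_VERIFY_PEER, chain only (today's ATS
    behaviour); 2: chain plus hostname check (the option proposed above)."""
    if level not in (0, 1, 2):
        raise ValueError(f"unknown verify level {level}")
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = level == 2   # clear before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE if level == 0 else ssl.CERT_REQUIRED
    return ctx

def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: '*' only as the whole left-most label, matching
    exactly one label, and never standing in for the public suffix."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match against SAN dNSName entries; fall back to the subject CN
    only when the certificate carries no dNSName SAN at all."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        return any(_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False

def origin_accepted(cert: dict, hostname: str, level: int) -> bool:
    """Decision once the chain verified: below level 2 any CA-trusted
    certificate is accepted, whatever name it carries."""
    return level < 2 or hostname_matches(cert, hostname)
```

At level 1 `origin_accepted` returns True for any CA-trusted certificate regardless of the name it carries, which is exactly the gap described above; at level 2 the connection is refused unless the origin hostname matches a SAN (or, failing any SAN, the CN).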