https://bz.apache.org/bugzilla/show_bug.cgi?id=63925
--- Comment #6 from Idar Lund <idarl...@gmail.com> ---
(In reply to Yann Ylavic from comment #5)
> So I suppose your backend has a configuration like this:
>
> <VirtualHost *:8443>
>     ServerName server1
>     SSLCertificateFile /path/to/server2.pem
>     ...
> </VirtualHost>
>
> and thus its certificate's CN ("server2") does not match its ServerName
> ("server1")?

Something similar, yes.

> My point is that if you want the proxy to validate the backend's CN,
> ServerName and SSLCertificateFile need to be consistent on the backend
> (usually with ProxyPreserveHost the same certificate is used on the proxy
> and the backend).
> Otherwise, the proxy cannot accept that the returned certificate does not
> match the Host header _it_ requested.

We do share the same point - mod_ssl needs to know what name it should check
against and today this is done with the "Host:" header variable. But I disagree
that I should have the same certificate on both servers. Then I'd use the
"ProxyVia On" directive instead and filter on "Via:" on server2.

The best way to fix this is to make it configurable. So that mod_ssl either can
take a CN variable name to check against, or a directive to tell mod_ssl to use
whatever is in ProxyPass/ProxyPassReverse.