https://bz.apache.org/bugzilla/show_bug.cgi?id=63925

--- Comment #6 from Idar Lund <idarl...@gmail.com> ---
(In reply to Yann Ylavic from comment #5)
> So I suppose your backend has a configuration like this:
> 
> <VirtualHost *:8443>
>       ServerName server1
>       SSLCertificateFile /path/to/server2.pem
>       ...
> </VirtualHost>
> 
> and thus its certificate's CN ("server2") does not match its ServerName
> ("server1")?

Something similar, yes.


> My point is that if you want the proxy to validate the backend's CN,
> ServerName and SSLCertificateFile need to be consistent on the backend
> (usually with ProxyPreserveHost the same certificate is used on the proxy
> and the backend).
> Otherwise, the proxy cannot accept that the returned certificate does not
> match the Host header _it_ requested.

We do share the same point - mod_ssl needs to know what name it should check
against and today this is done with the "Host:" header variable. But I disagree
that I should have the same certificate on both servers. Then I'd use the
"ProxyVia On" directive instead and filter on "Via:" on server2.

The best way to fix this is to make it configurable. So that mod_ssl either can
take a CN variable name to check against, or a directive to tell mod_ssl to use
whatever is in ProxyPass/ProxyPassReverse.

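A simplified model of the name selection discussed in this comment, as an added example that is not part of the original thread and is not mod_ssl code. It compares the behaviour described above (checking the backend certificate against the "Host:" header when ProxyPreserveHost is on) with the two options the comment proposes. The `mode` values, function names, the ProxyPass URL and the certificate names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

def name_to_verify(host_header, proxypass_url, preserve_host,
                   mode="host", explicit=None):
    """Choose the name the proxy compares with the backend certificate.
    mode="host":      behaviour described in the thread (Host header wins
                      when the Host header is preserved)
    mode="proxypass": proposed option, use the ProxyPass target (hypothetical)
    mode="explicit":  proposed option, use a configured name (hypothetical)
    """
    backend = urlsplit(proxypass_url).hostname
    if mode == "explicit":
        return explicit.lower()
    if mode == "proxypass" or not preserve_host:
        return backend
    # Assumes a plain hostname, optionally followed by ":port".
    return host_header.rsplit(":", 1)[0].lower()

def cert_matches(name, cert_names):
    """Exact match, or a wildcard covering only the left-most label."""
    name = name.lower().rstrip(".")
    for pattern in (p.lower().rstrip(".") for p in cert_names):
        if pattern == name:
            return True
        if pattern.startswith("*.") and "." in name:
            if name.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def backend_cert_ok(host_header, proxypass_url, preserve_host, cert_names,
                    mode="host", explicit=None):
    """Return (name that was checked, whether the certificate matched it)."""
    name = name_to_verify(host_header, proxypass_url, preserve_host,
                          mode, explicit)
    return name, cert_matches(name, cert_names)

# Constructed sample: the client asks for "server1", the backend presents a
# certificate issued to "server2", and the proxy forwards to server2.
URL = "https://server2:8443/"
CERT = ["server2"]

if __name__ == "__main__":
    for mode in ("host", "proxypass", "explicit"):
        print(mode, backend_cert_ok("server1", URL, True, CERT,
                                    mode=mode, explicit="server2"))
```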