On 04.09.2012 16:09, Zisis Lianas wrote:
I noticed some different behaviour of SSLProxyCheckPeerCN in combination
with activated ProxyPreserveHost since httpd-2.4.3.
httpd-2.4.2 and httpd-2.2.22 seem to work 'correctly' (or vice versa).
When setting SSLProxyCheckPeerCN and ProxyPreserveHost to "on" in httpd-2.4.3,
i get an "AH02005: SSL Proxy: Peer certificate CN mismatch" error.
Platform: Linux SLES11 / x64
Configuration excerpt:
###############
SSLEngine on
SSLProxyEngine On
ProxyPreserveHost On
SSLProxyCheckPeerCN On
<Proxy balancer://appcluster>
BalancerMember https://backend01.server.foo:24090 route=0 #SSL
CN=backend01.server.foo
BalancerMember https://backend02.server.foo:24090 route=1 #SSL
CN=backend02.server.foo
ProxySet lbmethod=bybusyness nofailover=off
stickysession=JSESSIONID|jsessionid
</Proxy>
ProxyPass /clusterjsp balancer://appcluster/clusterjsp
ProxyPassReverse / balancer://appcluster/
###############
https://mydispatcher-name.foo/ is the URL i call in my browser.
(SSL CN=mydispatcher-name.foo)
Test results:
Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
[Tue Sep 04 15:21:36.033808 2012] [ssl:info] [pid 17466:tid 140319655495440]
[remote x.x.x.x:24090] AH02005: SSL Proxy: Peer certificate CN mismatch:
Certificate CN: backend01.server.foo Requested hostname: mydispatcher-name.foo
==> NOT WORKING
Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
==> WORKING
Apache 2.4.3 (OpenSSL 1.0.1c):
ProxyPreserveHost Off
SSLProxyCheckPeerCN On
==> WORKING
Apache 2.4.2 (OpenSSL 1.0.1b):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
==> WORKING
Apache 2.4.2 (OpenSSL 1.0.1b):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
==> WORKING
Apache 2.2.22 (OpenSSL 1.0.1a):
ProxyPreserveHost On
SSLProxyCheckPeerCN Off
==> WORKING
Apache 2.2.22 (OpenSSL 1.0.1a):
ProxyPreserveHost On
SSLProxyCheckPeerCN On
==> WORKING
Reading the documentation for me it looks like 2.4.3 is working
correctly, and all older versions not. Opinions?
Yes, and I'd say it is a result of
http://svn.apache.org/viewcvs.cgi?rev=1356881&view=rev
https://issues.apache.org/bugzilla/show_bug.cgi?id=53134
*) mod_proxy: Use the the same hostname for SNI as for the HTTP request
when forwarding to SSL backends. PR 53134.
[Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]
Regards,
Rainer