On 04.09.2012 16:09, Zisis Lianas wrote:
I noticed some different behaviour of SSLProxyCheckPeerCN in combination with activated ProxyPreserveHost since httpd-2.4.3. httpd-2.4.2 and httpd-2.2.22 seem to work 'correctly' (or vice versa).

When setting SSLProxyCheckPeerCN and ProxyPreserveHost to "on" in httpd-2.4.3, I get an "AH02005: SSL Proxy: Peer certificate CN mismatch" error.

Platform: Linux SLES11 / x64

Configuration excerpt:
###############
SSLEngine on
SSLProxyEngine On
ProxyPreserveHost On
SSLProxyCheckPeerCN On

<Proxy balancer://appcluster>
  BalancerMember https://backend01.server.foo:24090 route=0 #SSL CN=backend01.server.foo
  BalancerMember https://backend02.server.foo:24090 route=1 #SSL CN=backend02.server.foo
  ProxySet lbmethod=bybusyness nofailover=off stickysession=JSESSIONID|jsessionid
</Proxy>
ProxyPass /clusterjsp balancer://appcluster/clusterjsp
ProxyPassReverse / balancer://appcluster/
###############

https://mydispatcher-name.foo/ is the URL I call in my browser. (SSL CN=mydispatcher-name.foo)

Test results:

Apache 2.4.3 (OpenSSL 1.0.1c): ProxyPreserveHost On, SSLProxyCheckPeerCN On
[Tue Sep 04 15:21:36.033808 2012] [ssl:info] [pid 17466:tid 140319655495440] [remote x.x.x.x:24090] AH02005: SSL Proxy: Peer certificate CN mismatch: Certificate CN: backend01.server.foo Requested hostname: mydispatcher-name.foo
==> NOT WORKING

Apache 2.4.3 (OpenSSL 1.0.1c): ProxyPreserveHost On, SSLProxyCheckPeerCN Off
==> WORKING

Apache 2.4.3 (OpenSSL 1.0.1c): ProxyPreserveHost Off, SSLProxyCheckPeerCN On
==> WORKING

Apache 2.4.2 (OpenSSL 1.0.1b): ProxyPreserveHost On, SSLProxyCheckPeerCN Off
==> WORKING

Apache 2.4.2 (OpenSSL 1.0.1b): ProxyPreserveHost On, SSLProxyCheckPeerCN On
==> WORKING

Apache 2.2.22 (OpenSSL 1.0.1a): ProxyPreserveHost On, SSLProxyCheckPeerCN Off
==> WORKING

Apache 2.2.22 (OpenSSL 1.0.1a): ProxyPreserveHost On, SSLProxyCheckPeerCN On
==> WORKING

Reading the documentation, it looks to me like 2.4.3 is working correctly and all older versions are not. Opinions?
Yes, and I'd say it is a result of
http://svn.apache.org/viewcvs.cgi?rev=1356881&view=rev
https://issues.apache.org/bugzilla/show_bug.cgi?id=53134

  *) mod_proxy: Use the same hostname for SNI as for the HTTP request
     when forwarding to SSL backends. PR 53134.
     [Michael Weiser <michael weiser.dinsnail.net>, Ruediger Pluem]

Regards,
Rainer
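A simplified model of the hostname selection this thread describes, added here as an illustration and not code from httpd: ProxyConfig and the three functions are hypothetical names, the sni_follows_request flag stands in for the PR 53134 change Rainer points to, and the wildcard handling is an assumption of the model rather than a statement about mod_ssl.

```python
# Added illustration, not httpd source: a simplified model of which hostname
# mod_ssl compares against the backend certificate CN when
# SSLProxyCheckPeerCN is on, before and after the PR 53134 change.
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyConfig:
    preserve_host: bool            # ProxyPreserveHost On/Off
    check_peer_cn: bool            # SSLProxyCheckPeerCN On/Off
    sni_follows_request: bool      # True models httpd >= 2.4.3 (PR 53134)


def hostname_for_peer_check(cfg: ProxyConfig, client_host: str,
                            backend_host: str) -> str:
    """Hostname that is sent as SNI and checked against the peer CN.

    With the 2.4.3 change the SNI name equals the Host header that is
    forwarded; under ProxyPreserveHost that is the client's Host, so the
    backend certificate ends up checked against the front-end name."""
    if cfg.sni_follows_request and cfg.preserve_host:
        return client_host
    return backend_host


def cn_matches(cert_cn: str, hostname: str) -> bool:
    """Case-insensitive CN comparison; '*.' may stand for one leading label."""
    cert_cn, hostname = cert_cn.lower(), hostname.lower()
    if cert_cn.startswith("*."):
        suffix = cert_cn[1:]                       # e.g. ".server.foo"
        if not hostname.endswith(suffix):
            return False
        label = hostname[:-len(suffix)]
        return bool(label) and "." not in label    # exactly one label
    return cert_cn == hostname


def proxy_peer_check(cfg: ProxyConfig, client_host: str, backend_host: str,
                     cert_cn: str):
    """Return None when the backend handshake would be accepted, otherwise
    an AH02005-style message describing the mismatch."""
    if not cfg.check_peer_cn:
        return None
    requested = hostname_for_peer_check(cfg, client_host, backend_host)
    if cn_matches(cert_cn, requested):
        return None
    return ("AH02005: SSL Proxy: Peer certificate CN mismatch: "
            f"Certificate CN: {cert_cn} Requested hostname: {requested}")
```

Feeding the report's values (client Host mydispatcher-name.foo, backend01.server.foo with a matching CN) reproduces the test matrix above: only the 2.4.3 case with both directives on yields the mismatch.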
