On Thu 20 February 2014 15:00:05, Yann Ylavic wrote:
> mod_ssl won't fill in the SNI if it's an IP address, the check is not
> in mod_proxy_http but in ssl_io_filter_connect() :
>         if (hostname_note &&
>             sc->proxy->protocol != SSL_PROTOCOL_SSLV2 &&
>             sc->proxy->protocol != SSL_PROTOCOL_SSLV3 &&
>             apr_ipsubnet_create(&ip, hostname_note, NULL,
>                                 c->pool) != APR_SUCCESS) {
>             ...set SNI to SSL...
>         }
> 
> apr_ipsubnet_create() returns SUCCESS in the IP address case.
> 
> The problem is probably elsewhere.

I'm very sorry, my bad:
AH02411: SSL Proxy: Checking peer certificate for hostname..
We didn't have SSLProxyCheckPeerName On back in non-SNI days.
I have to figure out how to pass a request without a hostname.
A fake hostname in the backend certificate and ProxyPass might do the job.
-- 
Pavel Matěja
 
> On Thu, Feb 20, 2014 at 2:39 PM, Pavel Matěja <pa...@netsafe.cz> wrote:
> > On Thu 20 February 2014 08:13:13, Eric Covener wrote:
> >> On Thu, Feb 20, 2014 at 7:47 AM, Pavel Matěja <pa...@netsafe.cz> wrote:
> >> > On Wed 19 February 2014 21:09:10, William A. Rowe Jr. wrote:
> >> >> I believe that Kaspar and Ruediger are still entirely at odds with my
> >> >> position, but this 'enhancement' should never have been unilaterally
> >> >> applied as it was to 2.2.26 and must be reverted (even as the feature
> >> >> is 'fixed' with corrections they have blessed), e.g. the comparison
> >> >> must be constrained to apply only to SSLStrictSNIVHostCheck enforcing
> >> >> hosts under 2.2 to not break existing configurations.
> >> >> 
> >> >> It similarly ought to be constrained to SSLStrictSNIVHostCheck on the
> >> >> 2.4 branch, but I'm just not going to participate in that debate at
> >> >> all, which is why I say 'ought to'. Time for a few more committers to
> >> >> review the relevant specs and chime in with opinions on productive vs.
> >> >> disruptive rules that are out-of-spec.
> >> > 
> >> > Last note:
> >> > 
> >> > When I go to the reverse proxy without a hostname I can't get the website at
> >> > all.
> >> > 
> >> > wget --no-check-certificate https://a.b.c.d will always return HTTP Error
> >> > 500: AH01084: pass request body failed to..
> >> > AH00898: Error during SSL Handshake with remote server returned by /
> >> > AH01097: pass request body failed to..
> >> > 
> >> > Any idea how to rework the configuration without the downgrade to SSLv3?
> >> 
> >> Please post the full details in a bug report.
> > 
> > It's quite simple.
> > 
> > In pre-SNI days the hostname didn't matter.
> > 
> > Now you can't reach the backend SSL server through the reverse proxy without
> > the correct one when you have ProxyPreserveHost On.
> > 
> > Apache will take the IP of the proxy and will try to pass it to the backend
> > server in SNI.
> > 
> > Which has to fail obviously.
> > 
> > I guess the apache reverse proxy should not fill a numeric IP address into the
> > SNI request at all.
> > 
> > Just what Kaspar Brand mentioned above: Pure host names (FQDN!) only: RFC
> > 6066, section 3.
> > 
> > Something like
> > modules/proxy/mod_proxy_http.c:1968
> > 
> > -if ((dconf->preserve_host != 0) && (r->hostname != NULL)) {
> > 
> > +if ((dconf->preserve_host != 0) && (r->hostname != NULL) &&
> > (is_fqdn(r->hostname))) {
> > 
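Review bot: the added `is_fqdn(r->hostname)` term in the `preserve_host` condition refers to a helper that does not exist in httpd or APR (the poster says as much below), and it gates the whole `preserve_host` block rather than only the name that ends up in SNI, so whatever that block does for the forwarded Host header with `ProxyPreserveHost On` would also be skipped whenever a client connected by IP address, which is a behaviour change beyond the stated aim. The closest existing primitive is `apr_ipsubnet_create()`, which the `ssl_io_filter_connect()` excerpt quoted at the top of this message already applies to keep IP literals out of the server_name extension, so if the goal is RFC 6066 section 3 compliance the check belongs where mod_ssl sets the SNI name, not in mod_proxy_http.c. Note also that the reply above this patch attributes the observed handshake failure to `SSLProxyCheckPeerName On` comparing the numeric name against the backend certificate (AH02411), which this hunk would not change.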
> > I'm not sure if there is such a function or what it is called.
> > 
> > --
> > 
> > Pavel Matěja
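
The thread ends up distinguishing two separate checks on the name the proxy uses for the backend: whether that name may be sent as SNI at all (RFC 6066 section 3 forbids IP literals, which is what the apr_ipsubnet_create() test in ssl_io_filter_connect() enforces), and whether SSLProxyCheckPeerName accepts it against the backend certificate. The following is an added Python model of those two checks and of how ProxyPreserveHost selects the name; it is not httpd code, the certificate names and hostnames are constructed, and the wildcard matching is a simplified RFC 6125-style single-label rule, not mod_ssl's implementation. It shows why a client that connects by address still fails the handshake with peer-name checking on even though no SNI is sent, and why pointing ProxyPass at a name the certificate carries (with ProxyPreserveHost Off) passes both checks.

```python
"""Model of the two independent checks a TLS reverse proxy applies to the
backend hostname. Added illustration only; not code from httpd or mod_ssl."""
import ipaddress


def backend_name(preserve_host, client_host, proxypass_host):
    """Name the proxy connects with: the client's Host header when
    ProxyPreserveHost is On, otherwise the hostname of the ProxyPass target."""
    return client_host if preserve_host and client_host else proxypass_host


def sni_name_for(hostname):
    """Return the name to put in the SNI server_name extension, or None.

    RFC 6066 section 3 allows DNS hostnames only; literal IPv4 and IPv6
    addresses are not permitted. Like the apr_ipsubnet_create() test quoted
    in the thread, anything that parses as an address is skipped.
    """
    if not hostname:
        return None
    name = hostname.strip().rstrip(".")
    if name.startswith("[") and name.endswith("]"):  # bracketed IPv6 literal
        name = name[1:-1]
    try:
        ipaddress.ip_address(name)
        return None  # IP literal: send no SNI
    except ValueError:
        return name


def cert_name_matches(pattern, hostname):
    """Case-insensitive dNSName match with one leading wildcard label:
    '*.internal.example' matches 'www.internal.example' but neither
    'internal.example' nor 'a.b.internal.example'. Simplified RFC 6125 rule."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(h_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def peer_name_ok(hostname, cert_names):
    """SSLProxyCheckPeerName-like check: the connection name must match one
    of the DNS names the backend certificate carries."""
    return any(cert_name_matches(n, hostname) for n in cert_names)


# Constructed backend certificate names (assumption, not from the thread).
BACKEND_CERT_NAMES = ["backend.internal.example", "*.internal.example"]


def scenario(preserve_host, client_host, proxypass_host="backend.internal.example"):
    """Run both checks for one proxy configuration and client request."""
    name = backend_name(preserve_host, client_host, proxypass_host)
    return {
        "name": name,
        "sni": sni_name_for(name),
        "peer_name_ok": peer_name_ok(name, BACKEND_CERT_NAMES),
    }


if __name__ == "__main__":
    # Client connects to the proxy by IP with ProxyPreserveHost On: no SNI is
    # sent, but the peer-name check still compares the IP against the cert.
    print(scenario(True, "192.0.2.10"))
    # Client uses a name the certificate covers: both checks pass.
    print(scenario(True, "www.internal.example"))
    # Workaround from the thread: ProxyPreserveHost Off and a ProxyPass target
    # whose hostname is in the backend certificate.
    print(scenario(False, "192.0.2.10"))
```

The first scenario reproduces the failure described upthread: the IP literal is correctly kept out of SNI, yet peer-name verification fails because no certificate name equals "192.0.2.10". Only the third scenario, where the name comes from the ProxyPass target, satisfies both checks.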
