On Fri, Feb 21, 2014 at 10:48 AM, Pavel Matěja <pa...@netsafe.cz> wrote:
> On Fri, 21 February 2014 10:08:42, Yann Ylavic wrote:
>> On Fri, Feb 21, 2014 at 12:52 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
>> > Maybe what you need is a new ProxyPreserveHost on/off/canon option so
>> > that mod_proxy uses the ServerName to fill in the Host header (hence
>> > the SNI and the "proxy-request-hostname" note checked later by mod_ssl
>> > against the CN).
>> >
>> > I may be misguided but I see some relation between UseCanonicalName
>> > and the SNI/CN checks.
>> > How about using ap_get_server_name_for_url() wherever r->hostname is
>> > used by mod_ssl and mod_proxy to check/provide SNI/CN?
>> > By doing this we would allow administrators to configure what is to be
>> > used, following UseCanonicalName rules, without opening Pandora's
>> > door.
>> >
>> > Thoughts?
>>
>> Similarly, a new "SSLProxyCheckPeerCN canon" option could be handled
>> so that admins needing "ProxyPreserveHost on" could still forward the
>> client's Host but check the backend's CN against ServerName.
>
> SSLProxyCheckPeerCN has been superseded by SSLProxyCheckPeerName.
> Should we add "canon" to both then?

Yes, if it were to be consensual, both directives should be concerned.

> --
> Pavel Matěja