On 18.02.2014 15:53, Pavel Matěja wrote: > Hi, > since we've enabled SSLProxyCheckPeerName our reverserse proxy I can see > AH00052: child pid 5711 exit signal Segmentation fault (11) > in our logs during Nessus scans. > > Backend server has several X509v3 Subject Alternative Names and Nessus sends > just IP as Host header. > > We are running: Apache/2.4.7 (Unix) OpenSSL/1.0.1f > > Mod_backtrace says:
Are you able to grab a complete stack trace? (I'm not familiar with reading mod_backtracke output, and the mod_ssl.so lines lack function names, so it's hard to tell if something went wrong when checking cert names.) Is it limited to SSLProxyCheckPeerName on, or does it also occur with SSLProxyCheckPeerCN on? If the former is true, then it seems that something in ssl_util_ssl.c:SSL_X509_match_name goes wrong (that's basically the new code path for this option). Kaspar
