Posted to bugs@httpd.apache.org by bu...@apache.org on 2022/11/02 12:21:46 UTC
[Bug 66336] New: Wrong SNI name in proxy connections
https://bz.apache.org/bugzilla/show_bug.cgi?id=66336
Bug ID: 66336
Summary: Wrong SNI name in proxy connections
Product: Apache httpd-2
Version: 2.4.54
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_proxy_http
Assignee: bugs@httpd.apache.org
Reporter: brnrd@freebsd.org
Target Milestone: ---
Reverse proxy connections use the ServerName value as the server_name in the
Client Hello of the SSL handshake.
Tried both mod_proxy_http and mod_proxy_http2 connections with SSLProxyEngine
enabled to a remote with a valid certificate.
When using SSLProxyCheckPeerName Off, the chain validation is OK.
Steps to Reproduce:
> Define vhost external.example.com
> Define NextHopUrl https://internal.example.net
>
> <VirtualHost *:443>
> ServerName https://${vhost}
> SSLCertificateFile /etc/ssl/certs/${vhost}.pem
> SSLCertificateKeyFile /etc/ssl/private/${vhost}.pem
>
> LogLevel warn ssl_module:info
>
> SSLEngine On
> Protocols h2 http/1.1
>
> SSLProxyEngine On
> SSLProxyCheckPeerCN on
>
> RequestHeader set ClientProtocol https
> Header Unset Strict-Transport-Security
> Header Always set Strict-Transport-Security "max-age=63072000"
>
> ProxyPass / ${NextHopUrl}/
> ProxyPassReverse / ${NextHopUrl}/
> </VirtualHost>
The alternative with HTTP/2 fails similarly:
> Define NextHopUrl h2://internal.example.net
Expected result:
Connection from the Apache server to `internal.example.net` with SNI (SSL
Client Hello server_name extension) `internal.example.net`.
Actual Result:
Connection from the Apache server to `internal.example.net` with SNI
`external.example.com` (in network capture). Chain validation fails and Apache
returns a 502 error:
> *Proxy Error*
>
> The proxy server could not handle the request
> Reason: *Error during SSL Handshake with remote server*
Note: For HTTP/2 it returns a *503 Service Unavailable*
From ErrorLog:
> [Wed Nov 02 11:27:01.777115 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01964: Connection to child 0 established (server external.example.com:443)
> [Wed Nov 02 11:27:01.796268 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH02411: SSL Proxy: Peer certificate does not match for hostname external.example.com
> [Wed Nov 02 11:27:01.796502 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01998: Connection closed to child 0 with abortive shutdown (server external.example.com:443)
> [Wed Nov 02 11:27:01.796699 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01997: SSL handshake failed: sending 502
> [Wed Nov 02 11:27:01.796818 2022] [proxy:error] [pid 21222:tid 140410820142784] (20014)Internal error (specific information not available): [client 233.252.0.3:13994] AH01084: pass request body failed to 192.168.0.2:443 (internal.example.net), referer: https://www.example.com/
> [Wed Nov 02 11:27:01.796927 2022] [proxy:error] [pid 21222:tid 140410820142784] [client 233.252.0.3:13994] AH00898: Error during SSL Handshake with remote server returned by /acme.sh/index.html, referer: https://www.example.com/
> [Wed Nov 02 11:27:01.797042 2022] [proxy_http:error] [pid 21222:tid 140410820142784] [client 233.252.0.3:13994] AH01097: pass request body failed to 192.168.0.2:443 (internal.example.net) from 233.252.0.3 (), referer: https://www.example.com/
Note: Using HTTP/2 there are no proxy_http2 errors, only the ssl:info appears.
Problem exists on:
Ubuntu 22.04.1 / Apache 2.5.52 / OpenSSL 3.0.2 (Ubuntu repo) / Azure VM
Ubuntu 22.10 / Apache 2.5.54 / OpenSSL 3.0.2 (Ubuntu repo)/ Azure VM
Unable to reproduce on:
Ubuntu 22.10 / Apache 2.5.54 from Ubuntu repo / WSL
Fedora 37 / Apache 2.5.54 / VMWare
FreeBSD 13.1 / Apache 2.5.56 / LibreSSL 3.5 / amd64 clang
FreeBSD 13.1 / Apache 2.5.56 / OpenSSL 3.0.7 / amd64 clang
Additional info:
The server where the issue appears hosts ~200 VirtualHosts spread over 16 SAN
Certificates.
The SubjectAltNames for the ServerName are symlinked to the actual key/cert.
Configuration is templated and uses `Define`s and `IfDefine` blocks to
configure the VirtualHosts. Every external site has its own configuration file
in sites-available (Debian layout).
> Define vhost external.example.com
> Define NextHopUrl https://internal.example.net
>
> Include templates/ProxyAll.conf
>
> # ProxyAll.conf
> <VirtualHost *:443>
> ServerName ${vhost}
> SSLCertificateFile /etc/ssl/certs/${vhost}.pem
> SSLCertificateKeyFile /etc/ssl/private/${vhost}.pem
> SSLProxyEngine On
> <IfDefine AkamaiProtected>
> Include templates/SiteShield.conf
> </IfDefine>
> <IfDefine IgnoreCertErr>
> SSLProxyCheckPeerCN off
> SSLProxyCheckPeerName off
> SSLProxyCheckPeerExpire off
> </IfDefine>
> ProxyPass / ${NextHopUrl}/
> ... etc ...
> </VirtualHost>
Switching ProxyPreserveHost makes no difference.
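As an added example (not part of the report or of httpd), a Python check that flags the signature shown in the ErrorLog excerpt above: the hostname mod_ssl validated the peer certificate against (AH02411) differs from the ProxyPass target host for the same backend (AH01084). The sample lines are constructed from the excerpt; correlating the two messages by the backend peer address is an assumption of this script.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the ErrorLog excerpt in the report
# (hostnames and addresses are the report's example values, not a live capture).
SAMPLE_LOG = """\
[Wed Nov 02 11:27:01.777115 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01964: Connection to child 0 established (server external.example.com:443)
[Wed Nov 02 11:27:01.796268 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH02411: SSL Proxy: Peer certificate does not match for hostname external.example.com
[Wed Nov 02 11:27:01.796818 2022] [proxy:error] [pid 21222:tid 140410820142784] (20014)Internal error (specific information not available): [client 233.252.0.3:13994] AH01084: pass request body failed to 192.168.0.2:443 (internal.example.net), referer: https://www.example.com/
"""

# AH02411 names the hostname mod_ssl checked the peer certificate against.
AH02411 = re.compile(r"\[remote (?P<peer>[\d.]+:\d+)\] AH02411: .*hostname (?P<checked>\S+)$")
# AH01084 names the backend address and the host mod_proxy was forwarding to.
AH01084 = re.compile(r"AH01084: pass request body failed to (?P<peer>[\d.]+:\d+) \((?P<target>[^)]+)\)")


def find_sni_mismatches(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per backend peer where the validated hostname
    (AH02411) differs from the proxy target host (AH01084).

    A differing pair is the symptom described in the report: the frontend
    ServerName was used for SNI/peer-name checking instead of the backend host.
    Peer address is assumed to be a good enough correlation key (assumption).
    """
    checked_by_peer: Dict[str, str] = {}
    target_by_peer: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = AH02411.search(line)
        if m:
            checked_by_peer[m["peer"]] = m["checked"]
            continue
        m = AH01084.search(line)
        if m:
            target_by_peer[m["peer"]] = m["target"]

    findings = []
    for peer, checked in checked_by_peer.items():
        target = target_by_peer.get(peer)
        if target and target.lower() != checked.lower():
            findings.append({"peer": peer, "validated_as": checked, "proxy_target": target})
    return findings


if __name__ == "__main__":
    for f in find_sni_mismatches(SAMPLE_LOG):
        print(f"{f['peer']}: validated as {f['validated_as']} but proxy target is {f['proxy_target']}")
```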