Posted to bugs@httpd.apache.org by bu...@apache.org on 2012/04/04 15:55:53 UTC

DO NOT REPLY [Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off'

https://issues.apache.org/bugzilla/show_bug.cgi?id=53006

Kaspar Brand <as...@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Platform|PC                          |All
         OS/Version|Linux                       |All

--- Comment #1 from Kaspar Brand <as...@velox.ch> 2012-04-04 13:55:53 UTC ---
That's right, mod_ssl currently doesn't have support for wildcard matching in
proxy SSL connections (ssl_engine_io.c:ssl_io_filter_handshake() does a
strcasecmp of the hostname only).

SSLProxyCheckPeerCN defaults to "off" in 2.2, while in 2.4 it is "on" (if you
haven't encountered the issue with previous httpd releases, then this is why -
or you might have used a release before 2.2.12, when it was added for 2.2).

We could implement this with code similar to the one added to
ssl_engine_init.c:ssl_check_public_cert() with r1176752 (where it has a purely
diagnostic purpose, though).
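
The gap between the exact `strcasecmp` comparison described in the comment and a wildcard-aware comparison, as an added example that is not part of the original comment and is not mod_ssl code. The function names `match_exact` and `match_wildcard` and the sample names are constructed, and the wildcard rule used (a `*` only as the whole leftmost label, covering exactly one label) is an assumption following the usual RFC 6125 convention.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Exact comparison, as the comment describes for proxy connections:
 * case-insensitive, with no wildcard handling. */
static int match_exact(const char *cert_name, const char *host)
{
    return strcasecmp(cert_name, host) == 0;
}

/* Hypothetical wildcard-aware comparison (assumed rule: "*" is honoured
 * only as the complete leftmost label and covers exactly one label). */
static int match_wildcard(const char *cert_name, const char *host)
{
    const char *dot;

    if (match_exact(cert_name, host))
        return 1;
    /* The name must begin with "*." and contain no other '*'. */
    if (cert_name[0] != '*' || cert_name[1] != '.' ||
        strchr(cert_name + 2, '*') != NULL)
        return 0;
    /* Require two labels after "*." so that "*.com" never matches. */
    if (strchr(cert_name + 2, '.') == NULL)
        return 0;
    /* The host needs a non-empty first label followed by a dot. */
    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;
    /* Compare from the first dot onward, e.g. ".example.com". */
    return strcasecmp(cert_name + 1, dot) == 0;
}

int main(void)
{
    /* Constructed sample names, not taken from the bug report. */
    const char *cn = "*.example.com";
    const char *hosts[] = { "www.example.com", "a.b.example.com",
                            "example.com" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-16s exact=%d wildcard=%d\n", hosts[i],
               match_exact(cn, hosts[i]), match_wildcard(cn, hosts[i]));
    return 0;
}
```

With the exact comparison, a backend presenting `*.example.com` fails the check for `www.example.com`, which is the situation that leads to `SSLProxyCheckPeerCN off` in the bug title.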
