Mailing List Archive: Apache: Bugs

[Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off'


bugzilla at apache

Apr 4, 2012, 6:55 AM

Post #1 of 5 (152 views)
[Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off'

https://issues.apache.org/bugzilla/show_bug.cgi?id=53006

Kaspar Brand <asfbugz [at] velox> changed:

What |Removed |Added
----------------------------------------------------------------------------
Platform|PC |All
OS/Version|Linux |All

--- Comment #1 from Kaspar Brand <asfbugz [at] velox> 2012-04-04 13:55:53 UTC ---
That's right, mod_ssl currently doesn't have support for wildcard matching in
proxy SSL connections (ssl_engine_io.c:ssl_io_filter_handshake() does a
strcasecmp of the hostname only).

SSLProxyCheckPeerCN defaults to "off" in 2.2, while in 2.4 it is "on" (if you
haven't encountered the issue with previous httpd releases, then this is why -
or you might have used a release before 2.2.12, when it was added for 2.2).

We could implement this with code similar to the one added to
ssl_engine_init.c:ssl_check_public_cert() with r1176752 (where it has a purely
diagnostic purpose, though).

--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe [at] httpd
For additional commands, e-mail: bugs-help [at] httpd
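To make the limitation in comment #1 concrete, here is an added example (not mod_ssl code and not the change from r1176752 the comment refers to) contrasting the plain case-insensitive comparison the comment describes with a conservative leftmost-label wildcard match. The function names and the constructed host/CN pairs are hypothetical; the point is that a backend presenting a CN of `*.example.com` can never pass an exact `strcasecmp` against `www.example.com`, which is why the peer check fails in 2.4 where it is on by default.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Exact match, as comment #1 describes the proxy peer check doing:
 * one case-insensitive comparison of the peer CN with the hostname. */
int cn_matches_exact(const char *cn, const char *host)
{
    return strcasecmp(cn, host) == 0;
}

/* Case-insensitive comparison of two byte ranges (hypothetical helper). */
static int labels_equal_ci(const char *a, size_t alen, const char *b, size_t blen)
{
    if (alen != blen)
        return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Conservative wildcard match (hypothetical, not the mod_ssl implementation):
 *  - the wildcard must be the entire leftmost label ("*.example.com");
 *  - it matches exactly one label: "www.example.com" yes, "example.com" and
 *    "a.b.example.com" no;
 *  - "w*.example.com" (partial-label wildcard) and "*.com" (wildcard directly
 *    above a single suffix label) are rejected;
 *  - the remaining labels are compared case-insensitively. */
int cn_matches_wildcard(const char *cn, const char *host)
{
    if (cn_matches_exact(cn, host))
        return 1;
    if (strncmp(cn, "*.", 2) != 0)            /* only a whole leftmost-label wildcard */
        return 0;
    const char *cn_rest = cn + 2;             /* e.g. "example.com" */
    if (strchr(cn_rest, '*') != NULL)         /* no second wildcard anywhere */
        return 0;
    if (strchr(cn_rest, '.') == NULL)         /* reject "*.com" style CNs */
        return 0;
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)           /* host needs a non-empty first label */
        return 0;
    /* everything after the host's first label must equal the CN suffix */
    return labels_equal_ci(dot + 1, strlen(dot + 1), cn_rest, strlen(cn_rest));
}

/* Stand-alone demonstration over constructed CN/host pairs. */
int main(void)
{
    struct { const char *cn; const char *host; } cases[] = {
        { "www.example.com", "WWW.example.COM" },   /* exact, case-insensitive */
        { "*.example.com",   "www.example.com" },   /* the thread's failing case */
        { "*.example.com",   "example.com" },       /* wildcard does not cover apex */
        { "*.example.com",   "a.b.example.com" },   /* wildcard covers one label only */
        { "*.com",           "example.com" },       /* too broad, rejected */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("CN %-18s host %-18s exact=%d wildcard=%d\n",
               cases[i].cn, cases[i].host,
               cn_matches_exact(cases[i].cn, cases[i].host),
               cn_matches_wildcard(cases[i].cn, cases[i].host));
    return 0;
}
```

Setting `SSLProxyCheckPeerCN off`, as the bug title describes, works around the failure by skipping the hostname comparison altogether, so the proxy no longer verifies that the backend certificate was issued for the host it is talking to; a match routine along the lines above is what keeps the check on while still accepting a legitimately issued wildcard certificate.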


bugzilla at apache

Apr 4, 2012, 7:07 AM

Post #2 of 5 (141 views)
[Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off' [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53006

--- Comment #2 from Petter Berntsen <petterb [at] gmail> 2012-04-04 14:07:26 UTC ---
I see.

It seems reasonable that it should be mentioned in the upgrade doc as this
makes these vhosts stop working after upgrade.



bugzilla at apache

Apr 4, 2012, 7:09 AM

Post #3 of 5 (141 views)
[Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off' [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53006

--- Comment #3 from Kaspar Brand <asfbugz [at] velox> 2012-04-04 14:09:51 UTC ---
(In reply to comment #2)
> It seems reasonable that it should be mentioned in the upgrade doc as this
> makes these vhosts stop working after upgrade.

It is already - see second bullet at

http://httpd.apache.org/docs/2.4/upgrading.html#misc



bugzilla at apache

Apr 4, 2012, 7:19 AM

Post #4 of 5 (143 views)
[Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off' [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53006

--- Comment #4 from Petter Berntsen <petterb [at] gmail> 2012-04-04 14:19:52 UTC ---
I know about that one (I actually triggered Humbedooh to add the last part ;)

But I don't think it's clear that a server with a valid wildcard certificate
will stop working.

That would entail one knows SSLProxyCheckPeerCN does not acknowledge wildcard
certificates.


Relevant part of bullet point for reference:
SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire now default to On, causing
proxy requests to HTTPS hosts with bad or outdated certificates to fail with a
502 status code (Bad gateway)



bugzilla at apache

Apr 4, 2012, 7:32 AM

Post #5 of 5 (141 views)
[Bug 53006] SSLProxy to server with wildcard certificate requires 'SSLProxyCheckPeerCN off' [In reply to]

https://issues.apache.org/bugzilla/show_bug.cgi?id=53006

--- Comment #5 from Kaspar Brand <asfbugz [at] velox> 2012-04-04 14:32:33 UTC ---
Ah, sorry for misinterpreting your previous comment. I think it would make
sense to mention this limitation in both the upgrade docs and in the reference
section about SSLProxyCheckPeerCN
(http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeercn).

