https://issues.apache.org/bugzilla/show_bug.cgi?id=54030
--- Comment #3 from Kaspar Brand <[email protected]> ---

See also bug 53006.

Some preliminary comments about the patch: we really want to avoid duplicating code from ssl_check_public_cert() - there should be a single check_ID(...) function instead (i.e. the code should be factored out to ssl_util_ssl.c, ideally).

In the following two log messages, there's a misconception about what a "DN" really is in the context of an X.509 certificate:

+ ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO()
+ "SSL Proxy: Failure to extract DNs from"
+ " peer certificate."
+ " Requested hostname: %s",

 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02005)
 "SSL Proxy: Peer certificate CN mismatch:"
- " Certificate CN: %s Requested hostname: %s",
- hostname, hostname_note);
+ " Requested hostname: %s."
+ " Last DN checked: %s.",
+ hostname_note, id[i-1]);

DN is short for "distinguished name" (not "domain name"), and a certificate only has a single subject DN and a single issuer DN (for host name checks, the former is relevant).

Right now the name of the directive is "SSLProxyCheckPeerCN", so the code is currently doing what the documentation states ("Whether to check the remote server certificates CN field"). I agree that checking against subjectAltName entries is highly desirable (in the spirit of RFC 6125), but we might want to introduce a separate directive for this purpose (and deprecate SSLProxyCheckPeerCN).
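Review bot: In the first hunk the new ap_log_cerror() call has an empty APLOGNO(); every log call needs its assigned tag number, as the second hunk's APLOGNO(02005) does, so this cannot be committed as-is. The message text "Failure to extract DNs from peer certificate" also misnames what is being extracted: a certificate has exactly one subject DN, and the values this code walks are host identifiers (the CN and subjectAltName entries). Suggest "Failure to extract host identifiers from peer certificate" and an assigned APLOGNO.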
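Review bot: In the second hunk, `id[i-1]` is only safe if `i` is guaranteed to be at least 1 when the mismatch branch is reached; if the loop that advances `i` can finish with `i == 0` (nothing extracted), this indexes before the start of `id`. Guard it (for example `i > 0 ? id[i-1] : "(none)"`) or report the host name only. Also rename "Last DN checked" to "Last identifier checked", since the value is a CN or subjectAltName entry rather than a DN, and note that the rewritten message drops the certificate CN that the removed `- " Certificate CN: %s Requested hostname: %s",` line reported, which operators rely on when diagnosing a mismatch.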
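The comment asks for a single identity check that matches against subjectAltName entries in the spirit of RFC 6125 rather than the subject CN alone. The following is an added example of such a check, written for this page; it is not httpd code and not the patch under review. The cert_ids struct is a stand-in for what a real implementation would extract from the peer X509 with OpenSSL (the dNSName entries of subjectAltName and the CN attribute of the subject DN), and check_id() is a hypothetical name loosely modelled on the check_ID(...) helper the comment proposes. The host names in main() are constructed sample data.

```c
/*
 * Added example, not httpd code: RFC 6125 style host name matching against
 * the identifiers carried by a peer certificate. cert_ids is a stand-in
 * for data a real check would pull out of the X509 via OpenSSL; check_id()
 * is a hypothetical name, not an existing httpd function.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SAN 8

typedef struct {
    const char *cn;                 /* CN attribute of the subject DN, or NULL */
    const char *san_dns[MAX_SAN];   /* dNSName entries from subjectAltName */
    size_t num_san;
} cert_ids;

/* Case-insensitive equality of two NUL-terminated ASCII host names. */
static int ci_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Number of '.'-separated labels in s ("example.com" -> 2). */
static size_t label_count(const char *s)
{
    size_t n = 1;
    for (; *s != '\0'; s++) {
        if (*s == '.')
            n++;
    }
    return n;
}

/*
 * Match one presented identifier (a dNSName or the CN) against the
 * reference host name. Wildcards follow RFC 6125 section 6.4.3: '*' is
 * accepted only as the entire leftmost label, it matches exactly one
 * label, and at least two labels must follow it, so "*.example.com" is
 * accepted while "*.com", "f*.example.com" and "a.*.example.com" are not.
 */
static int match_dns_id(const char *presented, const char *reference)
{
    if (*presented == '\0' || *reference == '\0')
        return 0;
    if (strchr(presented, '*') == NULL)
        return ci_equal(presented, reference);

    if (strncmp(presented, "*.", 2) != 0
        || strchr(presented + 2, '*') != NULL
        || label_count(presented + 2) < 2)
        return 0;

    const char *dot = strchr(reference, '.');
    if (dot == NULL || dot == reference)
        return 0;                       /* reference needs a leftmost label */
    return ci_equal(dot + 1, presented + 2);
}

/*
 * Returns 1 if hostname matches the certificate, 0 otherwise. dNSName
 * entries take precedence; the CN is consulted only when the certificate
 * carries no dNSName at all (RFC 6125 section 6.4.4). *last_tried receives
 * the identifier checked last, which is what a mismatch log line should
 * report (it is a host identifier, not a "DN").
 */
static int check_id(const cert_ids *ids, const char *hostname,
                    const char **last_tried)
{
    *last_tried = NULL;
    if (ids->num_san > 0) {
        for (size_t i = 0; i < ids->num_san; i++) {
            *last_tried = ids->san_dns[i];
            if (match_dns_id(ids->san_dns[i], hostname))
                return 1;
        }
        return 0;                       /* SANs present: CN is no fallback */
    }
    if (ids->cn != NULL) {
        *last_tried = ids->cn;
        return match_dns_id(ids->cn, hostname);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample identities, not taken from any real certificate. */
    const cert_ids with_san = { "www.example.com",
                                { "*.example.com", "example.com" }, 2 };
    const cert_ids cn_only  = { "legacy.example.net", { NULL }, 0 };
    const char *hosts[] = { "api.example.com", "deep.api.example.com",
                            "legacy.example.net" };
    const char *last;

    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++) {
        int ok = check_id(&with_san, hosts[i], &last);
        printf("SAN cert,     %-22s -> %s (last checked: %s)\n", hosts[i],
               ok ? "match" : "MISMATCH", last ? last : "none");
        ok = check_id(&cn_only, hosts[i], &last);
        printf("CN-only cert, %-22s -> %s (last checked: %s)\n", hosts[i],
               ok ? "match" : "MISMATCH", last ? last : "none");
    }
    return 0;
}
```

The point the example makes that the CN-only check in SSLProxyCheckPeerCN cannot: once a certificate carries any dNSName, the CN is ignored entirely, so a certificate whose CN matches but whose SANs do not is correctly rejected, and a single-label wildcard such as "*.com" never matches anything.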
