https://bz.apache.org/bugzilla/show_bug.cgi?id=54656

Yann Ylavic <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #5 from Yann Ylavic <[email protected]> ---
In the latest 2.2 and 2.4 versions, mod_proxy will always set the SNI for the
backend connections to its request's Host header (reverse, r1356881 from 2.4.3)
or targeted host (forward, r1673941 from 2.4.13), and will not reuse any
connection with SNI if that host differs (r1587201 from 2.4.10).

I think there is no point in using SSLProxyCheckPeerCN, requesting a particular
host (be it preserved or not), getting a response from another host (backend
certificate's CN), and being fine with it.
If this is expected, just don't set "SSLProxyCheckPeerCN on".

Please note that one can use a wildcard or multi-CN-subjectAltName(s)
certificate on the backend, and mod_proxy will also accept those if they match
the requested host (r1485667 from 2.4.5). 

Thus I'm marking this report as invalid.
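
A model of the name check described in the comment above, added here as an illustration; it is not part of the original comment and is not httpd code. It assumes the CN and every subjectAltName DNS entry are candidates and that a wildcard is honoured only as the whole left-most label; the function names and certificate names are constructed.

```python
"""Illustrative model of the backend certificate name check (not httpd source)."""


def name_matches(pattern, host):
    """Compare one certificate name with the host the proxy asked for.

    Assumption: "*" is honoured only as the entire left-most label and
    stands for exactly one label; comparison is case-insensitive.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h


def backend_check(requested_host, cert_cn, cert_sans=(), check_peer=True):
    """Return (accepted, reason) for one proxied TLS connection.

    requested_host is the name sent as SNI: the request's Host header for
    a reverse proxy, the targeted host for a forward proxy.
    check_peer models "SSLProxyCheckPeerCN on" versus leaving it unset.
    """
    if not check_peer:
        return True, "peer name check disabled"
    for name in [cert_cn, *cert_sans]:
        if name and name_matches(name, requested_host):
            return True, "matched " + name
    return False, "no certificate name matches " + requested_host


if __name__ == "__main__":
    # Constructed sample certificates, all checked against the same request.
    host = "app.example.com"
    cases = [
        ("backend01.example.net", ()),                           # unrelated CN
        ("*.example.com", ()),                                   # wildcard CN
        ("backend01.example.net", ("api.example.com", host)),   # SAN list
    ]
    for cn, sans in cases:
        print(cn, list(sans), backend_check(host, cn, sans))
    # Same mismatching certificate with the check left off.
    print(backend_check(host, "backend01.example.net", check_peer=False))
```
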
