https://bz.apache.org/bugzilla/show_bug.cgi?id=63925
--- Comment #2 from Idar Lund ---
(In reply to Yann Ylavic from comment #1)
> mod_ssl is indeed using the "Host:" which is sent to the backend server to
> validate that the certificate given by that backend corresponds. This is the
> right thing to do.
>
> I'd suggest to leave ProxyPreserveHost alone (i.e. default "off"), so that
> the "Host:" header is taken from the ProxyPass, or set
> "SSLProxyCheckPeerName off" if you don't want to verify the backend's CN (it
> can't match in your case).

I totally agree that this should be default behaviour, but in this case the backend server is serving several sites and needs a way to determine what site (or vhost for that matter) to serve the query. The standardized way to do that is to use the "Host:" HTTP header field. If I turn "ProxyPreserveHost" off, then the backend server has no idea on what site it's supposed to serve. This is why I also mentioned the workaround with the "Via:" HTTP header setting.

Also, disabling the CN checking is not an option as this opens up for man-in-the-middle attacks. This is also why I'm suggesting that it should be configurable what mod_ssl is using to check the name.
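The name check discussed in this thread, as an added example that is not part of the original comment and is not mod_ssl's code: a simplified Python model of which name is compared with the backend certificate under each combination of ProxyPreserveHost and SSLProxyCheckPeerName. The host names, the certificate names and the matching rule (exact match or a single left-most wildcard label) are assumptions made for illustration.

```python
# Simplified model of the proxy-to-backend name check described in the thread.
# All names below are constructed sample values, not taken from the bug report.

CERT_NAMES = ["backend.internal.example"]   # names in the backend's certificate
PROXYPASS_HOST = "backend.internal.example" # host part of the ProxyPass URL
CLIENT_HOST = "site-a.example"              # "Host:" sent by the browser


def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare a certificate DNS name with a host name; a '*' may stand
    for exactly one left-most label (assumed matching rule)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def backend_request(cert_names, proxypass_host, client_host,
                    preserve_host, check_peer_name):
    """Return the Host: header sent to the backend and the check outcome."""
    # ProxyPreserveHost On forwards the client's Host:, Off uses ProxyPass.
    host_header = client_host if preserve_host else proxypass_host
    if not check_peer_name:
        # Name check skipped: the certificate's names are never compared.
        return {"host_header": host_header, "name_checked": False,
                "accepted": True}
    ok = any(dns_name_matches(n, host_header) for n in cert_names)
    return {"host_header": host_header, "name_checked": True, "accepted": ok}


def scenarios():
    """The three configurations raised in the thread."""
    args = (CERT_NAMES, PROXYPASS_HOST, CLIENT_HOST)
    return {
        "preserve_off_check_on": backend_request(*args, False, True),
        "preserve_on_check_on": backend_request(*args, True, True),
        "preserve_on_check_off": backend_request(*args, True, False),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

Only the first configuration both checks the name and is accepted, and it is the one in which the backend no longer receives the client's "Host:" value to select a vhost.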
