Hi Pravesh,

this is the expected behaviour of SSLProxyCheckPeerCN. When
set to "on" (default), the certificate CN of the backend server
has to match the configured BalancerMember's name.

In your case, your BalancerMember seems to be "https://15.146.153.101/"
(so the name is "15.146.153.101"), which has configured an SSL certificate
with "CN=y". This constellation can't work.

Normally "SSLProxyCheckPeerCN off" should solve your issue - what do
you mean by 'is not helping much in our case'? What is the error
message when turning SSLProxyCheckPeerCN off? Perhaps you can also
post the relevant part of your configuration.

The links you posted are not really applicable to this configuration
issue. Please also consider that this is more a users issue than a dev
issue (-> users mailing list).



Regards,
Zisis

----- Original Message -----
> From: "Pravesh R Rai (STSD)" <pravesh....@hp.com>
> To: dev@httpd.apache.org
> Cc: "Tariq Mahmood (Tariq Mahmood Dar (IESL))" <tariq.mahm...@hp.com>, 
> "Arshad Mohammed (STSD)"
> <arshad.moham...@hp.com>, "William Chow" <william.c...@hp.com>, "William A. 
> Rowe Jr. (wr...@rowe-clan.net)"
> <wr...@rowe-clan.net>, "Scott Lamons (Open Source Program Office)" 
> <scott.lam...@hp.com>, "Bryan Sutula (Open Source
> Program Office)" <bryan.sut...@hp.com>
> Sent: Tuesday, November 20, 2012 12:17:13 PM
> Subject: Apache 2.4.3 issue related to SLProxyCheckPeerCN directive
> 
> Hi All,
> 
> While trying to use Apache 2.4.3, we are getting the following error
> messages (in error_log), when trying to access a link to another
> application running on Tomcat web server:
> 
> ------------------
> [ssl:info] [pid 3264] [remote 127.0.0.1:1188] AH02005: SSL Proxy:
> Peer certificate CN mismatch: Certificate CN: y Requested hostname:
> 15.146.153.101
> [ssl:info] [pid 3264] [remote 127.0.0.1:1188] AH01998: Connection
> closed to child 0 with abortive shutdown (server localhost:2381)
> [proxy_http:error] [pid 3264] (502)Unknown error 502: [client
> 16.154.173.74:52712] AH01084: pass request body failed to
> 127.0.0.1:1188 (localhost), referer:
> https://15.146.153.101:2381/chplinkstrt.php?chppath=Tools%3A%3AServiceguard&chppage=Serviceguard%20Manager&chpurl=/sgmgr/main/main.do&chptarget=undefined
> [proxy:error] [pid 3264] [client 16.154.173.74:52712] AH00898: Error
> during SSL Handshake with remote server returned by
> /sgmgr/main/main.do, referer:
> https://15.146.153.101:2381/chplinkstrt.php?chppath=Tools%3A%3AServiceguard&chppage=Serviceguard%20Manager&chpurl=/sgmgr/main/main.do&chptarget=undefined
> [proxy_http:error] [pid 3264] [client 16.154.173.74:52712] AH01097:
> pass request body failed to 127.0.0.1:1188 (localhost) from
> 16.154.173.74 (), referer: https://15.146.153.101:2381/chpl
> ------------------
> 
> Also found that the same bug is reported at some Apache & Bugzilla
> sites:
> 
> https://issues.apache.org/bugzilla/show_bug.cgi?id=53006
> http://mail-archives.apache.org/mod_mbox/httpd-bugs/201203.mbox/%3cbug-53006-7...@https.issues.apache.org/bugzilla/%3E
> http://osdir.com/ml/bugs-httpd/2012-03/msg00324.html
> 
> but none of those points in the right direction. After going through
> Apache-2.4.3 docs/forum:
> 
> http://apache-http-server.18135.n6.nabble.com/SSLProxyCheckPeerCN-ProxyPreserveHost-issue-td4999947.html
> http://httpd.apache.org/docs/2.4/upgrading.html#misc
> http://httpd.apache.org/docs/trunk/mod/mod_ssl.html
> 
> found that it is observed only with Apache-2.4.3 & is due to one
> directive "SSLProxyCheckPeerCN", which is now "on" by default. But
> even setting this to "off" is not helping much in our case.
> 
> Can anybody please provide some clue about this behavior?
> 
> Regards,
> Pravesh
> 

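The mismatch described in the reply, as an added configuration sketch (not part of the original thread, and not the poster's actual configuration, which was never posted). It contrasts a balancer member addressed by IP with one addressed by a name equal to the backend certificate's CN. The balancer name `app`, the host `backend.example.internal` and the CA file path are placeholders, and the `/sgmgr/` path is taken from the quoted log.

```apache
# Use ONE of the two variants below; they are alternatives, not one file.

# --- Variant A: fails with AH02005 while the check is on ---------------
# The member is named by IP address ("15.146.153.101", as quoted in the
# reply), but the backend presents a certificate with a different CN
# ("CN=y" in the log), so the comparison can never succeed.
SSLProxyEngine on
SSLProxyCheckPeerCN on
<Proxy "balancer://app">
    BalancerMember "https://15.146.153.101"
</Proxy>
ProxyPass "/sgmgr/" "balancer://app/sgmgr/"

# Setting "SSLProxyCheckPeerCN off" here removes the comparison entirely:
# the proxy then no longer checks that the certificate belongs to the
# server it meant to reach.

# --- Variant B: check stays on and passes ------------------------------
# Address the backend by a name that equals the CN in its certificate
# (placeholder name; it must resolve on the proxy host via DNS or a
# hosts entry), or reissue the backend certificate with the CN that the
# proxy uses for it.
SSLProxyEngine on
SSLProxyCheckPeerCN on
# The CN check is only meaningful if the certificate chain is verified
# too; SSLProxyVerify defaults to "none".
SSLProxyVerify require
SSLProxyCACertificateFile "/path/to/backend-ca.pem"
<Proxy "balancer://app">
    BalancerMember "https://backend.example.internal"
</Proxy>
ProxyPass "/sgmgr/" "balancer://app/sgmgr/"
```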