We have an external load balancer handling client-facing SSL sessions, and 
Apache httpd uses a single x509 cert for receiving traffic from those load 
balancers.  As such, the Host field in the received content does not match the 
CN in the certificate the load balancers see when contacting mod_ssl.  It does 
match the hostname the load balancers use to talk to mod_ssl.  Everything works 
correctly; we just get a lot of this warning:

mod_ssl server certificate does NOT include an ID which matches the server name

I didn't see an existing way to disable this without also dropping another 
chunk of potentially useful logs.  Personally, I think info level might have 
been a bit more appropriate, anyhow.

My proposed solution is a new configuration flag to suppress this warning.  
There would be no behavior change in the default case.  I was thinking 
something like SSLSupressCNMissmatch (yes, it's ugly) or SSLExternalProxy (in 
case there are other, future things that should also work at this level).

Any suggestions on alternate directive names, different approaches, etc?  
Should the log threshold on that message stay warn, or move to info?

Ideally, I wouldn't be applying a patch to our sources for the next several 
years.  If such a configuration option isn't desired by the community, I'll 
just comment out the warning in our builds and be done with it.  So, that would 
also be helpful feedback.

Thanks in advance for any feedback,

Rick Houser
PGDS Web Administration
(517)367-3516
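As an added illustration (not part of the original post, and not mod_ssl's own code), here is a stand-alone Python re-implementation of the identifier check behind the warning being discussed: does the certificate presented by the virtual host carry a name matching the configured server name? The matching rules follow RFC 6125 (dNSName SANs take precedence over the CN; one wildcard is allowed only as the whole left-most label). The `suppress` flag stands in for the hypothetical directive proposed above, and the certificate names and server names are constructed values, not taken from any real deployment.

```python
"""
Added example: re-implementation of the ServerName-vs-certificate identity
check that produces mod_ssl's "server certificate does NOT include an ID
which matches the server name" warning. Not mod_ssl's code; all names are
constructed.
"""
import logging
from dataclasses import dataclass, field
from typing import List, Optional

log = logging.getLogger("mod_ssl_example")


@dataclass
class CertIdentity:
    """Identifiers pulled from an X.509 server certificate (constructed)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)

    def identifiers(self) -> List[str]:
        # RFC 6125 section 6.4.4: when dNSName SANs are present, the CN is
        # not consulted at all; only certificates without SANs fall back to CN.
        return self.san_dns if self.san_dns else [self.common_name]


def _identifier_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate identifier against a host
    name. A wildcard is honoured only when it is the entire left-most label,
    and it never spans a dot ("*.example.com" does not match
    "a.b.example.com" and does not match the bare "example.com")."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                     # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]      # the label the "*" must cover
    return leftmost != "" and "." not in leftmost


def cert_matches_server_name(cert: CertIdentity, server_name: str) -> bool:
    """True if any usable identifier in the certificate names server_name."""
    return any(_identifier_matches(ident, server_name)
               for ident in cert.identifiers())


def check_vhost(cert: CertIdentity, server_name: str,
                suppress: bool = False) -> Optional[str]:
    """Return the warning text that would be logged for this virtual host,
    or None when the certificate and server name agree. With `suppress`
    (the hypothetical directive from the post) the mismatch is still
    detected but demoted to info level and not returned as a warning."""
    if cert_matches_server_name(cert, server_name):
        return None
    msg = ("server certificate does NOT include an ID which matches the "
           f"server name ({server_name}; certificate IDs: "
           f"{', '.join(cert.identifiers())})")
    log.log(logging.INFO if suppress else logging.WARNING, msg)
    return None if suppress else msg


def main() -> None:
    logging.basicConfig(level=logging.INFO, format="[%(levelname)s] %(message)s")
    # Constructed scenario: the load balancer talks to httpd by an internal
    # name that the backend certificate carries, while the vhost is
    # configured with the public name the clients use.
    backend_cert = CertIdentity(common_name="lb-backend.internal")
    print(check_vhost(backend_cert, "www.example.com"))          # warning
    print(check_vhost(backend_cert, "lb-backend.internal"))      # None
    print(check_vhost(backend_cert, "www.example.com", suppress=True))  # None


if __name__ == "__main__":
    main()
```

The `suppress` path keeps the detection and only changes how it is reported, which is the behaviour-preserving shape the post is asking for: the default case still warns, and the mismatch remains visible at info level for anyone who wants it.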
