Was looking into a report that something could get a lift on websocket with a
specific AltSubject trickery; but got into yak shaving - where I cannot work
out why SSLProxyCheckPeerCN et al. get ignored. The most trivial config I could
find to reproduce is:
Listen 123.123.123.123:4321
<VirtualHost 123.123.123.123:4321>
ServerName test-websock-bypass.webweaving.org
LogLevel Debug
SSLProxyEngine On
SSLProxyCheckPeerCN off # Not using SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProxyVerify off
SSLProxyCACertificateFile …./proxy.pem
ProxyPass / https://127.0.0.1:1234/
ProxyPassReverse / https://127.0.0.1:1234/
</VirtualHost>
This is getting tested with
beeb:~ dirkx$ curl -vvvv https://123.123.123.123:4321/
giving us a
500 Proxy Error
The proxy server could not handle the request <em><a
href="/">GET /</a></em>.<p>
Reason: <strong>Error during SSL Handshake with remote
server</strong></p><p />
However the log gives me:
[Wed Feb 17 12:18:53.167903 2016] [ssl:debug] [pid 48233]
ssl_engine_kernel.c(1560): [remote 192.168.0.5:6045] AH02275: Certificate
Verification, depth 0, CRL checking mode: none [subject:
[email protected],CN=host.unknown,OU=root / issuer:
[email protected],CN=host.unknown,OU=root / serial: 2481 /
notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb 7 10:51:12 2026 GMT]
[Wed Feb 17 12:18:53.169458 2016] [ssl:debug] [pid 48233]
ssl_engine_kernel.c(2018): [remote 192.168.0.5:6045] AH02041: Protocol:
TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
[Wed Feb 17 12:18:53.169508 2016] [ssl:debug] [pid 48233] ssl_util_ssl.c(443):
AH02412: [weser.webweaving.org:443] Cert does not match for name '192.168.0.5'
[subject: [email protected],CN=host.unknown,OU=root / issuer:
[email protected],CN=host.unknown,OU=root / serial: 2481 /
notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb 7 10:51:12 2026 GMT]
[Wed Feb 17 12:18:53.169524 2016] [ssl:info] [pid 48233] [remote
192.168.0.5:6045] AH02411: SSL Proxy: Peer certificate does not match for
hostname 192.168.0.5
[Wed Feb 17 12:18:53.169541 2016] [ssl:info] [pid 48233] [remote
192.168.0.5:6045] AH01998: Connection closed to child 0 with abortive shutdown
(server weser.webweavin
Now AFAIKS - AH02412 is fair game - that is in modssl_X509_match_name() and the
name does indeed not match.
But I fail to understand the error on AH02411 — it is in ssl_engine_io.c
    if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
        hostname_note) {
        apr_table_unset(c->notes, "proxy-request-hostname");
        if (!cert
            || modssl_X509_match_name(c->pool, cert, hostname_note,
                                      TRUE, server) == FALSE) {
            proxy_ssl_check_peer_ok = FALSE;
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
                          "SSL Proxy: Peer certificate does not match "
                          "for hostname %s", hostname_note);
        }
    }
    else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
             hostname_note) {
        const char *hostname;
        int match = 0;
So I am now wondering about this logic in case of no alternative subject. And
if superseding it was good enough - or if it should be totally removed. OR if
this check needs to become an either/or check if there is no subject
alternative.
Dw
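An added model of the if / else-if chain quoted above (not Dirk's code and not httpd's own; the tristate values are assumed from ssl_private.h, and match_name()/match_cn() are hypothetical stand-ins for modssl_X509_match_name() and the CN comparison). It shows that a directive left unset is not SSL_ENABLED_FALSE, so the peer-name branch runs first and the CN branch is only reached when SSLProxyCheckPeerName is explicitly off:

```c
#include <string.h>
#include <strings.h>

/* Tristate in the style of mod_ssl's ssl_enabled_t (values assumed from
 * ssl_private.h). A directive that is never set stays UNSET, and the
 * quoted code tests "!= SSL_ENABLED_FALSE", so UNSET behaves like "on". */
enum ssl_enabled { SSL_ENABLED_UNSET = -1, SSL_ENABLED_FALSE = 0, SSL_ENABLED_TRUE = 1 };

/* Which branch ran, and whether the backend certificate was accepted. */
enum check_result { CHECK_SKIPPED_OK, CHECK_NAME_OK, CHECK_NAME_MISMATCH,
                    CHECK_CN_OK, CHECK_CN_MISMATCH };

/* Hypothetical backend certificate: just a CN and at most one DNS SAN. */
struct peer_cert { const char *cn; const char *san_dns; };

/* Exact match, or a leading "*." matching exactly one label. */
static int match_cn(const char *cn, const char *host)
{
    const char *dot;
    if (!cn) return 0;
    if (strcasecmp(cn, host) == 0) return 1;
    if (strncmp(cn, "*.", 2) != 0) return 0;
    dot = strchr(host, '.');
    return dot && strcasecmp(dot, cn + 1) == 0;
}

/* Stand-in for modssl_X509_match_name(..., allow_wildcard=TRUE): prefer
 * the DNS SAN, fall back to the CN only when the cert carries no SAN. */
static int match_name(const struct peer_cert *cert, const char *host)
{
    if (cert->san_dns) return strcasecmp(cert->san_dns, host) == 0;
    return match_cn(cert->cn, host);
}

/* Models the if / else-if chain quoted from ssl_engine_io.c. */
enum check_result proxy_peer_check(enum ssl_enabled check_peer_name,
                                   enum ssl_enabled check_peer_cn,
                                   const struct peer_cert *cert,
                                   const char *hostname_note)
{
    if (check_peer_name != SSL_ENABLED_FALSE && hostname_note)   /* AH02411 path */
        return match_name(cert, hostname_note) ? CHECK_NAME_OK : CHECK_NAME_MISMATCH;
    if (check_peer_cn != SSL_ENABLED_FALSE && hostname_note)     /* only when the above is off */
        return match_cn(cert->cn, hostname_note) ? CHECK_CN_OK : CHECK_CN_MISMATCH;
    return CHECK_SKIPPED_OK;   /* both directives explicitly off: nothing consulted */
}
```

With the config from the mail (SSLProxyCheckPeerCN off, SSLProxyCheckPeerName untouched) the model takes the first branch and rejects CN=host.unknown for 192.168.0.5, which is the AH02411 outcome in the log.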