> -----Original Message-----
> From: Dirk-Willem van Gulik [mailto:[email protected]]
> Sent: Wednesday, 17 February 2016 12:34
> To: [email protected]
> Subject: Odd SSLProxyCheckPeerCN behaviour
>
> Was looking into a report that something could get a lift on websocket
> with a specific AltSubject trickery; but got into yak shaving - where I
> cannot work out why SSLProxyCheckPeerCN et al. get ignored. The most
> trivial config I could find to reproduce is:
>
> Listen 123.123.123.123:4321
>
> <VirtualHost 123.123.123.123:4321>
> ServerName test-websock-bypass.webweaving.org
> LogLevel Debug
>
> SSLProxyEngine On
>
> SSLProxyCheckPeerCN off # Not using SSLProxyCheckPeerName off
> SSLProxyCheckPeerExpire off
> SSLProxyVerify off
>
> SSLProxyCACertificateFile …./proxy.pem
>
> ProxyPass / https://127.0.0.1:1234/
> ProxyPassReverse / https://127.0.0.1:1234/
> </VirtualHost>
>
> This is getting tested with
>
> beeb:~ dirkx$ curl -vvvv https://123.123.123.123:4321/
>
> giving us a
>
> 500 Proxy Error
>
> The proxy server could not handle the request <em><a href="/">GET /</a></em>.<p>
> Reason: <strong>Error during SSL Handshake with remote server</strong></p><p />
>
> However the log gives me:
>
> [Wed Feb 17 12:18:53.167903 2016] [ssl:debug] [pid 48233] ssl_engine_kernel.c(1560): [remote 192.168.0.5:6045] AH02275: Certificate Verification, depth 0, CRL checking mode: none [subject: [email protected],CN=host.unknown,OU=root / issuer: [email protected],CN=host.unknown,OU=root / serial: 2481 / notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb 7 10:51:12 2026 GMT]
> [Wed Feb 17 12:18:53.169458 2016] [ssl:debug] [pid 48233] ssl_engine_kernel.c(2018): [remote 192.168.0.5:6045] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
> [Wed Feb 17 12:18:53.169508 2016] [ssl:debug] [pid 48233] ssl_util_ssl.c(443): AH02412: [weser.webweaving.org:443] Cert does not match for name '192.168.0.5' [subject: [email protected],CN=host.unknown,OU=root / issuer: [email protected],CN=host.unknown,OU=root / serial: 2481 / notbefore: Feb 10 10:51:12 2016 GMT / notafter: Feb 7 10:51:12 2026 GMT]
> [Wed Feb 17 12:18:53.169524 2016] [ssl:info] [pid 48233] [remote 192.168.0.5:6045] AH02411: SSL Proxy: Peer certificate does not match for hostname 192.168.0.5
> [Wed Feb 17 12:18:53.169541 2016] [ssl:info] [pid 48233] [remote 192.168.0.5:6045] AH01998: Connection closed to child 0 with abortive shutdown (server weser.webweavin
>
> Now AFAIKS - AH02412 is fair game - that is in modssl_X509_match_name()
> and the name does indeed not match.
>
> But I fail to understand the error on AH02411 — it is in ssl_engine_io.c
>
>     if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
>         hostname_note) {
>         apr_table_unset(c->notes, "proxy-request-hostname");
>         if (!cert
>             || modssl_X509_match_name(c->pool, cert, hostname_note,
>                                       TRUE, server) == FALSE) {
>             proxy_ssl_check_peer_ok = FALSE;
>             ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02411)
>                           "SSL Proxy: Peer certificate does not match "
>                           "for hostname %s", hostname_note);
>         }
>     }
>     else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
>              hostname_note) {
>         const char *hostname;
>         int match = 0;
>
> So I am now wondering about this logic in case of no alternative
> subject. And if superseding it was good enough - or if it should be
I guess I am missing your point. modssl_X509_match_name checks alternative subject and CN. So what is actually wrong here?

Regards

Rüdiger
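To make the branch order in the quoted ssl_engine_io.c fragment concrete, here is an added Python model of the decision (example code, not httpd's own; the mini config parser, the PeerCert representation and the simplified SAN/CN matching in x509_match_name are assumptions). It shows why the reported configuration still ends in AH02411: the SSLProxyCheckPeerName branch is taken whenever that directive is anything other than an explicit `off`, so setting only SSLProxyCheckPeerCN off never reaches the CN branch, and the backend certificate (CN=host.unknown, no SAN) is compared against the IP address mod_proxy stored in the hostname note.

```python
"""Model of the SSLProxyCheckPeerName / SSLProxyCheckPeerCN decision quoted
above (added example; not httpd's own code)."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

# Tri-state mirroring SSL_ENABLED_UNSET / SSL_ENABLED_TRUE / SSL_ENABLED_FALSE.
UNSET, ON, OFF = "unset", "on", "off"


@dataclass
class ProxyConfig:
    check_peer_name: str = UNSET   # SSLProxyCheckPeerName
    check_peer_cn: str = UNSET     # SSLProxyCheckPeerCN


def parse_proxy_config(text: str) -> ProxyConfig:
    """Pick the two directives out of an httpd-style config fragment.

    Only whole-line '#' comments are honoured: httpd does not accept a trailing
    comment on a directive line, so 'SSLProxyCheckPeerCN off # note' is rejected
    as having too many arguments; this parser rejects it the same way.
    """
    cfg = ProxyConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive not in ("sslproxycheckpeername", "sslproxycheckpeercn"):
            continue
        if len(parts) != 2 or parts[1].lower() not in (ON, OFF):
            raise ValueError(f"{parts[0]} takes one argument (on|off): {raw!r}")
        if directive == "sslproxycheckpeername":
            cfg.check_peer_name = parts[1].lower()
        else:
            cfg.check_peer_cn = parts[1].lower()
    return cfg


@dataclass
class PeerCert:
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries


def x509_match_name(cert: PeerCert, name: str) -> bool:
    """Simplified stand-in for modssl_X509_match_name (assumption): use the SAN
    dNSName entries when there are any, otherwise fall back to the subject CN;
    '*' wildcards are accepted and matching is case-insensitive."""
    candidates = cert.san_dns or [cert.subject_cn]
    return any(fnmatchcase(name.lower(), c.lower()) for c in candidates)


def proxy_peer_check(cfg: ProxyConfig, cert: Optional[PeerCert],
                     hostname_note: Optional[str]) -> Tuple[bool, str]:
    """Follow the branch order of the quoted snippet: the PeerName branch runs
    whenever SSLProxyCheckPeerName is not explicitly 'off', so the PeerCN
    setting is only consulted once PeerName has been switched off."""
    if cfg.check_peer_name != OFF and hostname_note:
        if cert is None or not x509_match_name(cert, hostname_note):
            return False, f"AH02411: Peer certificate does not match for hostname {hostname_note}"
        return True, "peer name matched (SAN/CN)"
    if cfg.check_peer_cn != OFF and hostname_note:
        if cert is None or cert.subject_cn.lower() != hostname_note.lower():
            return False, "peer certificate CN mismatch"
        return True, "peer CN matched"
    return True, "peer name checking disabled for this proxy"


# Constructed inputs modelled on the report: CN=host.unknown, no SAN, and a
# backend that is reached by IP address.
REPORTED_CONFIG = """
SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLProxyVerify off
"""
BACKEND_CERT = PeerCert(subject_cn="host.unknown")


def reproduce_report() -> Tuple[bool, str]:
    """PeerName is unset, so its branch runs and the IP never matches the CN."""
    return proxy_peer_check(parse_proxy_config(REPORTED_CONFIG), BACKEND_CERT, "192.168.0.5")


def with_peer_name_off() -> Tuple[bool, str]:
    """Only an explicit SSLProxyCheckPeerName off skips the check, which also
    leaves the backend's identity unverified."""
    cfg = parse_proxy_config(REPORTED_CONFIG + "SSLProxyCheckPeerName off\n")
    return proxy_peer_check(cfg, BACKEND_CERT, "192.168.0.5")


def with_matching_san() -> Tuple[bool, str]:
    """Keeping the check and giving the backend a certificate that names it."""
    cert = PeerCert(subject_cn="host.unknown", san_dns=["backend.example.test"])
    return proxy_peer_check(parse_proxy_config(REPORTED_CONFIG), cert, "backend.example.test")


if __name__ == "__main__":
    for fn in (reproduce_report, with_peer_name_off, with_matching_san):
        print(fn.__name__, fn())
```

Run it as a script to see the three outcomes side by side; the first reproduces the AH02411 failure from the report, the second shows that only SSLProxyCheckPeerName off short-circuits both branches, and the third keeps the check in place and passes because the backend certificate carries a matching SAN.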
