On Wed, Sep 19, 2018 at 6:39 AM Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
> > On 18.09.2018 at 15:44, Houser, Rick <rick.hou...@jackson.com> wrote:
> >
> > In the same vein, I’ve been running this patch on our builds to get around a warning for certificates not matching the hostname. Certificates are not expected to match the hostname with many load balancing/uptime detection schemes, and this one logs a LOT when it trips on every vhost. Perhaps this patch should share the same fate as decided for the TLS missing SNI issue?
>
> Not sure I understand your setup here. Is this the ServerName from the global server? Otherwise, in a VirtualHost why would you not set the ServerName to the hostname you are serving?

Envision a TCP load balancer routing TLS-crypted traffic across a number of internal hosts, with each of the named virtual hosts presenting the correct certificate, and known to httpd by their ServerAlias on the outer-facing interface. Not terminated at the edge balancer. There is the issue of keeping TLS session key encoding in sync across the backends, obviously.