> Am 19.09.2018 um 17:17 schrieb William A Rowe Jr <[email protected]>:
>
> On Wed, Sep 19, 2018 at 6:39 AM Stefan Eissing <[email protected]>
> wrote:
>
> > Am 18.09.2018 um 15:44 schrieb Houser, Rick <[email protected]>:
> >
> > In the same vein, I’ve been running this patch on our builds to get around
> > a warning for certificates not matching the hostname. Certificates are not
> > expected to match the hostname with many load balancing/uptime detection
> > schemes, and this one logs a LOT when it trips on every vhost. Perhaps
> > this patch should share the same fate as decided for the TLS missing SNI
> > issue?
>
> Not sure I understand your setup here. Is this the ServerName from the global
> server? Otherwise, in a VirtualHost why would you not set the ServerName to
> the hostname you are serving?
>
> Envision a TCP load balancer routing TLS-crypted traffic across a number
> of internal hosts, with each of the named virtual hosts presenting the correct
> certificate, and known to httpd by their ServerAlias on the outer-facing
> interface.
> Not terminated at the edge balancer.
>
> There is the issue of keeping TLS session key encoding in sync across
> the backends, obviously.
Yes, I can see that. But the mentioned APLOG_WARN only triggers for
s->server_hostname, not the Alias list.
I therefore imagine the setup to be like:
tcp-balancer (x.domain.org)
- host a.internal.net
  <VirtualHost *:443>
    ServerName a.internal.net
    ServerAlias x.domain.org
    SSLCertificateFile cert-for-x.domain.org.pem
  </VirtualHost>
- host b.internal.net
  <VirtualHost *:443>
    ServerName b.internal.net
    ServerAlias x.domain.org
    SSLCertificateFile cert-for-x.domain.org.pem
  </VirtualHost>
and maybe that is nicer than writing
  <VirtualHost *:443>
    ServerName x.domain.org
    ServerAlias b.internal.net
    SSLCertificateFile cert-for-x.domain.org.pem
  </VirtualHost>
or it has side-effects that I do not understand. Or, the config is like:
  SSLCertificateFile cert-for-x.domain.org.pem
  <VirtualHost *:443>
    ServerName b.internal.net
  </VirtualHost>
  <VirtualHost *:443>
    ServerName x.domain.org
  </VirtualHost>
Anyway, I would like to understand the issue before removing the
APLOG_WARN about non-matching certificates, which is a valid warning
and can prevent debug frustration.
Rick, can you help me out here?
-Stefan
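The ServerName-only check Stefan describes, modelled as an added example (not code from httpd or from anyone in this thread): the certificate SAN list, the vhost dicts and the warning text are constructed stand-ins for the configs quoted above, and the hostname matcher follows the usual one-wildcard-in-the-leftmost-label rule.

```python
# Added example: models the mod_ssl warning discussed in the thread, which
# compares only ServerName (s->server_hostname) against the certificate,
# and contrasts it with a check that also consults ServerAlias.
# Certificate names and vhost dicts are constructed sample data.

def hostname_matches(pattern, hostname):
    """Exact match, or a single '*' covering the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard certs need at least two fixed labels (no "*.org").
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    if p_labels[0] != "*":        # no partial-label wildcards like "f*o"
        return False
    return p_labels[1:] == h_labels[1:]

def cert_covers(cert_names, hostname):
    """True if any SAN entry in the certificate matches the hostname."""
    return any(hostname_matches(n, hostname) for n in cert_names)

def servername_warning(vhost, cert_names):
    """Mirror of the warning in the thread: only ServerName is checked.
    Returns None when the cert covers ServerName, else a (paraphrased)
    warning string; ServerAlias entries never suppress it."""
    if cert_covers(cert_names, vhost["ServerName"]):
        return None
    return f"certificate does not include a name matching {vhost['ServerName']}"

def any_name_covered(vhost, cert_names):
    """Alternative check: list every ServerName/ServerAlias the cert covers."""
    names = [vhost["ServerName"]] + vhost.get("ServerAlias", [])
    return [n for n in names if cert_covers(cert_names, n)]

# Constructed SAN list standing in for cert-for-x.domain.org.pem.
CERT_FOR_X = ["x.domain.org"]

# The two vhost layouts from the thread: internal name first vs. public name first.
VHOST_A = {"ServerName": "a.internal.net", "ServerAlias": ["x.domain.org"]}
VHOST_X = {"ServerName": "x.domain.org", "ServerAlias": ["b.internal.net"]}

if __name__ == "__main__":
    for v in (VHOST_A, VHOST_X):
        print(v["ServerName"], "->", servername_warning(v, CERT_FOR_X) or "ok",
              "| names covered by cert:", any_name_covered(v, CERT_FOR_X))
```

Running it shows the first layout warns although the public name is covered via ServerAlias, while the second layout is silent, which is the distinction the thread is trying to pin down.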