On Mon, Mar 06, 2000, Gsandtner Michael wrote:
> My situation:
> browser <-https-> proxy <-https-> SSL Server
>
> A RewriteRule on proxy (mod_ssl+mod_proxy):
> RewriteRule ^/(.*) https://server.intern/$1 [P]
>
> mod_proxy/mod_ssl acts as a SSL client.
> How can I control on the proxy whether the connected SSL server (in the
> example server.intern) is trusted or not?
> mod_ssl on proxy seems to accept any (not expired) certificate from
> server.intern, not doing the checks a browser does, such as:
> - "Certificate Subject CN" identical to "server name" from URL
> - a trusted CA in the chain of certificate presented by server
> (SSLCACertificatePath seems only to affect Client authentication)

For this backend server authentication you need the latest
mod_ssl 2.6 and build the enhanced HTTPS proxy support by using
--enable-rule=SSL_EXPERIMENTAL. Then you've a few additional
SSLProxyXXXX directives available which are similar to SSLXXXX for the
HTTPS proxy situation and which can be used for verifying the backend
server.

Ralf S. Engelschall
www.engelschall.com
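
A sketch of the proxy-side configuration the reply points to, added here as an example and not taken from the thread or from the mod_ssl distribution. It sets the front-side SSLXXXX directives next to their back-side SSLProxyXXXX counterparts for the trusted-CA check raised in the question. All file paths, the verify depth and the dedicated CA file are assumptions, and the on/off form of SSLProxyVerify should be confirmed against the documentation of the mod_ssl build in use.

```apache
# Added example (not from the original thread). Assumes mod_ssl 2.6 built
# with --enable-rule=SSL_EXPERIMENTAL. All paths are placeholders.

# --- Front side: proxy acting as SSL server towards the browser ---
SSLEngine on
SSLCertificateFile     /path/to/proxy.crt
SSLCertificateKeyFile  /path/to/proxy.key

# These two only govern verification of *client* certificates sent by
# browsers. They do not influence how the proxy judges server.intern.
SSLVerifyClient        none
SSLCACertificatePath   /path/to/client-ca-dir

# --- Back side: proxy acting as SSL client towards server.intern ---
RewriteEngine on
RewriteRule ^/(.*) https://server.intern/$1 [P]

# Before: with no SSLProxy* verification configured, the proxy behaves as
# described in the question and accepts whatever certificate the backend
# presents.
#
# After: require the backend certificate to chain to a CA the proxy trusts.
SSLProxyVerify             on
SSLProxyVerifyDepth        2

# Assumption: a dedicated file holding only the CA that issues certificates
# for internal backends, so that a certificate from any other CA is refused
# even if that CA is trusted elsewhere on the host.
SSLProxyCACertificateFile  /path/to/internal-backend-ca.crt

# Chain verification answers "was this certificate issued by a trusted CA".
# Comparing the certificate Subject CN with the host name in the URL is a
# separate check and is not configured by the directives above.
```

After enabling this, a request through the proxy to a backend whose certificate was issued by a CA outside the configured file should fail, which is a quick way to confirm that verification is active.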