Bug#813822: Update on the status
After sending the patch I did more tests with different backend real servers
and found out that Apache 2.4 as a server doesn't like to be asked for an SNI
hostname different from the hostname in the Host header and gives an error.
I've found a more complete patch available here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=54656
But the discussion seems to have ended there. From what I see, if you want
ProxyPreserveHost you must have the frontend certs available at the backend,
at least with Apache backend servers, as that's how they are implementing
this: the Host header must match the certificate name.
Before SNI on Apache you could have a backend server with its own
certificate serving a Host of another domain, but this is no longer allowed.
I really think they should think about this again; IMHO the backend server
should allow a mismatch if the requests are coming through a proxy or if a
directive tells it to do so, something like SSLStrictSNIVHostCheck but one
that relaxes the check. Not allowing this will mean that people won't check or
use certificates from the frontend to the backend, which means lower security
:-(
Regards.
--
Manty/BestiaTester -> http://manty.net
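As an added illustration (not part of the bug report above, and not the patch it references), the following httpd configuration fragment shows the arrangement the message says Apache backends currently require: the reverse proxy keeps the client's Host header with ProxyPreserveHost, verifies the backend's certificate, and the backend vhost is therefore served with a certificate that also covers the public frontend name. All hostnames, file paths and the backend address are constructed placeholders.

```apache
# ---- Frontend reverse proxy (constructed example, not from the report) ----
<VirtualHost *:443>
    ServerName www.example.test
    SSLEngine On
    SSLCertificateFile    /etc/ssl/example/frontend.crt
    SSLCertificateKeyFile /etc/ssl/example/frontend.key

    # Talk TLS to the backend and actually verify its certificate.
    # Without ProxyPreserveHost the Host header sent upstream would be the
    # backend name, so the SNI name and Host name would agree by default.
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/example/internal-ca.crt
    SSLProxyCheckPeerName on

    # Keep the client's Host header (www.example.test) on the upstream request.
    # With an Apache 2.4 backend the SNI name and Host header then have to map
    # to the same TLS setup, which is what the backend vhost below provides.
    ProxyPreserveHost On
    ProxyPass        / https://backend.internal.test:8443/
    ProxyPassReverse / https://backend.internal.test:8443/
</VirtualHost>

# ---- Backend origin server (constructed example) ----
<VirtualHost *:8443>
    # Answer to both the internal name and the public name the proxy forwards,
    # from a single vhost so both names share one TLS configuration.
    ServerName  backend.internal.test
    ServerAlias www.example.test
    SSLEngine On
    # Certificate issued by the internal CA with SANs for BOTH names; this is
    # the "frontend certs available at the backend" requirement from the report.
    SSLCertificateFile    /etc/ssl/example/backend-with-frontend-san.crt
    SSLCertificateKeyFile /etc/ssl/example/backend.key
    # Optional: reject SNI names that match no vhost at all.
    SSLStrictSNIVHostCheck on
</VirtualHost>
```

The point of the single backend vhost with a ServerAlias is that both the SNI name and the preserved Host name resolve to the same SSL configuration, so the backend has no mismatch to reject, while the proxy still gets to verify the upstream certificate instead of disabling peer checks to work around the error.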