Bug#813822: Update on the status

To: 813822@bugs.debian.org
Subject: Bug#813822: Update on the status
From: Santiago Garcia Mantinan <manty@debian.org>
Date: Wed, 16 Mar 2016 15:37:06 +0100
Message-id: <[🔎] 20160316143706.GA21707@www.manty.net>
Reply-to: Santiago Garcia Mantinan <manty@debian.org>, 813822@bugs.debian.org

After sending the patch I did more tests with different backend real servers
and found out that apache 2.4 as a server doesn't like to be asked for a SNI
hostname different than the hostname on the Host header and gives an error.

I've found a more complete patch available here:
https://bz.apache.org/bugzilla/show_bug.cgi?id=54656

But the discussion seems to have ended there, for what I see, if you want
ProxyPreserveHost you must have the frontend certs available at the backend,
at least with apache backend servers, as that's how they are implementing
this, the Host header must match the certificate name.

Before SNI on apache you could have a backend server with its own
certificate serving a Host of another domain, but this is no longer allowed. 
I really think they should think about this again, IMHO the backend server
should allow a mismatch if they are coming through a proxy or if a directive
tells it to do so, something like SSLStrictSNIVHostCheck but that relaxes
the check.  Not allowing this will mean that people won't check or use
certificates from the frontend to the backend, which means lower security
:-(

Regards.
-- 
Manty/BestiaTester -> http://manty.net

Reply to:

Prev by Date: They kill with wars, alcohol and abortions. Save us!!!
Next by Date: Bug#798430: apache2: please add systemd service file
Previous by thread: They kill with wars, alcohol and abortions. Save us!!!
Next by thread: Bug#798430: apache2: please add systemd service file
Index(es):
- Date
- Thread