From: Kaspar Brand
Description: | Whether to check the remote server certificates CN field + |
---|---|
Description: | Whether to check the remote server certificate's CN field |
Syntax: | SSLProxyCheckPeerCN on|off |
Default: | SSLProxyCheckPeerCN on |
Module: | mod_ssl |
-This directive sets whether the remote server certificates CN field is +This directive sets whether the remote server certificate's CN field is compared against the hostname of the request URL. If both are not equal a 502 status code (Bad Gateway) is sent.
+
+SSLProxyCheckPeerCN has been superseded by
+SSLProxyCheckPeerName
, and its
+setting is only taken into account when
+SSLProxyCheckPeerName off
is specified at the same time.
+
SSLProxyCheckPeerCN on@@ -1458,6 +1465,36 @@ SSLProxyCheckPeerExpire on
Description: | Configure host name checking for remote server certificates + |
---|---|
Syntax: | SSLProxyCheckPeerName on|off |
Default: | SSLProxyCheckPeerName on |
Context: | server config, virtual host |
Status: | Extension |
Module: | mod_ssl |
+This directive configures host name checking for server certificates
+when mod_ssl is acting as an SSL client. The check will
+succeed if the host name from the request URI is found in
+either the subjectAltName extension or (one of) the CN attribute(s)
+in the certificate's subject. If the check fails, the SSL request
+is aborted and a 502 status code (Bad Gateway) is returned.
+The directive supersedes SSLProxyCheckPeerCN
,
+which only checks for the expected host name in the first CN attribute.
+
+Wildcard matching is supported in one specific flavor: subjectAltName entries
+of type dNSName or CN attributes starting with *.
will match
+for any DNS name with the same number of labels and the same suffix
+(i.e., *.example.org
matches for foo.example.org
,
+but not for foo.bar.example.org
).
+
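Review bot: Hunk 1 (SSLProxyCheckPeerCN): the added paragraph says the directive is only taken into account when `SSLProxyCheckPeerName off` is specified, yet the table still lists `Default: SSLProxyCheckPeerCN on` with nothing saying that, under SSLProxyCheckPeerName's own default of `on`, this setting is inert. Suggest stating that outright, e.g. "With the default SSLProxyCheckPeerName on this directive has no effect; it is only consulted when SSLProxyCheckPeerName is explicitly set to off", so a reader neither assumes `SSLProxyCheckPeerCN off` alone disables host name verification nor that `on` adds a second check on top of SSLProxyCheckPeerName. It would also help to say here why the old directive was superseded: hunk 2 notes it "only checks for the expected host name in the first CN attribute", i.e. it never looks at the subjectAltName extension.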
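Review bot: Hunk 2 (SSLProxyCheckPeerName): the description says the check succeeds if the host name is found in "either the subjectAltName extension or (one of) the CN attribute(s)", which leaves open whether the CN is still consulted when the certificate does carry a subjectAltName extension; since accepting a CN match in that case is the more lenient reading, the text should say which behaviour applies. Two smaller points: this is a newly added directive but its table has no Compatibility row naming the release it first ships in (please add one, with the version taken from the release notes rather than guessed), and the wildcard paragraph, which already restricts matching to names "starting with *.", could say explicitly that the wildcard must be the entire leftmost label and that partial-label forms are not matched, so "one specific flavor" is spelled out rather than left to inference.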