From: Joe Orton
Date: Thu, 1 Sep 2005 14:49:12 +0000 (+0000)
Subject: Introduce SSLProxyVerify better. Add a warning note on exactly
X-Git-Tag: 2.3.0~3024
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=579ef38a3efd2f953214b84c5a9b8a816a7fb859;p=apache

Introduce SSLProxyVerify better. Add a warning note on exactly what verification is done by the proxy in the proxy-to-SSL-server case.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@265741 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index e35b9a5383..f97a5584dc 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1390,14 +1390,29 @@ SSLProxyMachineCertificateFile /usr/local/apache2/conf/ssl.crt/proxy.pem AuthConfig -

-This directive sets the Certificate verification level for the remote server -Authentication. Notice that this directive can be used both in per-server and -per-directory context. In per-server context it applies to the remote server -authentication process used in the standard SSL handshake when a connection is -established. In per-directory context it forces a SSL renegotation with the -reconfigured remote server verification level after the HTTP request was read but -before the HTTP response is sent.

+ +

When a proxy is configured to forward requests to a remote SSL +server, this directive can be used to configure certificate +verification of the remote server. Notice that this directive can be +used both in per-server and per-directory context. In per-server +context it applies to the remote server authentication process used in +the standard SSL handshake when a connection is established by the +proxy. In per-directory context it forces a SSL renegotation with the +reconfigured remote server verification level after the HTTP request +was read but before the HTTP response is sent.

+ + +

Note that even when certificate verification is enabled, +mod_ssl does not check whether the +commonName (hostname) attribute of the server certificate +matches the hostname used to connect to the server. In other words, +the proxy does not guarantee that the SSL connection to the backend +server is "secure" beyond the fact that the certificate is signed by +one of the CAs configured using the +SSLProxyCACertificatePath and/or +SSLProxyCACertificateFile directives.

+
+

The following levels are available for level:
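Review bot: the rewritten paragraph carries over the typo "renegotation" from the removed text; it should read "an SSL renegotiation" ("a SSL" is also wrong). In the new warning note, it would help administrators to spell out the practical consequence of the missing commonName check: since any certificate signed by a CA listed via SSLProxyCACertificatePath or SSLProxyCACertificateFile is accepted regardless of which hostname it names, those directives should point at a CA (or the specific server certificates) that issues only the intended backend servers' certificates, not a general-purpose CA bundle, otherwise any holder of a certificate from such a bundle can impersonate the backend to the proxy.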