Mod_proxy SSL certificate verification

 
Post new topic   Reply to topic    Apache Forum Index -> Apache third-party Modules



View previous topic :: View next topic  
Author Message
owensy (Joined: 15 Sep 2015, Posts: 4)
Posted: Thu 17 Sep '15 17:41    Post subject: Mod_proxy SSL certificate verification

Hi

Can anyone explain how mod_proxy verifies the certificate when making a call out via SSL to an address, if it verifies them at all?

My config is as below, and it works... but I'm not sure the connection will be 100% secure if it doesn't verify the certificate it receives from the website.

If someone could clarify it for me that would be great, and suggest what I'm missing. I've tried googling it but all I could find was examples of calling into Apache via https, rather than Apache calling out to an https link.

NameVirtualHost *:80
<VirtualHost *:80>
ServerName server1234
SSLProxyEngine On
RequestHeader set Front-End-Https "On"
CacheDisable *
ProxyRemote * https://internetproxy:8080
ProxyPass /testssl https://examplehttpslink.com
ProxyPassReverse /testssl https://examplehttpslink.com
</VirtualHost>

Thanks

James Blond, Moderator (Joined: 19 Jan 2006, Posts: 6385, Location: Germany, Next to Hamburg)
Posted: Sat 19 Sep '15 10:50

You can use

SSLProxyCheckPeerCN
SSLProxyCheckPeerName

You may check the manual http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslproxycheckpeercn

owensy (Joined: 15 Sep 2015, Posts: 4)
Posted: Thu 24 Sep '15 17:38

Thanks for that James

I'm using SSLProxyCheckPeerCN and also SSLProxyCheckPeerExpire now.

I thought I'd go a step further and also use SSLProxyVerify require with SSLProxyCACertificateFile and the location of the crt file... however, with this option enabled I get a 502 and the logs show "Certificate Verification: Error (19): self signed certificate in certificate chain". The calling site's certificates don't seem to be self signed, and nothing in my crt file is either... so I don't know where it's getting this from??

owensy (Joined: 15 Sep 2015, Posts: 4)
Posted: Mon 28 Sep '15 16:45

I got to the bottom of this: the file my SSLProxyCACertificateFile was pointing to was completely wrong, so it made sense it would return an error to say it was self signed.
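
The directives named in this thread, combined into one virtual host, as an added example that is not configuration posted by either participant. The CA bundle path and the verify depth are assumptions to adapt; host names are the ones from the original post.

```apache
<VirtualHost *:80>
    ServerName server1234
    SSLProxyEngine On

    # Chain validation for the outbound (backend) TLS connection.
    # The documented default is "SSLProxyVerify none": the backend's
    # chain is not validated against any CA. The name and expiry checks
    # below do not by themselves prove the certificate was issued by a
    # CA you trust.
    SSLProxyVerify require

    # Default depth is 1 (backend certificate signed by a CA that is
    # directly in the CA file). A chain with intermediate CAs needs more.
    # The value 3 is an assumption, not taken from the thread.
    SSLProxyVerifyDepth 3

    # PEM file with the CA certificate(s) that issued the backend's chain.
    # Placeholder path. If the root at the top of the backend's chain is
    # not in this file, OpenSSL reports verification error 19,
    # "self signed certificate in certificate chain", and mod_proxy
    # answers 502, which is the symptom described in the thread.
    SSLProxyCACertificateFile "/path/to/backend-ca-bundle.crt"

    # Identity and validity checks on the backend certificate.
    # From 2.4.5 on, SSLProxyCheckPeerName supersedes SSLProxyCheckPeerCN;
    # the CN setting only matters when CheckPeerName is Off.
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerCN On
    SSLProxyCheckPeerExpire On

    RequestHeader set Front-End-Https "On"
    CacheDisable *
    ProxyRemote * https://internetproxy:8080
    ProxyPass /testssl https://examplehttpslink.com
    ProxyPassReverse /testssl https://examplehttpslink.com
</VirtualHost>
```

The bundle can be checked before reloading Apache by connecting to the backend with `openssl s_client -CAfile` pointed at the same file and reading the reported verify return code.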