Re: minor nit in mod_ssl


On Wed, Sep 19, 2018 at 6:39 AM Stefan Eissing <stefan.eissing@xxxxxxxxxxxxx> wrote:

> On 18.09.2018 at 15:44, Houser, Rick <rick.houser@xxxxxxxxxxx> wrote:
>
> > In the same vein, I’ve been running this patch on our builds to get around a warning for certificates not matching the hostname.  Certificates are not expected to match the hostname with many load balancing/uptime detection schemes, and this one logs a LOT when it trips on every vhost.  Perhaps this patch should share the same fate as decided for the TLS missing SNI issue?
>
> Not sure I understand your setup here. Is this the ServerName from the global server? Otherwise, in a VirtualHost why would you not set the ServerName to the hostname you are serving?

Envision a TCP load balancer routing TLS-crypted traffic across a number 
of internal hosts, with each of the named virtual hosts presenting the correct
certificate, and known to httpd by their ServerAlias on the outer-facing interface.
Not terminated at the edge balancer.

There is the issue of keeping TLS session key encoding in sync across 
the backends, obviously.