Topic: Mod_proxy SSL certificate verification
owensy
Joined: 15 Sep 2015 Posts: 4
Posted: Thu 17 Sep '15 17:41 Post subject: Mod_proxy SSL certificate verification
Hi
Can anyone explain how mod_proxy verifies the certificate when making a call out via SSL to an address, if it verifies them at all?
My config is as below, and it works... but I'm not sure the connection will be 100% secure if it doesn't verify the certificate it receives from the website.
If someone could clarify it for me that would be great, and suggest what I'm missing. I've tried googling it but all I could find was examples of calling into Apache via https, rather than Apache calling out to an https link.
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName server1234
    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    CacheDisable *
    ProxyRemote * https://internetproxy:8080
    ProxyPass /testssl https://examplehttpslink.com
    ProxyPassReverse /testssl https://examplehttpslink.com
</VirtualHost>
Thanks
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7371 Location: Germany, Next to Hamburg
owensy
Joined: 15 Sep 2015 Posts: 4
Posted: Thu 24 Sep '15 17:38
Thanks for that, James.
I'm using SSLProxyCheckPeerCN and also SSLProxyCheckPeerExpire now.
I thought I'd go a step further and also use SSLProxyVerify require with SSLProxyCACertificateFile and the location of the crt file... however, with this option enabled I get a 502 and the logs show "Certificate Verification: Error (19): self signed certificate in certificate chain". The calling site's certificates don't seem to be self signed, and nothing in my crt file is either... so I don't know where it's getting this from??
owensy
Joined: 15 Sep 2015 Posts: 4
Posted: Mon 28 Sep '15 16:45
I got to the bottom of this: the file my SSLProxyCACertificateFile was pointing to was completely wrong, so it made sense it would return an error to say it was self signed.
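
Added example, not part of the thread: the virtual host from the question with verification of the remote server's certificate enabled, using the directives named in the replies. The CA bundle path and the verify depth are assumptions; mod_ssl's default for SSLProxyVerify is none, so the original configuration does not validate the remote chain against a trusted CA.

```apache
# Added example. Hostnames are the ones from the question; the CA bundle
# path and the depth value are placeholders to adapt.
<VirtualHost *:80>
    ServerName server1234

    # Allow mod_proxy to open TLS connections to https:// backends.
    SSLProxyEngine On

    # Require the remote server to present a certificate whose chain
    # validates against the CA file below. With the default (none) the
    # chain is not checked against any trust store.
    SSLProxyVerify require

    # Maximum number of CA certificates allowed between the server
    # certificate and a trusted root (assumed value).
    SSLProxyVerifyDepth 3

    # PEM file holding the CA certificate(s) that actually issued the remote
    # site's certificate. As the thread shows, pointing this at the wrong
    # file makes verification fail and the proxy answer 502.
    # Placeholder path, resolved relative to ServerRoot.
    SSLProxyCACertificateFile "conf/ssl/backend-ca-bundle.crt"

    # Compare the requested hostname with the names in the certificate.
    # SSLProxyCheckPeerName exists in Apache 2.4.5 and later and supersedes
    # SSLProxyCheckPeerCN there; the CN check only applies when it is off.
    SSLProxyCheckPeerName On
    SSLProxyCheckPeerCN On

    # Reject a remote certificate that has expired.
    SSLProxyCheckPeerExpire On

    # Remaining lines are unchanged from the question.
    RequestHeader set Front-End-Https "On"
    CacheDisable *
    ProxyRemote * https://internetproxy:8080
    ProxyPass /testssl https://examplehttpslink.com
    ProxyPassReverse /testssl https://examplehttpslink.com
</VirtualHost>
```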