* Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives to enable

stricter checking of remote server certificates. (docs/manual/mod/mod_ssl.xml) Documentation of SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN. (modules/proxy/mod_proxy_http.c) Set the hostname of the request URL as note on the connection. (modules/ssl/ssl_private.h) Add proxy_ssl_check_peer_expire and proxy_ssl_check_peer_cn fields to the SSLSrvConfigRec. (modules/ssl/ssl_engine_config.c) Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN. (modules/ssl/ssl_engine_io.c) Check whether the remote servers certificate is expired / if there is a mismatch between the requested hostanme and the remote server certificates CN field. Be able to parse ASN1 times. (modules/ssl/mod_ssl.c) Directives stuff for SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@760866 13f79535-47bb-0310-9956-ffa450edef68
2025-08-08 15:02:10 +03:00 · 2009-04-01 12:07:47 +00:00
parent 23ac01a833
commit e468a9fae6
7 changed files with 155 additions and 0 deletions
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -166,6 +166,10 @@ static const command_rec ssl_config_cmds[] = {
    SSL_CMD_SRV(ProxyMachineCertificatePath, TAKE1,
               "SSL Proxy: directory containing client certificates "
               "(`/path/to/dir' - contains PEM encoded certificates)")
+    SSL_CMD_SRV(ProxyCheckPeerExpire, FLAG,
+                "SSL Proxy: check the peers certificate expiration date")
+    SSL_CMD_SRV(ProxyCheckPeerCN, FLAG,
+                "SSL Proxy: check the peers certificate CN")

    /*
     * Per-directory context configuration directives