Does proxy_ssl_verify verify server name?

Hello
I’m trying to enable this option on a proxy_pass location:

 proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
 proxy_ssl_verify on;
 proxy_ssl_verify_depth 9

/etc/ssl/certs/ca-certificates.crt is compiled by update-ca-certificates
(http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html)

My understanding is that this option will prevent, for example,
self-signed certificates or certificates where the server name requested
is different than in the certificate, is that correct?

I have tried it and while it works for self-signed (returns 502) it
still lets a non matching server name through the proxy (properly signed
certificate, but wrong name)

Thanks
Richard

Hello!

On Wed, Feb 10, 2016 at 04:25:06PM +0000, Richard K. wrote:

certificates or certificates where the server name requested is different
than in the certificate, is that correct?

Yes.

I have tried it and while it works for self-signed (returns 502) it still
lets a non matching server name through the proxy (properly signed
certificate, but wrong name)

Please provide an example.


Maxim D.
http://nginx.org/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs