Bug 64352 - Add an equivalent of SSLOpenSSLConfCmd for proxy HTTPS connections
Summary: Add an equivalent of SSLOpenSSLConfCmd for proxy HTTPS connections
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2020-04-15 10:09 UTC by Fiona Klute
Modified: 2020-04-15 10:09 UTC
Description Fiona Klute 2020-04-15 10:09:22 UTC
I need to use Apache HTTPD in a reverse proxy configuration, with HTTPS connections to the backend servers. The problem is that the backend servers must use ECDSA certificates using Brainpool curves, which are not enabled by default in OpenSSL.

When using HTTPD as the server, I can enable the needed Brainpool curves using the SSLOpenSSLConfCmd directive (e.g. SSLOpenSSLConfCmd Curves brainpoolP384r1:brainpoolP256r1), but currently there is no such option to configure proxy connections where mod_ssl acts as the TLS client. Because of this, mod_ssl always rejects the server certificate, even with the default "SSLProxyVerify none" setting.

In line with the existing directives, I'm proposing a SSLProxyOpenSSLConfCmd directive to solve that problem. I've made a pull request on GitHub:

https://github.com/apache/httpd/pull/105

This works for me as is, but I'm happy to make adjustments if requested.