Bug 66336 - Wrong SNI name in proxy connections
Summary: Wrong SNI name in proxy connections
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_http (show other bugs)
Version: 2.4.54
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Reported: 2022-11-02 12:21 UTC by Bernard Spil
Modified: 2022-11-02 12:21 UTC (History)
Description Bernard Spil 2022-11-02 12:21:46 UTC
Reverse Proxy connections use the ServerName value in the server_name extension of the Client Hello SSL handshake.

Tried both mod_proxy_http and mod_proxy_http2 connections with SSLProxyEngine enabled to a remote with a valid certificate.
When using SSLProxyCheckPeerName Off, the chain validation is OK.

Steps to Reproduce:

> Define vhost external.example.com
> Define NextHopUrl https://internal.example.net
>
> <VirtualHost *:443>
>     ServerName  https://${vhost}
>     SSLCertificateFile    /etc/ssl/certs/${vhost}.pem
>     SSLCertificateKeyFile /etc/ssl/private/${vhost}.pem
>
>     LogLevel warn ssl_module:info
>
>     SSLEngine On
>     Protocols h2 http/1.1
>
>     SSLProxyEngine On
>     SSLProxyCheckPeerCN on
>
>     RequestHeader set ClientProtocol https
>     Header Unset Strict-Transport-Security
>     Header Always set Strict-Transport-Security "max-age=63072000"
>
>     ProxyPass        / ${NextHopUrl}/
>     ProxyPassReverse / ${NextHopUrl}/
> </VirtualHost>

The alternative with HTTP/2 fails similarly:
> Define NextHopUrl h2://internal.example.net

Expected result:
Connection from the Apache server to `internal.example.net` with SNI (SSL Client Hello server_name extension) `internal.example.net`.

Actual Result:
Connection from the Apache server to `internal.example.net` with SNI `external.example.com` (in network capture). Chain validation fails and Apache returns a 502 error.

> *Proxy Error*
> 
> The proxy server could not handle the request
> Reason: *Error during SSL Handshake with remote server*

Note: For HTTP/2 it returns a *503 Service Unavailable*

From ErrorLog:

> [Wed Nov 02 11:27:01.777115 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01964: Connection to child 0 established (server external.example.com:443)
> [Wed Nov 02 11:27:01.796268 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH02411: SSL Proxy: Peer certificate does not match for hostname external.example.com
> [Wed Nov 02 11:27:01.796502 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01998: Connection closed to child 0 with abortive shutdown (server external.example.com:443)
> [Wed Nov 02 11:27:01.796699 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01997: SSL handshake failed: sending 502
> [Wed Nov 02 11:27:01.796818 2022] [proxy:error] [pid 21222:tid 140410820142784] (20014)Internal error (specific information not available): [client 233.252.0.3:13994] AH01084: pass request body failed to 192.168.0.2:443 (internal.example.net), referer: https://www.example.com/
> [Wed Nov 02 11:27:01.796927 2022] [proxy:error] [pid 21222:tid 140410820142784] [client 233.252.0.3:13994] AH00898: Error during SSL Handshake with remote server returned by /acme.sh/index.html, referer: https://www.example.com/
> [Wed Nov 02 11:27:01.797042 2022] [proxy_http:error] [pid 21222:tid 140410820142784] [client 233.252.0.3:13994] AH01097: pass request body failed to 192.168.0.2:443 (internal.example.net) from 233.252.0.3 (), referer: https://www.example.com/

Note: Using HTTP/2 there are no proxy_http2 errors, only the ssl:info lines appear.

Problem exists on:
Ubuntu 22.04.1 / Apache 2.5.52 / OpenSSL 3.0.2 (Ubuntu repo) / Azure VM
Ubuntu 22.10 / Apache 2.5.54 / OpenSSL 3.0.2 (Ubuntu repo)/ Azure VM

Unable to reproduce on:
Ubuntu 22.10 / Apache 2.5.54 from Ubuntu repo / WSL
Fedora 37 / Apache 2.5.54 / VMWare
FreeBSD 13.1 / Apache 2.5.56 / LibreSSL 3.5 / amd64 clang
FreeBSD 13.1 / Apache 2.5.56 / OpenSSL 3.0.7 / amd64 clang

Additional info:
The server where the issue appears hosts ~200 VirtualHosts spread over 16 SAN Certificates.
The SubjectAltNames for the ServerName are symlinked to the actual key/cert.
Configuration is templated and uses `Define`s and `IfDefine` blocks to configure the VirtualHosts. Every external site has its own configuration file in sites-available (Debian layout).

> Define vhost external.example.com
> Define NextHopUrl https://internal.example.net
>
> Include templates/ProxyAll.conf

> # ProxyAll.conf
> <VirtualHost *:443>
>   ServerName ${vhost}
>   SSLCertificateFile    /etc/ssl/certs/${vhost}.pem
>   SSLCertificateKeyFile /etc/ssl/private/${vhost}.pem
>   SSLProxyEngine On
> <IfDefine AkamaiProtected>
>   Include templates/SiteShield.conf
> </IfDefine>
> <IfDefine IgnoreCertErr>
>   SSLProxyCheckPeerCN off
>   SSLProxyCheckPeerName off
>   SSLProxyCheckPeerExpire off
> </IfDefine>
>   ProxyPass / ${NextHopUrl}/
> ... etc ...
> </VirtualHost>

Switching ProxyPreserveHost makes no difference.
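As an added triage aid (not part of the bug report or of httpd), the following Python script correlates the `AH02411` peer-name failure with the `AH01084`/`AH01097` proxy error on the same worker thread and separates "peer name checked against the frontend ServerName" (the symptom reported here) from an ordinary certificate mismatch on the backend. The sample log is constructed from the lines quoted above plus one control thread.

```python
import re

# Constructed sample modelled on the ErrorLog in the report: thread ...784 shows the
# reported symptom (peer name checked = frontend vhost, backend = internal.example.net);
# thread ...785 is a constructed control where the backend's own name was checked.
SAMPLE_LOG = """\
[Wed Nov 02 11:27:01.777115 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01964: Connection to child 0 established (server external.example.com:443)
[Wed Nov 02 11:27:01.796268 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH02411: SSL Proxy: Peer certificate does not match for hostname external.example.com
[Wed Nov 02 11:27:01.796818 2022] [proxy:error] [pid 21222:tid 140410820142784] (20014)Internal error (specific information not available): [client 233.252.0.3:13994] AH01084: pass request body failed to 192.168.0.2:443 (internal.example.net), referer: https://www.example.com/
[Wed Nov 02 11:30:00.000000 2022] [ssl:info] [pid 21222:tid 140410820142785] [remote 192.168.0.9:443] AH02411: SSL Proxy: Peer certificate does not match for hostname other.example.net
[Wed Nov 02 11:30:00.000100 2022] [proxy:error] [pid 21222:tid 140410820142785] [client 233.252.0.3:14000] AH01084: pass request body failed to 192.168.0.9:443 (other.example.net)
"""

THREAD = r"\[pid (?P<pid>\d+):tid (?P<tid>\d+)\]"
PEER_MISMATCH = re.compile(THREAD + r".*AH02411: SSL Proxy: Peer certificate does not match for hostname (?P<checked>\S+)")
BACKEND = re.compile(THREAD + r".*AH0(?:1084|1097): pass request body failed to (?P<addr>\S+) \((?P<backend>[^)]+)\)")


def triage_peer_name_failures(log_text):
    """Correlate AH02411 with AH01084/AH01097 per worker thread and classify each failure."""
    checked = {}   # (pid, tid) -> hostname the peer certificate was checked against
    backends = {}  # (pid, tid) -> (backend hostname from the ProxyPass target, ip:port)
    for line in log_text.splitlines():
        m = PEER_MISMATCH.search(line)
        if m:
            checked[(m["pid"], m["tid"])] = m["checked"]
            continue
        m = BACKEND.search(line)
        if m:
            backends[(m["pid"], m["tid"])] = (m["backend"], m["addr"])
    findings = []
    for thread, name in checked.items():
        if thread not in backends:
            continue  # no proxy error on this thread, nothing to correlate
        backend, addr = backends[thread]
        if name.lower() == backend.lower():
            verdict = "cert-mismatch"    # backend really presented a cert for another name
        else:
            verdict = "wrong-peer-name"  # checked name differs from the ProxyPass host
        findings.append({"thread": "%s:%s" % thread, "checked": name,
                         "backend": backend, "addr": addr, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in triage_peer_name_failures(SAMPLE_LOG):
        print(finding)
```

A "wrong-peer-name" verdict means the backend certificate was checked (and, per the report, SNI sent) for a name other than the ProxyPass host, so fixing the backend certificate would not help.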