Reverse Proxy connections use the ServerName value in the server_name Client Hello SSL handshake. Tried both mod_proxy_http and mod_proxy_http2 connections with SSLProxyEngine enabled to a remote with a valid certificate. When using SSLProxyCheckPeerName Off, the chain validation is OK.

Steps to Reproduce:

> Define vhost external.example.com
> Define NextHopUrl https://internal.example.net
>
> <VirtualHost *:443>
> ServerName https://${vhost}
> SSLCertificateFile /etc/ssl/certs/${vhost}.pem
> SSLCertificateKeyFile /etc/ssl/private/${vhost}.pem
>
> LogLevel warn ssl_module:info
>
> SSLEngine On
> Protocols h2 http/1.1
>
> SSLProxyEngine On
> SSLProxyCheckPeerCN on
>
> RequestHeader set ClientProtocol https
> Header Unset Strict-Transport-Security
> Header Always set Strict-Transport-Security "max-age=63072000"
>
> ProxyPass / ${NextHopUrl}/
> ProxyPassReverse / ${NextHopUrl}/
> </VirtualHost>

The alternative with HTTP/2 fails similarly:

> Define NextHopUrl h2://internal.example.net

Expected result: Connection from the Apache server to `internal.example.net` with SNI (SSL Client Hello server_name extension) `internal.example.net`.

Actual Result: Connection from the Apache server to `internal.example.net` with SNI `external.example.com` (in network capture).
Chain validation fails and Apache returns a 502 error:

> *Proxy Error*
>
> The proxy server could not handle the request
> Reason: *Error during SSL Handshake with remote server*

Note: For HTTP/2 it returns a *503 Service Unavailable*

From ErrorLog:

> [Wed Nov 02 11:27:01.777115 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01964: Connection to child 0 established (server external.example.com:443)
> [Wed Nov 02 11:27:01.796268 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH02411: SSL Proxy: Peer certificate does not match for hostname external.example.com
> [Wed Nov 02 11:27:01.796502 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01998: Connection closed to child 0 with abortive shutdown (server external.example.com:443)
> [Wed Nov 02 11:27:01.796699 2022] [ssl:info] [pid 21222:tid 140410820142784] [remote 192.168.0.2:443] AH01997: SSL handshake failed: sending 502
> [Wed Nov 02 11:27:01.796818 2022] [proxy:error] [pid 21222:tid 140410820142784] (20014)Internal error (specific information not available): [client 233.252.0.3:13994] AH01084: pass request body failed to 192.168.0.2:443 (internal.example.net), referer: https://www.example.com/
> [Wed Nov 02 11:27:01.796927 2022] [proxy:error] [pid 21222:tid 140410820142784] [client 233.252.0.3:13994] AH00898: Error during SSL Handshake with remote server returned by /acme.sh/index.html, referer: https://www.example.com/
> [Wed Nov 02 11:27:01.797042 2022] [proxy_http:error] [pid 21222:tid 140410820142784] [client 233.252.0.3:13994] AH01097: pass request body failed to 192.168.0.2:443 (internal.example.net) from 233.252.0.3 (), referer: https://www.example.com/

Note: Using HTTP/2 there are no proxy_http2 errors, only the ssl:info appears.
Problem exists on:

Ubuntu 22.04.1 / Apache 2.5.52 / OpenSSL 3.0.2 (Ubuntu repo) / Azure VM
Ubuntu 22.10 / Apache 2.5.54 / OpenSSL 3.0.2 (Ubuntu repo) / Azure VM

Unable to reproduce on:

Ubuntu 22.10 / Apache 2.5.54 from Ubuntu repo / WSL
Fedora 37 / Apache 2.5.54 / VMWare
FreeBSD 13.1 / Apache 2.5.56 / LibreSSL 3.5 / amd64 clang
FreeBSD 13.1 / Apache 2.5.56 / OpenSSL 3.0.7 / amd64 clang

Additional info:

The server where the issue appears hosts ~200 VirtualHosts spread over 16 SAN Certificates. The SubjectAltNames for the ServerName are symlinked to the actual key/cert. Configuration is templated and uses `Define`s and `IfDefine` blocks to configure the VirtualHosts. Every external site has its own configuration file in sites-available (Debian layout).

> Define vhost external.example.com
> Define NextHopUrl https://internal.example.net
>
> Include templates/ProxyAll.conf

> # ProxyAll.conf
> <VirtualHost *:443>
> ServerName ${vhost}
> SSLCertificateFile /etc/ssl/certs/${vhost}.pem
> SSLCertificateKeyFile /etc/ssl/private/${vhost}.pem
> SSLProxyEngine On
> <IfDefine AkamaiProtected>
> Include templates/SiteShield.conf
> </IfDefine>
> <IfDefine IgnoreCertErr>
> SSLProxyCheckPeerCN off
> SSLProxyCheckPeerName off
> SSLProxyCheckPeerExpire off
> </IfDefine>
> ProxyPass / ${NextHopUrl}/
> ... etc ...
> </VirtualHost>

Switching ProxyPreserveHost makes no difference.
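To confirm from a capture which name the proxy actually put in the ClientHello server_name extension (the check behind the "Actual Result" above), here is an added example that is not part of the report and not Apache code: it parses the SNI out of a raw TLS record and, for an offline self-test, has Python's own `ssl` module generate a real ClientHello for a given hostname without any network connection. The hostnames are the report's example names; the helper names are this example's own.

```python
"""Pull the server_name (SNI) out of a raw TLS ClientHello record."""
import ssl
import struct
from typing import Optional


def client_hello_for(server_hostname: str) -> bytes:
    """Produce a genuine ClientHello for `server_hostname` using memory BIOs.
    The handshake stops after the first flight, so nothing leaves the host."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()


def extract_sni(record: bytes) -> Optional[str]:
    """Walk record header -> handshake header -> ClientHello -> extensions and
    return host_name from the server_name (type 0) extension, or None."""
    # record: type(1) version(2) length(2); handshake: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                   # skip version + random
    pos += 1 + record[pos]                             # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                             # compression_methods
    if pos + 2 > len(record):
        return None                                    # no extensions block
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            if record[pos + 2] == 0:                   # name_type host_name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def sni_matches_backend(record: bytes, backend_host: str) -> bool:
    """True when the ClientHello names the backend, as the report expects."""
    return extract_sni(record) == backend_host
```

Feed `extract_sni` the bytes of the first TLS record the proxy sends (exported from the capture) to see whether it carries `internal.example.net` or the front-end `ServerName`.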