does proxy_ssl_verify verify server name?

Maxim Dounin mdounin at mdounin.ru
Wed Feb 10 17:27:37 UTC 2016


Hello!

On Wed, Feb 10, 2016 at 04:25:06PM +0000, Richard Kearsley wrote:

> Hello
> I'm trying to enable this option on a proxy_pass location:
> 
>     proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
>     proxy_ssl_verify on;
>     proxy_ssl_verify_depth 9;
> 
> /etc/ssl/certs/ca-certificates.crt is compiled by update-ca-certificates (http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html)
> 
> My understanding is that this option will prevent, for example, self-signed
> certificates or certificates where the server name requested is different
> than in the certificate, is that correct?

Yes.

> I have tried it and while it works for self-signed (returns 502) it still
> lets a non-matching server name through the proxy (properly signed
> certificate, but wrong name)

Please provide an example.

-- 
Maxim Dounin
http://nginx.org/
