does proxy_ssl_verify verify server name?
Richard Kearsley
richard at kearsley.me
Wed Feb 10 16:25:06 UTC 2016
Hello
I'm trying to enable this option on a proxy_pass location:
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
proxy_ssl_verify on;
proxy_ssl_verify_depth 9;
/etc/ssl/certs/ca-certificates.crt is compiled by update-ca-certificates
(http://manpages.ubuntu.com/manpages/trusty/man8/update-ca-certificates.8.html)
My understanding is that this option will prevent, for example,
self-signed certificates or certificates where the server name requested
is different from the one in the certificate. Is that correct?
I have tried it, and while it works for self-signed (returns 502), it
still lets a non-matching server name through the proxy (properly signed
certificate, but wrong name).
Thanks
Richard
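
Added illustration, not part of the original post and not the nginx project's own example: per the nginx documentation, the name used to verify the proxied server's certificate is set by proxy_ssl_name, which defaults to the host part of the proxy_pass URL. The hostname backend.example.com and the /api/ location are placeholders.

```nginx
# Added example; backend.example.com and /api/ are placeholders.
location /api/ {
    proxy_pass https://backend.example.com;

    # Chain validation against the system CA bundle (as in the post).
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_verify       on;
    proxy_ssl_verify_depth 9;

    # Name the upstream certificate is checked against.
    # Default is $proxy_host (the host part of the proxy_pass URL),
    # so with an IP address or an upstream{} group name in proxy_pass
    # this is the value to set explicitly.
    proxy_ssl_name backend.example.com;

    # Also send that name via SNI (off by default), so an upstream
    # serving several certificates presents the one for this name.
    proxy_ssl_server_name on;
}
```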