does proxy_ssl_verify verify server name?

Richard Kearsley richard at
Wed Feb 10 16:25:06 UTC 2016

I'm trying to enable this option on a proxy_pass location:

     proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
     proxy_ssl_verify on;
     proxy_ssl_verify_depth 9;

/etc/ssl/certs/ca-certificates.crt is compiled by update-ca-certificates.

My understanding is that this option will prevent, for example, 
self-signed certificates or certificates where the server name requested 
is different than in the certificate, is that correct?

I have tried it, and while it works for self-signed (returns 502), it 
still lets a non-matching server name through the proxy (properly signed 
certificate, but wrong name).
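
Added example (not part of the original post, and not nginx project code): a proxy location that sets both the CA bundle for chain validation and the name the upstream certificate is compared against. It assumes nginx 1.7.0 or later, where `proxy_ssl_name` and `proxy_ssl_server_name` exist; `backend_pool`, `192.0.2.10` and `backend.example.com` are placeholders.

```nginx
# Added example; upstream name, address and host name are placeholders.
upstream backend_pool {
    server 192.0.2.10:443;          # documentation-range address
}

server {
    listen 8080;

    location / {
        proxy_pass https://backend_pool;

        # Chain validation: the upstream certificate must chain to a CA
        # in this bundle, within the given depth.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        9;

        # Name validation: the certificate is compared against this name.
        # By default it is the host part of the proxy_pass URL
        # ("backend_pool" here), so state the expected name explicitly
        # when proxy_pass points at an upstream group or an IP address.
        proxy_ssl_name                backend.example.com;

        # Send the same name via SNI so a backend serving several
        # certificates presents the one issued for that name.
        proxy_ssl_server_name         on;
    }
}
```

When checking a setup like this, compare the host part of `proxy_pass` (or the `proxy_ssl_name` value) with the subject names in the certificate the backend presents, since that is the pair the name check applies to.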

