Apache 2.4: SSL handshake not working correct for WebSockets?


I am using Apache as a "WebSocket Relay" that allows local clients to
connect to local ​Apache using "ws://" and Apache then maps this to
"wss://" and passes the request on to the actual serving backend.

I have defined a Virtual Host for this:
SSLProxyEngine On
ProxyRequests Off

<Proxy "*">
Order deny,allow
Deny from all
Allow from

ProxyPass /websocket/ wss://

So a local request to Apache for ws://​​websocket/would
end up in a request to wss://

I have also defined the following security option (amongst others):
SSLProxyCheckPeerCN on
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on
SSLProxyCACertificateFile "/opt/apache2/mycert.pem"
SSLProxyVerify require
SSLProxyVerifyDepth 1

While Apache properly checks if the server provided certificate is
not expired and also matches mycert.pem it does not validate the
subject name or the subject alternative names.

This means when I map the IP address of in /etc/hosts,
to e.g. to, then Apache establishes a secure connection
to however it does not complain about the mismatch
of the hostname in the request ("") vs. the one in
the certificate provided during TLS session establishment ("

When I do the similar thing for HTTP (define Reverse Proxy which does
http-to-https mapping) then Apache corectly refuses the connection as

it realizes that name in certificate provided by server and hostname in

request URL do not match.

Is this a known issue/unimplemented feature or am I missing some
specific configuration here?



Re: Apache 2.4: SSL handshake not working correct

By MarkusG at 12/05/2017 - 08:36

​I looked a little bit deeper into this and found that this looks
like a missing implementation in mod_proxy_wstunnel.

The proxy_wstunnel_handler() (in modules/proxy/mod_proxy_wstunnel.c)
does not set the "proxy-request-hostname" when it creates the
connection to the backend. When the TLS handshake is done then
(in ssl_io_filter_handshake() (in modules/ssl/ssl_engine_io.c))
this causes the check to be omitted.

Looking into the HTTP Proxy implementation proxy_http_handler()
(of module/proxy/mod_proxy_http.c) sets this.

So I filed a bug that describes the issue in detail and proposes
a fix (which I already tested sucessfully):

Defect summary:
Security: Apache 2.4 not verifying URL hostname against certificate
in SSL handshake for WebSockets

2017-12-04 17:04 GMT+01:00 Markus Gausling < ... at googlemail dot com>: