mod_proxy now sets the requested remote host name. Use this to compare
to the CN value of the peer certificate and reject the request if they
do not match (and we have NSSProxyCheckPeerCN set to on).
diff -u --recursive mod_nss-1.0.8.orig/docs/mod_nss.html mod_nss-1.0.8/docs/mod_nss.html
--- mod_nss-1.0.8.orig/docs/mod_nss.html 2006-09-05 10:58:56.000000000 -0400
+++ mod_nss-1.0.8/docs/mod_nss.html 2010-05-13 11:25:42.000000000 -0400
@@ -1028,7 +1028,21 @@
Example
-NSSProxyNickname beta
+NSSProxyNickname beta
NSSProxyCheckPeerCN
+
+
+
+Compare the CN value of the peer certificate with the hostname being
+requested. If this is set to on, the default, then the request will
+fail if they do not match. If this is set to off then this comparison
+is not done. Note that this test is your only protection against a
+man-in-the-middle attack so leaving this as on is strongly recommended.
+
+Example
+
+NSSProcyCheckPeerCN
+on
+
1038,1039c1038,1039
-< APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *));
-< APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
----
-> APR_DECLARE_OPTIONAL_FN(int, nss_proxy_enable, (conn_rec *));
-> APR_DECLARE_OPTIONAL_FN(int, nss_engine_disable, (conn_rec *));
-1041,1042c1041,1042
-< static APR_OPTIONAL_FN_TYPE(ssl_proxy_enable) *proxy_ssl_enable =
-NULL;
-< static APR_OPTIONAL_FN_TYPE(ssl_engine_disable) *proxy_ssl_disable
-= NULL;
----
-> static APR_OPTIONAL_FN_TYPE(nss_proxy_enable) *proxy_ssl_enable =
-NULL;
-> static APR_OPTIONAL_FN_TYPE(nss_engine_disable) *proxy_ssl_disable
-= NULL;
-1069,1070c1069,1070
-< proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_proxy_enable);
-< proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(ssl_engine_disable);
----
-> proxy_ssl_enable =
-APR_RETRIEVE_OPTIONAL_FN(nss_proxy_enable);
-> proxy_ssl_disable =
-APR_RETRIEVE_OPTIONAL_FN(nss_engine_disable);
-