A backend API team asked me to create a proxy to their service on AWS and to secure the backend connection with mutual TLS. I noticed right away that they had not configured TLS correctly. They used a certificate issued to other backend services we have, where the cert has a wildcard like "CN=*.mycompany.com". This team didn't create a custom DNS name, so their host name is like "whatever.amazonaws.com".
If you open their host in a browser it says "Not Secure". It crosses out the "HTTPS" and shows an error message "NET::ERR_CERT_COMMON_NAME_INVALID." You can click the 'advanced' option and proceed anyway, but this is certainly a bad practice.
Also, if you try to curl their backend, it gives an error "SSL: no alternative certificate subject name matches target host name." You can add "--insecure" and then curl allows a connection, but again, this is a bad practice.
Anyway, I created a proxy (on Edge cloud) and was surprised to see that Apigee doesn't care about the SSL error and makes a successful request!
I don't want to enable connections to servers with misconfigured TLS, so any thoughts on how I can prevent this?
For reference, here is the targetServer definition I used.
```json
{
  "name": "targetServer",
  "host": "whatever.amazonaws.com",
  "isEnabled": true,
  "port": 443,
  "sSLInfo": {
    "ciphers": [],
    "clientAuthEnabled": "true",
    "enabled": "true",
    "ignoreValidationErrors": false,
    "protocols": [],
    "trustStore": "ref://trustStore-outbound-test-ref",
    "keyStore": "ref://keystore-outbound-test-ref",
    "keyAlias": "keystore-outbound-test"
  }
}
```
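The errors quoted above (the browser's NET::ERR_CERT_COMMON_NAME_INVALID and curl's "no alternative certificate subject name matches target host name") both come from hostname verification: the client compares the name it connected to against the certificate's subjectAltName dNSName entries, and a wildcard such as `*.mycompany.com` can only match a single label under `mycompany.com`. The following is an added example, not code from the original post or from Apigee, that reproduces that matching rule in Python (modelled on RFC 6125 / RFC 2818 wildcard semantics and the SAN-only behaviour of modern browsers) and builds an `ssl.SSLContext` that refuses such a backend. The certificate dictionary `WILDCARD_CERT` is constructed to mirror the post's situation; the `strict_client_context` helper, its parameters, and the file paths it accepts are assumptions for illustration.

```python
import ssl
from typing import Optional, Tuple

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns for a
# wildcard certificate like the one described in the post (not a real cert).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.mycompany.com"),),),
    "subjectAltName": (("DNS", "*.mycompany.com"),),
}


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname.

    Rules applied: case-insensitive, trailing dots ignored, a single '*'
    is allowed only as the entire leftmost label and matches exactly one
    label. So '*.mycompany.com' matches 'api.mycompany.com' but neither
    'whatever.amazonaws.com', 'a.b.mycompany.com' nor 'mycompany.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label; no '*' anywhere else.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    # Reject overly broad patterns such as '*.com'.
    if len(p_labels) < 3:
        return False
    # The wildcard covers exactly one label, so label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(hostname: str, cert: dict,
                    allow_cn_fallback: bool = False) -> Tuple[bool, str]:
    """Decide whether `cert` is valid for `hostname`, returning (ok, reason).

    Like browsers and current curl, only subjectAltName dNSName entries are
    consulted. The commonName is used only if `allow_cn_fallback` is set and
    the certificate carries no SAN at all (legacy behaviour).
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        for name in san:
            if dnsname_matches(name, hostname):
                return True, f"matched SAN dNSName {name!r}"
        return False, "no alternative certificate subject name matches target host name"
    if allow_cn_fallback:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and dnsname_matches(value, hostname):
                    return True, f"matched CN {value!r} (legacy fallback)"
        return False, "commonName does not match target host name"
    return False, "certificate has no SAN dNSName entries; CN is not consulted"


def strict_client_context(cafile: Optional[str] = None,
                          client_cert: Optional[str] = None,
                          client_key: Optional[str] = None) -> ssl.SSLContext:
    """Build a client context that enforces chain AND hostname validation.

    This is the client-side equivalent of leaving ignoreValidationErrors at
    false: an mTLS client certificate (assumed file paths) is presented, but
    a server whose certificate does not name the host is still rejected.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # hostname must match SAN
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain must validate against cafile
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context would reject an unverified or mis-named server."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    for host in ("whatever.amazonaws.com", "api.mycompany.com",
                 "deep.api.mycompany.com", "mycompany.com"):
        ok, reason = verify_hostname(host, WILDCARD_CERT)
        print(f"{host:28} -> {'OK ' if ok else 'FAIL'}: {reason}")
    print("strict context:", context_is_strict(strict_client_context()))
```

Running the demo shows that only `api.mycompany.com` passes; the AWS hostname fails exactly as curl reports it, which is the check a proxy must perform (or be configured to perform) before trusting a backend presenting someone else's wildcard certificate.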