Hello @Rafael Campos ,
I understand that you ran a Qualys scan on your Application Gateway WAF, found vulnerabilities such as "SSL Certificate - Signature Verification Failed Vulnerability" and "SSL Certificate - Subject Common Name Does Not Match Server FQDN", and would like more information about them.
The SSL-related issues/vulnerabilities are very likely related to the certificate on the backend server/pool of the Application Gateway.
I've seen the Qualys scan finding below, which advises fixing this issue by installing a server certificate whose Subject commonName or subjectAltName matches the server FQDN.
Title:
SSL Certificate - Subject Common Name Does Not Match Server FQDN
Threat:
An SSL Certificate associates an entity (person, organization, host, etc.) with a Public Key. In an SSL connection, the client authenticates the remote server using the server's Certificate and extracts the Public Key in the Certificate to establish the secure connection.
A certificate whose Subject commonName or subjectAltName does not match the server FQDN offers only encryption without authentication.
Please note that a false-positive report of this vulnerability is possible in the following case: if the common name of the certificate uses a wildcard such as *.somedomainname.com and reverse DNS resolution for the target IP is not configured. In that case there is no way for Qualys to associate the wildcard common name with the IP. Adding a reverse DNS lookup entry for the target IP will solve this problem.
Impact:
A man-in-the-middle attacker can exploit this vulnerability in tandem with a DNS cache poisoning attack to lure the client to another server and then steal all the encrypted communication.
Solution:
Please install a server certificate whose Subject commonName or subjectAltName matches the server FQDN.
For more information on how to fix the invalid common name issue for Application Gateway, you can follow the troubleshooting doc below:
https://video2.skills-academy.com/en-us/azure/application-gateway/application-gateway-backend-health-troubleshooting#backend-certificate-invalid-common-name-cn
Kindly let us know if the above helps or if you need further assistance with this issue.
----------------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
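As an added illustration of the check behind this finding (example code, not part of the answer above and not Qualys' or Microsoft's code): the script below implements the hostname-matching rule a TLS client applies, i.e. compare the target FQDN against the certificate's subjectAltName DNS entries and, only if there are none, against the Subject commonName, with a wildcard accepted solely as the whole leftmost label. It also models, in simplified form, why a scanner that is handed an IP with no PTR record cannot map a wildcard certificate to that IP. The certificate dicts, the IP 203.0.113.10 and the PTR table are constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; `fetch_peer_cert` is an optional helper for checking a live backend and is not called at import.

```python
"""Check whether a server certificate's Subject CN / subjectAltName matches a
target FQDN, and model the wildcard + missing reverse DNS false positive."""
import ipaddress
import socket
import ssl

# --- constructed sample data (not real hosts or certificates) ---------------
WILDCARD_CERT = {
    "subject": ((("commonName", "*.somedomainname.com"),),),
    "subjectAltName": (("DNS", "*.somedomainname.com"),),
}
CN_ONLY_CERT = {  # legacy certificate with no SAN extension at all
    "subject": ((("commonName", "backend01.internal"),),),
}
REVERSE_DNS = {"203.0.113.10": "app.somedomainname.com"}  # hypothetical PTR table


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate DNS name against a hostname.

    A wildcard is accepted only as the entire leftmost label and matches exactly
    one label: "*.example.com" matches "www.example.com" but not "example.com"
    or "a.b.example.com". Comparison is case-insensitive; a trailing dot is ignored.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # partial wildcards such as "f*.example.com" are rejected
    if len(p_labels) < 3:
        return False  # "*.com" would match every .com host
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_dns_names(cert: dict) -> list:
    """Names a client compares against: SAN dNSName entries if present,
    otherwise the Subject commonName (fallback only when SAN is absent)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for kind, value in rdn if kind == "commonName"]


def cert_matches_fqdn(cert: dict, fqdn: str) -> bool:
    """True when any SAN (or fallback CN) name matches the FQDN."""
    return any(dns_name_matches(name, fqdn) for name in cert_dns_names(cert))


def scanner_verdict(cert: dict, target: str, reverse_dns: dict) -> str:
    """Simplified model of the scanner behaviour described in the finding:
    an IP target is turned into an FQDN via reverse DNS; without a PTR record a
    wildcard name cannot be associated with the IP (the documented false positive)."""
    try:
        ipaddress.ip_address(target)
        fqdn = reverse_dns.get(target)  # None when no PTR record exists
    except ValueError:
        fqdn = target  # target was already a hostname
    if fqdn is None:
        if any(name.startswith("*.") for name in cert_dns_names(cert)):
            return "possible false positive: wildcard certificate and no reverse DNS for target IP"
        return "mismatch: no FQDN available to compare against the certificate"
    return "ok" if cert_matches_fqdn(cert, fqdn) else f"mismatch: certificate does not cover {fqdn}"


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the certificate a live server presents. Hostname checking is
    disabled so a mismatched name can still be inspected; chain validation is
    kept, so a self-signed backend certificate will raise SSLError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(scanner_verdict(WILDCARD_CERT, "203.0.113.10", REVERSE_DNS))
    print(scanner_verdict(WILDCARD_CERT, "203.0.113.10", {}))
    print(scanner_verdict(CN_ONLY_CERT, "backend01.internal", {}))
```

To check a real backend, call `fetch_peer_cert("backend.example", 443)` and pass the result to `cert_matches_fqdn` with the FQDN the Application Gateway uses for the backend pool; a mismatch there is what both the Qualys finding and the gateway's "invalid common name" backend health message are reporting.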