Can't turn off SNI on Apache
As far as I can tell from looking at the Apache source code, you can't do that with any Apache configuration option. You MUST send a Host: header matching what was sent via SNI for Apache to accept it.
RFC 6066 section 11.1 specifies that web servers MUST check that the Host: header and host name sent via SNI match.
As a practical matter, any software speaking HTTP that was produced in the last 15 years or so should be sending the Host: header with every request. If you actually have something that isn't, it's either too ancient to still be on the Internet, or broken.
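A simplified model of the check this answer describes, as an added example that is not part of the original answer and is not Apache's code. The function names and the sample requests are constructed for illustration.

```python
# Added example: simplified model of the SNI / Host consistency check.
# Not Apache's implementation; all names below are hypothetical.

def normalize_host(value):
    """Lower-case a host name and drop any port and trailing dot."""
    host = value.strip().lower()
    if host.startswith("[") and "]" in host:   # IPv6 literal such as [::1]:443
        host = host[1:host.index("]")]
    elif host.count(":") == 1:                 # name:port
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def host_header(raw_request):
    """Return the Host header value from a raw request head, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip() or None
    return None


def check_sni_host(sni_name, raw_request):
    """Return (accepted, reason) for one request on a TLS connection."""
    if sni_name is None:
        return True, "no SNI sent, nothing to compare"
    host = host_header(raw_request)
    if host is None:
        # The case from the question: HTTP/1.0 request without Host.
        return False, "hostname provided via SNI, but none in HTTP request"
    if normalize_host(host) != normalize_host(sni_name):
        return False, "Host header does not match SNI name"
    return True, "Host header matches SNI name"


# Constructed sample requests (not captured traffic).
HTTP10_NO_HOST = b"GET / HTTP/1.0\r\n\r\n"
HTTP11_WITH_HOST = b"GET / HTTP/1.1\r\nHost: www.example.org:443\r\n\r\n"
HTTP11_OTHER_HOST = b"GET / HTTP/1.1\r\nHost: other.example.org\r\n\r\n"

if __name__ == "__main__":
    for req in (HTTP10_NO_HOST, HTTP11_WITH_HOST, HTTP11_OTHER_HOST):
        first_line = req.split(b"\r\n")[0].decode()
        print(first_line, check_sni_host("www.example.org", req))
```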
Updated on September 18, 2022
When I go to http://web-sniffer.net/ and check the headers of my site (https://www.example.org), I get a status code 200.
But when I use the radio button HTTP/1.0 (without Host header), I get a status code 400 (Bad Request).
My Apache log says "Hostname www.example.org provided via SNI, but no hostname provided in HTTP request".
I read that to make it work I need to turn off the directive "SSLStrictSNIVHostCheck" in my Apache conf file.
I added this directive, but am still getting status code 400 when making an HTTP/1.0 request (without Host header).
For reference, this is my ports.conf file:
```apache
ServerName www.example.org
NameVirtualHost *:80
Listen 10.0.0.1:80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
    NameVirtualHost *:443
    SSLStrictSNIVHostCheck off
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
```
This is my default-ssl file:
```apache
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.org
    ServerAdmin [email protected]
    SSLStrictSNIVHostCheck off

    Alias /static /home/ubuntu/public_html/static
    <Directory /home/ubuntu/public_html/static>
        Order deny,allow
        Allow from all
    </Directory>

    Alias /media /home/ubuntu/public_html/media
    <Directory /home/ubuntu/public_html/media >
        Order deny,allow
        Allow from all
    </Directory>

    WSGIScriptAlias / /home/ubuntu/public_html/apache.wsgi

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile /etc/ssl/crt/example_org.crt
    SSLCertificateKeyFile /etc/ssl/crt/server.key
    SSLCertificateChainFile /etc/ssl/crt/ca.crt

    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
```