Can't turn off SNI on apache

As far as I can tell from looking at the Apache source code, you can't do that with any Apache configuration option. You MUST send a Host: header matching what was sent via SNI for Apache to accept it.

RFC 6066 section 11.1 specifies that web servers MUST check that the Host: header and host name sent via SNI match.

As a practical matter, any software speaking HTTP that was produced in the last 15 years or so should be sending the Host: header with every request. If you actually have something that isn't, it's either too ancient to still be on the Internet, or broken.

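To reproduce the 400 from the question and see exactly which condition triggers it, the following is an added Python example, not code from the original post or from Apache. build_request produces the same HTTP/1.0 requests web-sniffer.net sends, with and without a Host header; sni_host_check is a simplified model of the comparison mod_ssl makes after the TLS client has sent SNI (its messages follow the ones mod_ssl logs, but the function is a stand-in for illustration, not Apache's code); probe performs the real exchange against a live server, with SNI set through the ssl module's server_hostname. The host name www.example.org and the sample requests are constructed for the demonstration.

```python
import socket
import ssl
from typing import Optional, Tuple

# Constructed target for the offline demonstration; probe() below is the only
# function that touches the network and it is not called at import time.
SNI_NAME = "www.example.org"


def build_request(path: str, host: Optional[str], version: str = "1.0") -> bytes:
    """Build a minimal GET. host=None reproduces the 'HTTP/1.0 without Host
    header' radio button from the question; the request is otherwise valid."""
    lines = [f"GET {path} HTTP/{version}"]
    if host is not None:
        lines.append(f"Host: {host}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def _strip_port(authority: str) -> str:
    """'www.example.org:443' -> 'www.example.org'; keeps IPv6 literals intact."""
    if authority.startswith("["):
        return authority.split("]", 1)[0] + "]"
    return authority.split(":", 1)[0]


def host_header(request: bytes) -> Optional[str]:
    """Return the Host header value, lower-cased and without a port, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return _strip_port(value.strip()).lower()
    return None


def sni_host_check(sni_name: Optional[str], request: bytes) -> Tuple[int, str]:
    """Simplified model (an assumption for illustration, not Apache's code) of
    the request-time check mod_ssl performs once the TLS client has sent SNI:
    a missing Host header, or one naming a different host, is answered with
    400. A client that sends no SNI at all is not subject to this comparison;
    that case is what SSLStrictSNIVHostCheck governs."""
    if sni_name is None:
        return 200, "no SNI sent; the SNI/Host comparison does not apply"
    host = host_header(request)
    if host is None:
        return 400, (f"Hostname {sni_name} provided via SNI, "
                     "but no hostname provided in HTTP request")
    if host != sni_name.lower():
        return 400, (f"Hostname {sni_name} provided via SNI and hostname "
                     f"{host} provided via HTTP are different")
    return 200, "SNI and Host agree"


def probe(hostname: str, host: Optional[str], port: int = 443) -> str:
    """Live probe: open TLS with SNI=hostname, send one request and return
    the status line. Needs network access; not used by the offline demo."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_request("/", host))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks).split(b"\r\n", 1)[0].decode("latin-1")


if __name__ == "__main__":
    # Offline walk-through of the client behaviours against the model.
    cases = {
        "HTTP/1.0, no Host header": build_request("/", None),
        "Host matches SNI": build_request("/", SNI_NAME),
        "Host with port, odd case": build_request("/", "WWW.Example.org:443"),
        "Host names another vhost": build_request("/", "other.example.org"),
    }
    for label, req in cases.items():
        status, why = sni_host_check(SNI_NAME, req)
        print(f"{label:26s} -> {status} ({why})")
    # To repeat the question's experiment against a real server:
    #   print(probe("www.example.org", None))              # Apache answers 400
    #   print(probe("www.example.org", "www.example.org"))
```

Run the file for the offline walk-through, or call probe() against your own host to repeat the question's experiment. Note that SSLStrictSNIVHostCheck only controls whether clients that send no SNI at all may reach a name-based virtual host; it has no effect on a client that, as in the question, did send SNI but omitted the Host header.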
Author: Admin

Updated on September 18, 2022

Comments

  • Admin, almost 2 years ago

    When I go to http://web-sniffer.net/ and check the headers of my site (https://www.example.org), I get status code 200.

    But when I use the radio button HTTP/1.0 (without Host header), I get a status code 400 (Bad Request).

    My Apache log says "Hostname www.example.org provided via SNI, but no hostnmae provided in HTTP request".

    I read that to make it work I need to turn off the directive "SSLStrictSNIVHostCheck" in my Apache conf file.

    I added this directive, but I am still getting status code 400 when making an HTTP/1.0 request (without a Host header).

    For reference, this is my ports.conf file:

    ServerName www.example.org
    
    NameVirtualHost *:80
    Listen 10.0.0.1:80
    
    <IfModule mod_ssl.c>
        # If you add NameVirtualHost *:443 here, you will also have to change
        # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
        # to <VirtualHost *:443>
        # Server Name Indication for SSL named virtual hosts is currently not
        # supported by MSIE on Windows XP.
        Listen 443
        NameVirtualHost *:443
        SSLStrictSNIVHostCheck off
    </IfModule>
    
    <IfModule mod_gnutls.c>
        Listen 443
    </IfModule>
    

    This is my default-ssl file:

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName www.example.org
        ServerAdmin [email protected]
        SSLStrictSNIVHostCheck off

        Alias /static /home/ubuntu/public_html/static
        <Directory /home/ubuntu/public_html/static>
            Order deny,allow
            Allow from all
        </Directory>

        Alias /media /home/ubuntu/public_html/media
        <Directory /home/ubuntu/public_html/media>
            Order deny,allow
            Allow from all
        </Directory>

        WSGIScriptAlias / /home/ubuntu/public_html/apache.wsgi

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc/">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

        SSLCertificateFile /etc/ssl/crt/example_org.crt
        SSLCertificateKeyFile /etc/ssl/crt/server.key
        SSLCertificateChainFile /etc/ssl/crt/ca.crt
        SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
        # MSIE 7 and newer should be able to use keepalive
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
    </IfModule>