git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Exposing SSL certificates on SNI mismatch


Hi all,

I have a customer asking about whether the SSL handshake can be made to fail in case the SNI from the "Client Hello" message doesn't match at all any server name of the configured virtual hosts. E.g. consider a setup like this

DNS records:
domain-a.tld resolves to <shared ip>
domain-b.tld also resolves to <shared ip>

Listen <shared ip>:443 https
Listen <shared ip>:80  http

<VirtualHost <shared ip>:80>
  ServerName domain-a.tld
  ...
</VirtualHost>

<VirtualHost <shared ip>:80>
  ServerName domain-b.tld
</VirtualHost>

<VirtualHost <shared ip>:443>
  ServerName domain-b.tld
  SSLEngine On
  SSLCertificateFile <...a certificate file only valid for domain-b.tld>
  ...
</VirtualHost>

I.e. no virtual host with SSL enabled for domain-a.tld exists.

In this setup the customer wants the server to not expose the SSL certificate of other, unrelated virtual hosts in case a client/browser tries to access https:/domain-a.tld/ (which isn't configured in Apache).

Is this currently possible? If yes, in 2.4.x or only trunk?

I remember a discussion thread of this topic floating by, but I can't find it anymore. Does anybody else maybe have a pointer to some public mail archive?

Thanks a lot in advance for any comment,
Micha