httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 50227] New: Option to fail SSL handshake for diverted SNI connections
Date Sun, 07 Nov 2010 06:03:04 GMT

           Summary: Option to fail SSL handshake for diverted SNI connections
           Product: Apache httpd-2
           Version: 2.2.17
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_ssl

In the presence of network attackers, an HTTPS server is liable to receive
diverted connections asking for any site for which its certificate is valid,
even if that site was supposed to be hosted elsewhere, and it is responsible
for responding in a way that does not violate the integrity properties expected
by clients.  (See discussion: .)  One can set
up a default vhost that responds to diverted connections with a relatively
harmless error 400 or 403, but for SNI connections, it is even better to reject
them at the SSL level.  I could not find any way to configure Apache to do
that.  I tried the hack of disabling all protocols or ciphers on the default
vhost, hoping to make sure the SSL handshake fails, but Apache detected that as
a configuration error and refused to start.

I propose a new option, tentatively named SSLUnrecognizedName, which can be set
on or off per vhost and causes SSL connections to that vhost to be rejected
with an unrecognized_name error.  Server admins could simply enable that option
on the "harmless" default vhost they set up for non-SNI clients.
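The "harmless default vhost" workaround the report describes, written out as an added example for Apache httpd 2.2 with mod_ssl (not part of the bug report): the first <VirtualHost> for an address:port is the one httpd uses both for non-SNI clients and for SNI names that match no ServerName or ServerAlias, so the catch-all must be listed before the real site. Hostnames, certificate paths and the choice of 403 via Deny are assumptions; the proposed SSLUnrecognizedName directive is deliberately absent because it does not exist.

```apache
# Added example, not from the bug report. Hostnames, paths and the
# certificate are placeholders.
#
# httpd treats the FIRST <VirtualHost> for *:443 as the default vhost:
# it answers non-SNI clients and any SNI name no other vhost claims.
NameVirtualHost *:443

<VirtualHost *:443>
    # Matches no real hostname; exists only to be the default.
    ServerName default.invalid
    SSLEngine on
    # Same certificate as the real site, so a diverted client still sees a
    # valid certificate and the handshake succeeds; the HTTP layer is what
    # refuses the request.
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Answer every request with 403 instead of serving any content.
    <Location />
        Order deny,allow
        Deny from all
    </Location>
</VirtualHost>

<VirtualHost *:443>
    # The real site; only reached when the SNI name matches.
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    DocumentRoot /var/www/example
</VirtualHost>
```

With this in place a diverted connection for any other name the certificate covers still completes the TLS handshake and then receives a 403 from the default vhost; rejecting it inside the handshake, as the proposed directive would, is not something this configuration can express.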
