httpd-users mailing list archives

From "Houser, Rick" <rick.hou...@jackson.com>
Subject RE: [users@httpd] SSL Certificate Validation
Date Thu, 08 Feb 2018 17:51:29 GMT
I didn’t think you could have two virtualhost entries with the same IP/port.  I would probably
do this within a single VirtualHost, myself.  Something like this combined with the RewriteRule:

RewriteCond %{HTTP_HOST} !^THE.CORRECT.HOSTNAME$


Rick Houser
Web Engineer

From: Dr James A Smith [mailto:js5@sanger.ac.uk]
Sent: Thursday, February 08, 2018 12:18
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Certificate Validation



The easiest way to do this is to make sure you have the correct hostname in the virtual host
- the one that matches your certificate and another virtual host which has no hostname in
it to catch all the other requests.

<VirtualHost *:*>
  # No ServerName: catches all the other requests.
  # Return a forbidden response for all requests.
  RewriteEngine On
  RewriteRule ^(.*)$ - [L,F]
</VirtualHost>

<VirtualHost *:*>
  # The hostname that matches your certificate.
  ServerName your.real.host.com
  # ... real config ...
</VirtualHost>



On 08/02/2018 16:46, Houser, Rick wrote:
In addition to fixing your certificate, you may have a reason to make sure the host header
they send is correct.  If they are reaching you via an alternate hostname or something that’s
getting them to the correct IP, but shouldn’t be supported for your service, stopping them
from doing that might take away the incentive they see to disable the hostname verification
in the first place.


Rick Houser
Web Engineer

From: Eric Covener [mailto:covener@gmail.com]
Sent: Thursday, February 08, 2018 11:19
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Certificate Validation





On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar <nbelmona@cscgroup.com> wrote:
Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t, the Apache service launches fine
and the users/developers are able to connect however developers through their code bypass
the Server SSL certificate verification. I am not worried about the client certificate validation
since we are not using it, all the concern is we need to stop users bypassing the Server
SSL verification who are claiming they have to bypass it since the certificate name doesn’t
match the server name in the link being called. Kindly note that configuration in httpd.conf
is:



You can't stop them unless you control the client.  You only control the server. The only
thing you could do is provide a better certificate.



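Added example (not part of the thread and not code from any of the posters): a Python script that lists the hostnames clients send in the Host header that the server certificate does not cover, which is the mismatch that leads developers to switch verification off. Each name it reports is a candidate either for the "better certificate" or for the forbidden-response rule. The certificate names, the log lines and the log layout (an assumed LogFormat whose first field is %{Host}i) are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed inputs: dNSName entries from the server certificate, and access-log
# lines from an assumed LogFormat whose first field is %{Host}i.
CERT_NAMES = ["www.example.org", "*.example.org"]
SAMPLE_LOG = [
    'www.example.org 203.0.113.7 - - [08/Feb/2018:12:00:01 +0000] "GET /api HTTP/1.1" 200 512',
    'WWW.EXAMPLE.ORG:443 203.0.113.7 - - [08/Feb/2018:12:00:02 +0000] "GET /api HTTP/1.1" 200 512',
    'web01.internal.example.org 203.0.113.8 - - [08/Feb/2018:12:00:03 +0000] "GET /api HTTP/1.1" 200 512',
    '198.51.100.20 203.0.113.9 - - [08/Feb/2018:12:00:04 +0000] "GET /api HTTP/1.1" 200 512',
    'web01.internal.example.org 203.0.113.8 - - [08/Feb/2018:12:00:05 +0000] "GET /api HTTP/1.1" 200 512',
    'api.example.org 203.0.113.9 - - [08/Feb/2018:12:00:06 +0000] "GET /api HTTP/1.1" 200 512',
]

def name_matches(pattern, host):
    """RFC 6125-style check: case-insensitive, '*' only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label, never several
    if p[0] == "*":
        # Refuse wildcards directly under a single label (e.g. *.org).
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def uncovered_hosts(cert_names, log_lines):
    """Return (host, hits) pairs for Host headers no certificate name covers."""
    misses = Counter()
    for line in log_lines:
        fields = line.split(None, 1)
        if not fields:
            continue
        # Drop an optional :port suffix before comparing.
        host = re.sub(r":\d+$", "", fields[0]).lower()
        if not any(name_matches(name, host) for name in cert_names):
            misses[host] += 1
    return misses.most_common()

if __name__ == "__main__":
    for host, hits in uncovered_hosts(CERT_NAMES, SAMPLE_LOG):
        print(f"{hits:5d}  {host}  (not covered by the certificate)")
```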