httpd-users mailing list archives

From Dr James A Smith <...@sanger.ac.uk>
Subject Re: [users@httpd] SSL Certificate Validation
Date Thu, 08 Feb 2018 17:17:50 GMT
The easiest way to do this is to make sure you have the correct hostname 
in the virtual host - the one that matches your certificate and another 
virtual host which has no hostname in it to catch all the other requests.

<VirtualHost *:*>
    # Default (first) vhost: return a 403 Forbidden response for all requests
    RewriteEngine On
    RewriteRule ^(.*)$ - [L,F]
</VirtualHost>

<VirtualHost *:*>
    ServerName your.real.host.com
    # ... real config ...
</VirtualHost>
On 08/02/2018 16:46, Houser, Rick wrote:
>
> In addition to fixing your certificate, you may have a reason to make 
> sure the host header they send is correct.  If they are reaching you 
> via an alternate hostname or something that's getting them to the 
> correct IP, but shouldn't be supported for your service, stopping them 
> from doing that might take away the incentive they see to disable 
> the hostname verification in the first place.
>
> Rick Houser
>
> Web Engineer
>
> *From:* Eric Covener [mailto:covener@gmail.com]
> *Sent:* Thursday, February 08, 2018 11:19
> *To:* users@httpd.apache.org
> *Subject:* Re: [users@httpd] SSL Certificate Validation
>
> On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar <nbelmona@cscgroup.com 
> <mailto:nbelmona@cscgroup.com>> wrote:
>
>     Thanks Rainer and Daniel.
>
>     Sorry for the confusion and please let me clarify.
>
>     We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t. The
>     Apache service launches fine and the users/developers are able to
>     connect; however, developers bypass the server SSL certificate
>     verification in their code. I am not worried about the client
>     certificate validation since we are not using it; all the concern
>     is that we need to stop users bypassing the server SSL verification, who
>     are claiming they have to bypass it since the certificate name
>     doesn't match the server name in the link being called. Kindly
>     note that the configuration in httpd.conf is:
>
> You can't stop them unless you control the client. You only control 
> the server. The only thing you could do is provide a better certificate.
>
-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE. 
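The reason the catch-all block in James's reply has to come first is that httpd, when no ServerName or ServerAlias matches the request's Host header, falls back to the first virtual host listed for that address:port. The following model of that selection rule is an added example, not code from the thread or from the httpd project; the `VirtualHost` class, the hostnames and the two orderings are constructed here to show that the same two blocks behave differently depending on their order.

```python
# Added example: a small model of httpd's name-based virtual host selection
# for a single address:port, used to show why the catch-all vhost must be
# listed first. Hostnames and vhost definitions below are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VirtualHost:
    server_name: Optional[str]        # None models a block with no ServerName
    aliases: Tuple[str, ...] = ()     # models ServerAlias entries
    forbid_all: bool = False          # models: RewriteRule ^(.*)$ - [L,F]


def normalise_host(host_header: str) -> str:
    """Strip an optional :port and trailing dot; matching is case-insensitive."""
    return host_header.split(":")[0].rstrip(".").lower()


def select_vhost(vhosts: List[VirtualHost], host_header: str) -> VirtualHost:
    """First ServerName/ServerAlias match wins; with no match, httpd uses the
    first vhost configured for that address:port as the default."""
    host = normalise_host(host_header)
    for vh in vhosts:
        names = ((vh.server_name,) if vh.server_name else ()) + vh.aliases
        if host in (n.lower() for n in names):
            return vh
    return vhosts[0]


def handle(vhosts: List[VirtualHost], host_header: str) -> int:
    """Return the HTTP status the selected vhost would produce."""
    vh = select_vhost(vhosts, host_header)
    return 403 if vh.forbid_all else 200


# Constructed vhosts mirroring the two blocks in the reply above.
CATCH_ALL = VirtualHost(server_name=None, forbid_all=True)
REAL = VirtualHost(server_name="your.real.host.com")

RECOMMENDED = [CATCH_ALL, REAL]   # order used in the reply: catch-all first
REVERSED = [REAL, CATCH_ALL]      # same blocks, wrong order: REAL is default


if __name__ == "__main__":
    for order, name in ((RECOMMENDED, "recommended"), (REVERSED, "reversed")):
        for host in ("your.real.host.com", "YOUR.REAL.HOST.COM:443",
                     "alt.host.example", "10.0.0.5"):
            print(f"{name:11} Host: {host:26} -> {handle(order, host)}")
```

With the recommended order, a request carrying the real hostname (with or without a port, in any case) reaches the real vhost and any other Host value lands in the forbidden default. With the order reversed, the real vhost becomes the default and serves every unknown hostname, which is exactly the behaviour the thread is trying to prevent.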