From: Dr James A Smith
To: users@httpd.apache.org
Date: Thu, 8 Feb 2018 17:17:50 +0000
Subject: Re: [users@httpd] SSL Certificate Validation
Message-ID: <9aa13972-5e35-1fff-0446-bc48ae2acb07@sanger.ac.uk>
In-Reply-To: <73a7757f6d274158a8da4d5663a4b743@DC03PXMBP003.jacksonnational.com>

The easiest way to do this is to make sure you have the correct hostname in the virtual host - the one that matches your certificate and another virtual host which has no hostname in it to catch all the other requests.

<VirtualHost *:*>
    # No ServerName and listed first, so this is the default vhost for any
    # request whose Host header (or SNI name) matches nothing else.
    # .... return a forbidden response for all requests!
    RewriteEngine On
    RewriteRule ^(.*)$ - [L,F]
</VirtualHost>

<VirtualHost *:*>
    ServerName your.real.host.com
    # ... real config...
</VirtualHost>
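Added example, not code from the thread or from httpd itself: a small Python model of how httpd picks a name-based virtual host, arranged like the two blocks above, plus the certificate-name check that a verifying TLS client performs (the check the developers in the thread were bypassing). The hostname alt-name.internal and the wildcard SAN are constructed values.

```python
# Added example (not httpd code): models name-based vhost selection to show
# why the catch-all <VirtualHost> has to be listed first, and the hostname
# check a TLS client applies to a server certificate's DNS SANs.

VHOSTS = [  # same order as the configuration above: catch-all first
    {"server_name": None, "action": "403 Forbidden (RewriteRule [L,F])"},
    {"server_name": "your.real.host.com", "aliases": [], "action": "real config"},
]


def select_vhost(host_header, vhosts=VHOSTS):
    """Pick the vhost for a Host header (or SNI name) the way httpd does:
    drop any :port, compare case-insensitively against ServerName and
    ServerAlias, and fall back to the FIRST vhost when nothing matches."""
    name = host_header.split(":")[0].rstrip(".").lower()
    for vh in vhosts:
        candidates = [vh.get("server_name")] + vh.get("aliases", [])
        if name in [c.lower() for c in candidates if c]:
            return vh
    return vhosts[0]  # the default vhost for an IP:port is the first one listed


def cert_matches_host(san_dns_names, host):
    """RFC 6125-style check done by a verifying client: the hostname must equal
    a DNS SAN, or match a wildcard whose '*' is the entire leftmost label."""
    host = host.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == san[2:]:
                return True
    return False


if __name__ == "__main__":
    # A request via an alternate name lands on the catch-all and gets 403;
    # the same request against a reversed config would reach the real site.
    print(select_vhost("alt-name.internal")["action"])
    print(select_vhost("alt-name.internal", list(reversed(VHOSTS)))["action"])
    print(cert_matches_host(["your.real.host.com"], "alt-name.internal"))
```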

On 08/02/2018 16:46, Houser, Rick wrote:

In addition to fixing your certificate, you may have a reason to make sure the host header they send is correct. If they are reaching you via an alternate hostname or something that's getting them to the correct IP, but shouldn't be supported for your service, stopping them from doing that might take away the incentive they see in disabling the hostname verification in the first place.

Rick Houser

Web Engineer


From: Eric Covener [mailto:covener@gmail.com]
Sent: Thursday, February 08, 2018 11:19
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Certificate Validation

On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar <nbelmona@cscgroup.com> wrote:

Thanks Rainer and Daniel.

Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t. The Apache service launches fine and the users/developers are able to connect; however, developers through their code bypass the Server SSL certificate verification. I am not worried about the client certificate validation since we are not using it; all the concern is we need to stop users bypassing the Server SSL verification who are claiming they have to bypass it since the certificate name doesn't match the server name in the link being called. Kindly note that configuration in httpd.conf is:

You can't stop them unless you control the client. You only control the server. The only thing you could do is provide a better certificate.

-- The Wellcome Sanger Institute is operated by Genome Research Limited, a charity registered in England with number 1021457 and a company registered in England with number 2742969, whose registered office is 215 Euston Road, London, NW1 2BE.