Hi Apache Devs!
I would like to propose adding checks for the hostname in a certificate when checking the Apache configuration.

According to research by Akhawe et al. [1] there are about 15k false positives for one true certificate warning. This obviously devalues certificate warnings to users. Fahl et al. [2] have analyzed causes for invalid certificates and found that about 24% are due to hostname mismatch (although the study is a bit dated).

To bring this number down a bit I was wondering if it would make sense to add a check to Apache. The idea is that as an admin, when I try to start the daemon (or maybe when I run configtest), I will be told something like: there is a VirtualHost for A and B but only a certificate for A.

Do you think this is feasible?

Best Regards,
🐍 Simon

[1] http://devd.me/papers/trustmemaybe.pdf
[2] https://saschafahl.de/papers/webmasters2014.pdf
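The check proposed above, sketched as an added example that is not part of the original mail and not Apache's own code. It parses a constructed httpd config, collects the ServerName and ServerAlias entries of every SSL-enabled VirtualHost, and reports each name the configured certificate does not cover. Matching follows the RFC 6125 rules a browser applies (a wildcard only as the whole leftmost label, one label deep, never matching the bare domain). The certificate contents are stubbed as a constructed dict of subjectAltName entries; a real check would read them from each SSLCertificateFile (for instance with `openssl x509 -noout -ext subjectAltName`). All paths, hostnames and the helper names are hypothetical.

```python
"""Report ServerName/ServerAlias entries of SSL VirtualHosts that the configured
certificate does not cover.  Added example; not Apache code.  Certificate
contents are stubbed below (CERT_NAMES) instead of being read from disk."""
import re

# Constructed sample config: vhost A is fully covered, vhost B reuses A's certificate.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    ServerName https://a.example.org:443
    ServerAlias www.a.example.org
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/a.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example.org
    ServerAlias *.b.example.org b.example.net
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/a.pem
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.org
</VirtualHost>
"""

# Constructed stand-in for the subjectAltName dNSName entries of each certificate file.
CERT_NAMES = {
    "/etc/ssl/certs/a.pem": ["a.example.org", "www.a.example.org", "*.b.example.org"],
}


def normalize_server_name(value):
    """ServerName allows [scheme://]host[:port]; keep only the lower-cased host."""
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value, flags=re.I)
    return value.split(":", 1)[0].lower()


def parse_vhosts(config_text):
    """Return one dict per <VirtualHost>: addr, names (ServerName first), ssl, cert."""
    vhosts, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opening = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opening:
            current = {"addr": opening.group(1), "names": [], "ssl": False, "cert": None}
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:
            continue  # directive outside any <VirtualHost>; not relevant here
        parts = line.split()
        key = parts[0].lower()
        if key == "servername":
            current["names"].insert(0, normalize_server_name(parts[1]))
        elif key == "serveralias":
            current["names"].extend(p.lower() for p in parts[1:])
        elif key == "sslengine":
            current["ssl"] = parts[1].lower() == "on"
        elif key == "sslcertificatefile":
            current["cert"] = parts[1]
    return vhosts


def cert_name_matches(pattern, host):
    """RFC 6125-style match: '*' only as the whole leftmost label, exactly one label deep."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    if len(plabels) < 3:  # refuse "*.com"-style patterns
        return False
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def find_uncovered_names(vhosts, cert_names):
    """Return (cert, host, reason) for every SSL vhost name its certificate does not cover."""
    problems = []
    for vh in vhosts:
        if not (vh["ssl"] or vh["cert"]):
            continue  # plain HTTP vhost
        if vh["cert"] is None:
            first = vh["names"][0] if vh["names"] else vh["addr"]
            problems.append((None, first, "SSLEngine on but no SSLCertificateFile"))
            continue
        names = cert_names.get(vh["cert"])
        if names is None:
            problems.append((vh["cert"], None, "certificate could not be read"))
            continue
        for host in vh["names"]:
            if "*" in host or "?" in host:
                # Apache's ServerAlias wildcards also match across label boundaries, so the
                # certificate is only taken to cover one if it lists the very same pattern.
                covered = host in (n.lower() for n in names)
            else:
                covered = any(cert_name_matches(n, host) for n in names)
            if not covered:
                problems.append((vh["cert"], host, "not in certificate SAN list"))
    return problems


if __name__ == "__main__":
    for cert, host, reason in find_uncovered_names(parse_vhosts(SAMPLE_CONFIG), CERT_NAMES):
        print(f"configtest warning: {host}: {reason} ({cert})")
```

On the sample config this reports `b.example.org` and `b.example.net` for the second VirtualHost: the bare domain is not covered by the `*.b.example.org` wildcard, and the `.net` alias is simply absent. The first VirtualHost and the plain HTTP one produce nothing, which is the "VirtualHost for A and B but only a certificate for A" message the proposal asks for.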
