In addition to fixing your certificate, you may have a reason to make sure the 
host header they send is correct.  If they are reaching you via an alternate 
hostname or something that’s getting them to the correct IP, but shouldn’t be 
supported for your service, stopping them from doing that might take aware the 
incentive they see to disabling the hostname verification in the first place.

Rick Houser
Web Engineer

From: Eric Covener []
Sent: Thursday, February 08, 2018 11:19
Subject: Re: [users@httpd] SSL Certificate Validation


On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar 
<<>> wrote:
Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t, the Apache service 
launches fine and the users/developers are able to connect however developers 
through their code bypass the Server SSL certificate verification. I am not 
worried about the client certificate validation since we are not using it,  all 
the concern is we need to stop users bypassing the Server SSL verification who 
are claiming they have to bypass it since the certificate name doesn’t match 
the server name in the link being called. Kindly note that configuration in 
hhtpd.conf is:

​You can't stop them unless you control the client.  You only control the 
server. The only thing you could do is provide a better certificate.

Reply via email to