I didn’t think you could have two virtualhost entries with the same IP/port. I
would probably do this within a single VirtualHost, myself. Something
like this combined with the RewriteRule:
RewriteCond %{HTTP_HOST} !^THE.CORRECT.HOSTNAME$
Rick Houser
Web Engineer
From: Dr James A Smith [mailto:[email protected]]
Sent: Thursday, February 08, 2018 12:18
To: [email protected]
Subject: Re: [users@httpd] SSL Certificate Validation
The easiest way to do this is to make sure you have the correct hostname in the
virtual host - the one that matches your certificate and another virtual host
which has no hostname in it to catch all the other requests.
<VirtualHost *:*>
    # Return a forbidden response for all requests!
    RewriteEngine On
    RewriteRule ^(.*)$ - [L,F]
</VirtualHost>
<VirtualHost *:*>
    ServerName your.real.host.com
    # ... real config ...
</VirtualHost>
On 08/02/2018 16:46, Houser, Rick wrote:
In addition to fixing your certificate, you may have a reason to make sure the
host header they send is correct. If they are reaching you via an alternate
hostname or something that’s getting them to the correct IP, but shouldn’t be
supported for your service, stopping them from doing that might take away the
incentive they see for disabling the hostname verification in the first place.
Rick Houser
Web Engineer
From: Eric Covener [mailto:[email protected]]
Sent: Thursday, February 08, 2018 11:19
To: [email protected]
Subject: Re: [users@httpd] SSL Certificate Validation
On Thu, Feb 8, 2018 at 7:36 AM, Belmona, Nizar
<[email protected]> wrote:
Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.
We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t, the Apache service
launches fine and the users/developers are able to connect; however, developers
through their code bypass the Server SSL certificate verification. I am not
worried about the client certificate validation since we are not using it, all
the concern is we need to stop users bypassing the Server SSL verification who
are claiming they have to bypass it since the certificate name doesn’t match
the server name in the link being called. Kindly note that configuration in
httpd.conf is:
You can't stop them unless you control the client. You only control the
server. The only thing you could do is provide a better certificate.
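The single-VirtualHost approach suggested at the top of this thread, with the RewriteCond and the RewriteRule from the quoted reply put together, as an added example (not configuration posted by anyone in the thread). your.real.host.com is the thread's placeholder hostname; the port and the certificate paths are assumed placeholders.

```apache
# Added example: one VirtualHost that serves only the certificate's hostname.
<VirtualHost *:443>
    ServerName your.real.host.com

    SSLEngine on
    # Assumed placeholder paths; the certificate must be issued for ServerName.
    SSLCertificateFile    /path/to/your.real.host.com.crt
    SSLCertificateKeyFile /path/to/your.real.host.com.key

    RewriteEngine On
    # Reject any request whose Host header is not the certificate's name.
    # Dots are escaped so they match literally, an optional :port suffix is
    # accepted, and [NC] makes the comparison case-insensitive.
    # A request with no Host header also fails the match and is refused.
    RewriteCond %{HTTP_HOST} !^your\.real\.host\.com(:[0-9]+)?$ [NC]
    RewriteRule ^ - [F]

    # ... real config ...
</VirtualHost>
```

This only refuses requests that arrive with the wrong Host header; as stated in the thread, the server cannot make a client verify the certificate.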