
I am running Apache 2.4 on Debian serving some SSL websites. My domain name and certificates contain my real name, so I don't want any random user typing in my IP address to get the certificate and my name.

My approach would be to create a default virtual host on port 443 to drop all connections using modsecurity, so you only get the certificate if you know the domain name. With SNI it should be possible - Apache determines the right virtual host before the TLS handshake, right?

It does not seem to work as expected, however. If I enable the default host, every TLS connection seems to get dropped and I get an SSL_ERROR_RX_RECORD_TOO_LONG error in the browser.

This is my configuration:

<VirtualHost *:443>
    ServerName defaultserverssl
    DocumentRoot /var/www/html
    SecRuleEngine On
    SecAction id:1,phase:1,nolog,drop
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www1.example.com
    DocumentRoot /my/document/root
    SSLCertificateFile /path/to/myfullchain.pem
    SSLCertificateKeyFile /path/to/myprivkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www2.example.com
    DocumentRoot /my/document/root
    SSLCertificateFile /path/to/myfullchain.pem
    SSLCertificateKeyFile /path/to/myprivkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I already tried the SSLStrictSNIVHostCheck option to force SNI, both on server level and in the individual vhosts, with no different result.

It looks like SNI is not working, or am I wrong about the way SNI works and my approach is not possible?

  • You should put all your VirtualHost *:443 definition into the same IfModule mod_ssl.c block. Commented Jun 20, 2018 at 15:08
  • Have a look at Apache SSLStrictSNIVHostCheck directive, you probably need to turn it on (its default is off) to get the restriction you want. Commented Jun 20, 2018 at 15:14
  • Thanks for your hints. Actually I have them in 3 separate configuration files in sites-available. I forgot to mention, I already tried the SSLStrictSNIVHostCheck, both on server level and in the individual vhost configs - with the same result. Commented Jun 20, 2018 at 17:10

1 Answer


I have found a workaround for my problem.

As far as I understand, with SNI the client sends the requested server name within an extended TLS client hello - so there is no way to avoid an initial TLS handshake (or at least I didn't find a way to drop the connection just after receiving the client hello).

As a workaround, I created a self-signed certificate (containing no personal information) that I use with the default host. After the handshake, dropping the connection seems to work.

<VirtualHost *:443>
    ServerName defaultserverssl
    DocumentRoot /var/www/html
    SSLEngine On
    SSLCertificateFile /path/to/self-signed/default.crt
    SSLCertificateKeyFile /path/to/self-signed/default.key
    SecRuleEngine On
    SecAction id:1,phase:1,nolog,drop
</VirtualHost>
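As an added example (not part of the original answer), a small POSIX shell script that creates the anonymous self-signed certificate the catch-all vhost above needs and then checks which certificate a server presents with and without SNI, which is the leak the question is about. The output directory, the IP address and the host names are assumptions; `-noservername` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the openssl CLI (1.1.1+).
set -eu

# Generate a self-signed certificate whose subject carries no personal data,
# for use as SSLCertificateFile/SSLCertificateKeyFile of the default vhost.
# $1 = output directory; prints the subject of the generated certificate.
make_default_cert() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=defaultserverssl" \
        -keyout "$dir/default.key" -out "$dir/default.crt" 2>/dev/null
    chmod 600 "$dir/default.key"          # private key readable by root only
    openssl x509 -in "$dir/default.crt" -noout -subject
}

# Print the subject of the certificate a TLS server presents.
# $1 = host:port, $2 = optional SNI name. Without $2 no SNI is sent, which
# is what a browser does when it is pointed at a bare IP address.
served_subject() {
    target="$1"
    if [ "$#" -ge 2 ]; then
        sni_opt="-servername $2"
    else
        sni_opt="-noservername"
    fi
    # $sni_opt is intentionally unquoted so it expands to two words.
    openssl s_client -connect "$target" $sni_opt </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Usage after deploying (assumed address 203.0.113.10): the first call must
# show CN=defaultserverssl, the second the real site certificate.
#   served_subject 203.0.113.10:443
#   served_subject 203.0.113.10:443 www1.example.com
```

The first check is the one that matters: if it ever prints your real name, the default vhost is not the one answering SNI-less connections.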
