[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: https vhosts

> Am 24.05.2018 um 13:28 schrieb Eric Covener <covener@xxxxxxxxx>:
> On Thu, May 24, 2018 at 7:23 AM, Stefan Eissing
> <stefan.eissing@xxxxxxxxxxxxx> wrote:
>> Do we have a configuration option to allow https://hostname/ only to matching vhosts without any default fallback?
>> Scenario:
>> - a site with vhost A and B
>> - vhost B is taken out, DNS still points there (for a while)
>> - browsers opening https://B/ will get the certificate of A and complain
>> I do not want to present a "wrong" certificate, I want the SSL connection to fail. Does that make sense?
> I don't think it exists for SSL or non-SSL today -- you have to
> capture them in the first-listed VH for a address/port combo.

Which, in case of SSL, needs to present a certificate that does not match and browsers issue their "not trustworthy" warnings. Where, in reality (ha, reality on the internet!) the site does not exist and it is impossible to make a secure connection to it.

So, we are lacking an option here to abort SSL connections without a vhost match, it seems. Something like

SSLStrictSNIVHostCheck require-match