Why does httpd handle requests for wrong hostnames in SSL mode?

Posted by Manuel on Server Fault See other posts from Server Fault or by Manuel
Published on 2013-11-09T03:07:24Z Indexed on 2013/11/09 3:59 UTC
Read the original article Hit count: 459

Filed under:
|
|
|
|

I have an SSL-enabled virtual host for my sites at example.com:10443

Listen 10443
<VirtualHost _default_:10443>
  ServerName example.com:10443
  ServerAdmin [email protected]
  ErrorLog "/var/log/httpd/error_log"
  TransferLog "/var/log/httpd/access_log"
  SSLEngine on
  SSLProtocol all -SSLv2
  SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
  SSLCertificateFile "/etc/ssl/private/example.com.crt"
  SSLCertificateKeyFile "/etc/ssl/private/example.com.key"
  SSLCertificateChainFile "/etc/ssl/private/sub.class1.server.ca.pem"
  SSLCACertificateFile "/etc/ssl/private/StartCom.pem"
</VirtualHost>

Browsing to https://example.com:10443/ works as expected. However, also browsing to https://subdomain.example.com:10443/ (with DNS set) shows me the same pages (after SSL certificate warning). I would have expected the directive ServerName example.com:10443 to reject all connection attempts to other server names.

How can I tell the virtual host not to serve requests for URLs other than the top-level one?

© Server Fault or respective owner

Related posts about apache2

Related posts about ssl