Why does httpd handle requests for wrong hostnames in SSL mode?
Posted
by
Manuel
on Server Fault
See other posts from Server Fault
or by Manuel
Published on 2013-11-09T03:07:24Z
Indexed on
2013/11/09
3:59 UTC
Read the original article
Hit count: 453
I have an SSL-enabled virtual host for my sites at example.com:10443
Listen 10443
<VirtualHost _default_:10443>
ServerName example.com:10443
ServerAdmin [email protected]
ErrorLog "/var/log/httpd/error_log"
TransferLog "/var/log/httpd/access_log"
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCertificateFile "/etc/ssl/private/example.com.crt"
SSLCertificateKeyFile "/etc/ssl/private/example.com.key"
SSLCertificateChainFile "/etc/ssl/private/sub.class1.server.ca.pem"
SSLCACertificateFile "/etc/ssl/private/StartCom.pem"
</VirtualHost>
Browsing to https://example.com:10443/ works as expected.
However, also browsing to https://subdomain.example.com:10443/ (with DNS set) shows me the same pages (after SSL certificate warning). I would have expected the directive ServerName example.com:10443
to reject all connection attempts to other server names.
How can I tell the virtual host not to serve requests for URLs other than the top-level one?
© Server Fault or respective owner