EXTERNAL
EMAIL
The easiest way to do this is to make sure you have the
correct hostname in the virtual host - the one that matches
your certificate and another virtual host which has no
hostname in it to catch all the other requests.
<VirtualHost *:*>
.... return a forbidden response for all requests!
RewriteEngine On
RewriteRule ^(.*)$ - [L,F]
</VirtualHost>
<VirtualHost *:*>
ServerName your.real.host.com
... real config...
</VirtualHost>
On 08/02/2018 16:46, Houser, Rick
wrote:
In addition to fixing your certificate,
you may have a reason to make sure the host header they
send is correct. If they are reaching you via an
alternate hostname or something that’s getting them to the
correct IP, but shouldn’t be supported for your service,
stopping them from doing that might take aware the
incentive they see to disabling the hostname verification
in the first place.
Rick Houser
Web Engineer
EXTERNAL
EMAIL
On Thu, Feb 8, 2018 at 7:36 AM,
Belmona, Nizar <nbelmona@xxxxxxxxxxxx>
wrote:
Thanks Rainer and
Daniel.
Sorry for the
confusion and please let me clarify.
We have a web server
with Apache 2.2.22 with OpenSSL 0.9.8t,
the Apache service launches fine and the
users/developers are able to connect
however developers through their code
bypass the Server SSL certificate
verification. I am not worried about the
client certificate validation since we are
not using it, all the concern is we need
to stop users bypassing the Server SSL
verification who are claiming they have to
bypass it since the certificate name
doesn’t match the server name in the link
being called. Kindly note that
configuration in hhtpd.conf is:
You can't stop them unless
you control the client. You only control the
server. The only thing you could do is provide
a better certificate.
-- The Wellcome Sanger Institute is operated by Genome
Research Limited, a charity registered in England with
number 1021457 and a company registered in England with
number 2742969, whose registered office is 215 Euston Road,
London, NW1 2BE.
