Can't turn off SNI on apache

pmah asked:

When I go to http://web-sniffer.net/ and check the headers of my site (https://www.example.org), I get a status code 200.

But when I use the radio button HTTP/1.0 (without Host header), I get a status code 400 (Bad Request).

My apache log says “Hostname www.example.org provided via SNI, but no hostnmae provided in HTTP request”

I read that to make it work I need to turn off the directive “SSLStrictSNIVHostCheck” in my apache conf file.

I added this directive, but am still getting status code 400 when making an HTTP/1.0 request (without Host header).

For reference, this is my ports.conf file:

ServerName www.example.org

NameVirtualHost *:80
Listen 10.0.0.1:80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
    NameVirtualHost *:443
    SSLStrictSNIVHostCheck off
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

This is my default-ssl file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.org
    ServerAdmin webmaster@example.org
    SSLStrictSNIVHostCheck off

    Alias /static /home/ubuntu/public_html/static
    <Directory /home/ubuntu/public_html/static>
        Order deny,allow
        Allow from all
    </Directory>

    Alias /media /home/ubuntu/public_html/media
    <Directory /home/ubuntu/public_html/media>
        Order deny,allow
        Allow from all
    </Directory>

    WSGIScriptAlias / /home/ubuntu/public_html/apache.wsgi

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile /etc/ssl/crt/example_org.crt
    SSLCertificateKeyFile /etc/ssl/crt/server.key
    SSLCertificateChainFile /etc/ssl/crt/ca.crt
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

My answer:


As far as I can tell from looking at the Apache source code, you can’t do that with any Apache configuration option. You MUST send a Host: header matching what was sent via SNI for Apache to accept it.

RFC 6066 section 11.1 specifies that web servers MUST check that the Host: header and host name sent via SNI match.

As a practical matter, any software speaking HTTP that was produced in the last 15 years or so should be sending the Host: header with every request. If you actually have something that isn’t, it’s either too ancient to still be on the Internet, or broken.
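The following script is an added example and is not part of the question, the answer, or Apache itself. It does two things: `sni_host_check()` models the server-side rule from RFC 6066 section 11.1 that the answer refers to (a request with no Host header, or a Host header that disagrees with the SNI name, is rejected; the 400 message mirrors the one quoted in the question, while using 421 for a mismatch is an assumption that follows newer Apache behaviour rather than something the page states), and `probe()` is a diagnostic client that opens a TLS connection with SNI and sends a raw HTTP/1.0 request with or without a Host header, so you can reproduce the 200 versus 400 result from web-sniffer.net against your own server. All function names and the `www.example.org` target are this example's own choices.

```python
"""Reproduce the SNI / Host-header check from the Server Fault answer.

Added example, not code from the original post or from Apache. Part 1 is a
pure model of the RFC 6066 11.1 rule; part 2 is a network probe that only
runs when the file is executed directly.
"""
import socket
import ssl


def normalize_host(value):
    """Lower-case a host name and drop an optional :port suffix."""
    host = value.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    if ":" in host:
        host = host.rsplit(":", 1)[0]
    return host


def parse_request_head(raw):
    """Split a raw HTTP request head into (request_line, {header: value})."""
    head = raw.decode("iso-8859-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def sni_host_check(sni_name, raw_request):
    """Return (status, reason) a server applying RFC 6066 11.1 would produce.

    Assumption: 421 for a mismatch follows newer Apache releases; the page
    itself only documents the 400 for a missing Host header.
    """
    _, headers = parse_request_head(raw_request)
    host = headers.get("host")
    if sni_name is None:
        return 200, "no SNI name, nothing to compare"
    if host is None:
        return 400, ("Hostname %s provided via SNI, but no hostname "
                     "provided in HTTP request" % sni_name)
    if normalize_host(host) != normalize_host(sni_name):
        return 421, ("Hostname %s provided via SNI and hostname %s provided "
                     "via HTTP are different" % (sni_name, host))
    return 200, "SNI and Host header agree"


def build_request(path="/", host=None, version="1.0"):
    """Build a minimal raw GET; host=None mimics the HTTP/1.0 probe."""
    lines = ["GET %s HTTP/%s" % (path, version)]
    if host is not None:
        lines.append("Host: %s" % host)
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_status(raw_response):
    """Extract the numeric status code from a raw HTTP response."""
    status_line = raw_response.split(b"\r\n", 1)[0].decode("iso-8859-1")
    return int(status_line.split(" ", 2)[1])


def probe(server, sni_name, send_host, port=443):
    """Connect with SNI=sni_name, send HTTP/1.0 GET, return the status code."""
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            tls.sendall(build_request("/", sni_name if send_host else None))
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return parse_status(b"".join(chunks))


if __name__ == "__main__":
    # Constructed requests run through the model; no network needed.
    for req in (build_request("/", None),
                build_request("/", "www.example.org:443"),
                build_request("/", "other.example.org")):
        print(sni_host_check("www.example.org", req))
    # Live probe against the host from the question (needs network access).
    target = "www.example.org"
    print("with Host header:   ", probe(target, target, send_host=True))
    print("without Host header:", probe(target, target, send_host=False))
```

The model treats the Host comparison case-insensitively and ignores a trailing port, which is what you want when the client sends `Host: www.example.org:443`; the live probe deliberately sends the request by hand rather than through an HTTP library, because every maintained library adds the Host header for you and would hide the behaviour the question is about.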


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.