On Mon, Mar 3, 2025 at 4:20 PM Schuler, Laurence (GSFC-606.4)[ADNET SYSTEMS
INC] <laurence.schu...@nasa.gov.invalid> wrote:

> I have a web server [apache 2.4.62 on a RedHat9 server] that receives an
> SSL request for the address "https://1.2.3.4/" (with the real server IP),
> the server will reply by sending its certificate back and then I assume the
> client compares the hostname on the cert and sees that it doesn't match
> what it sent in the SSL ClientHello message and so issues a warning to the
> user about an unsafe site. Is there a way to just deny such HelloClient
> messages from mod_ssl, perhaps an option or other setting? In other words,
> force people to come to the site by hostname, not IP address.
> It appears that the HelloClient message has the target hostname within it,
> so mod_ssl should be able to say "ok, this hostname is *not* in my server
> cert(s), I'm not going to talk to this guy. reject."
> Since this seems like something it should already do, I'm probably missing
> some configuration option, but I know this is happening with a few servers
> in my organization.
> I could probably get around this by having the IP address put into the
> server certificate and then remapping a virtual host, but the issuer is
> frowning on that type of cert.
>
> Is there a way to block IP connection attempts?
>
> *Laurence Schuler*
> *NASA Scientific Visualization Studio Systems Administrator*
> ADNET SYSTEMS, Inc.
> 7515 Mission Drive, Suite A100, Lanham, MD 20706
> c: 410.739.0893
> o: 301.286.3557
> laurence.schu...@nasa.gov

There isn't really a graceful way to recover from that use case. Until the
client accepts the certificate, the connection isn't fully established.

You can create a default TLS vhost with a dummy ServerName and
certificate, and send a 403 with Require all denied, perhaps. They will
still need to accept the invalid certificate to see the 403, and you can
put details in your ErrorDocument to tell them what to do.
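One way to lay out the default TLS vhost described in the reply above, as an added example that is not from the thread; the hostnames, certificate paths and the 403 message text are assumed:

```apache
# Added example (not from the thread): a catch-all default TLS vhost that
# refuses requests arriving by IP address or by an unknown hostname.
# Assumed names and paths: default.invalid, www.example.org,
# /etc/pki/tls/certs/default-dummy.crt, /etc/pki/tls/private/default-dummy.key.
Listen 443

# httpd uses the FIRST <VirtualHost> for a given address:port as the default
# when neither the SNI hostname nor the Host header matches a ServerName or
# ServerAlias, so this block must come before the real site's vhost.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    # Self-signed placeholder certificate: the client still completes the
    # handshake (and the user still has to click through the warning)
    # before it can receive the 403 below.
    SSLCertificateFile    /etc/pki/tls/certs/default-dummy.crt
    SSLCertificateKeyFile /etc/pki/tls/private/default-dummy.key

    # Require is a directory-context directive, so wrap it in <Location>.
    <Location "/">
        Require all denied
    </Location>

    # Tell the user why they were refused and where to go instead.
    ErrorDocument 403 "Access by IP address is not permitted. Please use https://www.example.org/ instead."
</VirtualHost>

# The real site, selected by SNI hostname / Host header.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.org.key
    DocumentRoot /var/www/html
</VirtualHost>
```

After reloading, a request to https://1.2.3.4/ (with the warning accepted) gets the 403 from the default vhost, while https://www.example.org/ is served normally; `apachectl -S` shows which vhost is the default for *:443.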
