I have that line in my ssl.conf file. It was initially set to "off", but even after I changed it to "on" I get the same results.

I actually don't think this is an apache issue exactly. I'm going to check with the openssl group, I think that is where the refusal should come into play.

Thanks,
--Larry

________________________________
From: Yann Ylavic <ylavic....@gmail.com>
Sent: Tuesday, March 4, 2025 3:27 AM
To: users@httpd.apache.org <users@httpd.apache.org>
Subject: [EXTERNAL] [BULK] Re: [users@httpd] apache/mod_ssl block IP connection attempt?

On Mon, Mar 3, 2025 at 10:20 PM Schuler, Laurence wrote:
>
> It appears that the HelloClient message has the target hostname within it, so
> mod_ssl should be able to say "ok, this hostname is *not* in my server
> cert(s), I'm not going to talk to this guy. reject.

Setting "SSLStrictSNIVHostCheck on" in global configuration would block connections to non-declared hosts (i.e. not configured in any ServerName/ServerAlias).
(see https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslstrictsnivhostcheck)

Regards;
Yann.