I am running Apache 2.4 on Debian serving some SSL websites. My domain name and certificates contain my real name, so I don't want any random user typing in my IP address to get the certificate and my name.
My approach would be to create a default virtual host on port 443 that drops all connections using ModSecurity, so you only get the certificate if you know the domain name. With SNI it should be possible – Apache determines the right virtual host before the TLS handshake, right?
It does not seem to work as expected, however. If I enable the default host, every TLS connection seems to get dropped and I get an SSL_ERROR_RX_RECORD_TOO_LONG error in the browser.
This is my configuration:
# First vhost bound to *:443: Apache uses it as the default host for this
# address/port. Note that it carries no SSLEngine / certificate directives.
<VirtualHost *:443>
    ServerName defaultserverssl
    DocumentRoot /var/www/html
    # ModSecurity: close the TCP connection in phase 1 (request headers)
    SecRuleEngine On
    SecAction id:1,phase:1,nolog,drop
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www1.example.com
    DocumentRoot /my/document/root
    SSLCertificateFile /path/to/myfullchain.pem
    SSLCertificateKeyFile /path/to/myprivkey.pem
    # Certbot's include supplies SSLEngine on and the protocol/cipher settings
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www2.example.com
    DocumentRoot /my/document/root
    SSLCertificateFile /path/to/myfullchain.pem
    SSLCertificateKeyFile /path/to/myprivkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
I already tried the SSLStrictSNIVHostCheck option to force SNI, both at server level and in the individual vhosts, with no different result.
It looks like SNI is not working, or am I wrong about the way SNI works and my approach is not possible?
Best Answer
I have found a workaround for my problem.
As far as I understand, with SNI the client sends the requested server name within an extended TLS ClientHello, so there is no way to avoid an initial TLS handshake (or at least I didn't find a way to drop the connection just after receiving the ClientHello).
As a workaround, I created a self-signed certificate (containing no personal information) that I use for the default host. After the handshake, dropping the connection seems to work.
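For reference, here is what the default host from the question looks like once the workaround is applied. This is an added example, not configuration from the original post. The reason the original default host broke every connection is that mod_ssl decides whether a socket speaks TLS at all from the first vhost bound to that address:port, before any SNI name is available; that host had no SSLEngine on, so the ClientHello was answered with plaintext HTTP, which the browser reports as SSL_ERROR_RX_RECORD_TOO_LONG. The certificate and key paths, the CN of the dummy certificate and the IP address in the usage note are assumptions for the example.

```apache
# Added example (not from the original post): default *:443 host that completes
# the TLS handshake with a throw-away self-signed certificate and then refuses
# every request, so only clients that send a matching SNI name see the real
# certificate.
#
# Paths and CN below are assumptions; generate the dummy key pair with e.g.
#   openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=localhost" \
#       -keyout /etc/ssl/private/default-dummy.key \
#       -out    /etc/ssl/certs/default-dummy.pem

# Must remain the FIRST *:443 vhost that Apache loads: the first host bound to
# an address:port is the default for that socket, and its SSLEngine setting
# decides whether the socket does TLS before any SNI name has been seen.
<VirtualHost *:443>
    ServerName defaultserverssl
    DocumentRoot /var/www/html

    # These lines were missing in the original default host. Without them the
    # ClientHello is answered with plaintext HTTP (SSL_ERROR_RX_RECORD_TOO_LONG).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/default-dummy.pem
    SSLCertificateKeyFile /etc/ssl/private/default-dummy.key

    # Clients that send no SNI at all (e.g. connecting by bare IP) get a 403
    # from this host instead of falling through to any named host on this
    # IP:port. The handshake still completes, but only the dummy cert is shown.
    SSLStrictSNIVHostCheck on

    # Deny at the HTTP layer regardless of whether ModSecurity is loaded ...
    <Location "/">
        Require all denied
    </Location>

    # ... and, as in the question, close the TCP connection as soon as the
    # request headers are in (phase 1). ModSecurity's drop action is only
    # available in the Apache (v2) module.
    <IfModule security2_module>
        SecRuleEngine On
        SecAction "id:1,phase:1,nolog,drop"
    </IfModule>
</VirtualHost>
```

To check the result from another machine, run `openssl s_client -connect 203.0.113.10:443 </dev/null 2>/dev/null | openssl x509 -noout -subject` (203.0.113.10 standing in for your server's IP); it should print the dummy CN, while adding `-servername www1.example.com` to the same command should print the real certificate's subject. Two caveats: SSLStrictSNIVHostCheck rejects only clients that send no SNI, so a client sending an arbitrary SNI name still reaches this default host and still sees the dummy certificate, which is what you want; and the certificate is hidden only from people who connect by IP, because Let's Encrypt certificates are published in Certificate Transparency logs, so the domain names in the certificate are public to anyone who searches those logs.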