Ssl – Hostname provided via SNI, but no hostname provided in HTTP request


I got this error in the Apache log:

[Mon Oct 28 16:11:33.074606 2019] [ssl:error] [pid 30553] AH02031: Hostname mywebsite.com provided via SNI, but no hostname provided in HTTP request

I couldn't find any info about it.
What does it mean?

The website was not responding and was at 100% CPU for an hour. I had to stop it from the Console. When I looked at the error log, I only saw the above error, which was at the exact time when the CPU reached 100%.

I suspect it might be some form of hacker attack, since it is a similar message to Conflict between SNI and HTTP provided domains.

Best Answer

I suspect it might be some form of hacker attack, since it is a similar message to Conflict between SNI and HTTP provided domains.

While this could in theory be a hacker, it could be totally innocent too. It is different from the problem in the question you've linked to, where somebody deliberately uses a different name in the ClientHello and the Host header.

In this case there is simply no Host header. Instead of an attacker, I rather suspect somebody trying HTTP without properly reading the specification, or somebody testing whether simple HTTP/1.0 requests (which, contrary to HTTP/1.1, don't require a Host header in all cases) still work.

For example, the following simple Perl code will produce such a log entry if www.example.com is a multi-domain setup served by Apache:

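use IO::Socket::SSL;
# The hostname is sent as SNI in the TLS handshake; stop if the connection fails
my $cl = IO::Socket::SSL->new('www.example.com:443') or die $SSL_ERROR;
# HTTP/1.0 request without a Host header
print $cl "GET / HTTP/1.0\r\n\r\n";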

And with a slight modification (having the expected Host header) the message would not be there:

print $cl "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n";
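
Added example, not part of the original answer: a Python triage script that pulls AH02031 entries out of an Apache error log and counts them per minute and SNI hostname, to tell a single stray Host-less request from a sustained burst. The optional `tid` and `[client ...]` fields are assumptions based on Apache's default error log format, and every sample line except the first (taken from the question) is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# AH02031 entry as shown in the question. The tid and [client ...] fields are
# optional (assumption: default Apache 2.4 error log format, which prints
# them only when they are available).
AH02031 = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[ssl:error\] \[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"AH02031: Hostname (?P<sni>\S+) provided via SNI, "
    r"but no hostname provided in HTTP request"
)

def parse_ah02031(line):
    """Return a dict for an AH02031 line, or None for any other line."""
    m = AH02031.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
    return {"time": ts, "pid": int(m["pid"]), "client": m["client"], "sni": m["sni"]}

def per_minute(lines):
    """Count AH02031 entries per (minute, SNI hostname)."""
    counts = Counter()
    for line in lines:
        rec = parse_ah02031(line)
        if rec:
            counts[(rec["time"].strftime("%Y-%m-%d %H:%M"), rec["sni"])] += 1
    return counts

def bursts(lines, threshold):
    """Buckets with at least `threshold` entries, busiest first."""
    return [(k, n) for k, n in per_minute(lines).most_common() if n >= threshold]

MSG = "AH02031: Hostname mywebsite.com provided via SNI, but no hostname provided in HTTP request"
# Constructed sample: the first line is the entry from the question, the rest are made up.
SAMPLE = [
    "[Mon Oct 28 16:11:33.074606 2019] [ssl:error] [pid 30553] " + MSG,
    "[Mon Oct 28 16:11:41.210004 2019] [ssl:error] [pid 30553] [client 203.0.113.7:51122] " + MSG,
    "[Mon Oct 28 16:11:59.000321 2019] [ssl:error] [pid 30560:tid 139] [client 203.0.113.7:51130] " + MSG,
    "[Mon Oct 28 16:12:02.500000 2019] [ssl:error] [pid 30553] [client 198.51.100.9:40000] " + MSG,
    "[Mon Oct 28 16:12:05.000000 2019] [mpm_prefork:notice] [pid 30500] unrelated constructed line",
]

if __name__ == "__main__":
    for (minute, sni), n in bursts(SAMPLE, threshold=2):
        print(minute, sni, n)
```
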