HTTPS access with no SNI

(Paul Hodges) #1

I ran the Qualys SSLlabs test against the main domain on my server, and got the good result I expected (straight A).

However, there was one oddity which concerned me slightly, as it is a breach of privacy, even if not of security. They do a test accessing the server without SNI, and they get in response the certificate of a completely different web site on my server (which reveals that I am handling that web site).

Is this inevitable? And if it is unavoidable, is there any way to ensure that the “default” certificate returned in this way is at least one of my choosing? The site concerned is not at the start or end of my Caddyfile.


(Matthew Fay) #2

The certificate chosen when no certificates in memory are suitable is effectively random.

You can control the default case by defining a catch-all site definition for HTTPS requests that don’t match any more specific labels. The below is not quite equivalent to the default handling, but shows the general idea.

# Catch-all for HTTPS requests whose SNI matches no more specific site label
https:// {
  tls self_signed
  status 404 /
}
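To see the mechanism the reply describes outside of Caddy, the following is an added example (not code from the thread or from the Caddy project, though Go is Caddy's own language): a small TLS server whose GetCertificate callback picks a certificate by the client's SNI value and otherwise falls back to one explicitly chosen "catch-all" certificate, plus a client that connects with and without SNI, the way the SSL Labs no-SNI probe does. The hostnames `public.example`, `private.example` and `default.invalid`, and the in-memory self-signed certificates, are constructed for the example; the client skips verification only because those certificates are self-signed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one hostname.
// Constructed in memory for the example; not any real site's key material.
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// serverConfig selects a certificate by SNI and falls back to a deliberately
// chosen default when SNI is absent or unknown. This is the catch-all idea:
// the no-SNI answer is a choice, not whichever certificate sits first in memory.
func serverConfig(sites map[string]tls.Certificate, fallback tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := sites[strings.ToLower(hello.ServerName)]; ok {
				return &c, nil
			}
			return &fallback, nil
		},
	}
}

// demoServer listens on a loopback port with two named sites and one
// catch-all certificate, and completes handshakes in the background.
func demoServer() (net.Listener, error) {
	sites := map[string]tls.Certificate{
		"public.example":  selfSigned("public.example"),
		"private.example": selfSigned("private.example"),
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverConfig(sites, selfSigned("default.invalid")))
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() {
				c.(*tls.Conn).Handshake() // drives certificate selection
				c.Close()
			}()
		}
	}()
	return ln, nil
}

// servedCommonName connects with the given SNI (an empty string sends no SNI
// extension at all, like the SSL Labs probe) and reports the CN of the leaf
// certificate the server presented.
func servedCommonName(addr, sni string) (string, error) {
	raw, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer raw.Close()
	// tls.Client rather than tls.Dial, so no ServerName is inferred from addr.
	// InsecureSkipVerify is only acceptable here because the certs are self-signed.
	conn := tls.Client(raw, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err := conn.Handshake(); err != nil {
		return "", err
	}
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ln, err := demoServer()
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	for _, sni := range []string{"public.example", "private.example", "", "unknown.example"} {
		cn, err := servedCommonName(ln.Addr().String(), sni)
		fmt.Printf("SNI %q -> %s (err=%v)\n", sni, cn, err)
	}
}
```

Against a real server the same check is `openssl s_client -connect host:443 -noservername` (no SNI) versus `-servername host`; if the two runs show different subjects, the no-SNI answer is whatever the server's fallback is, which is exactly what the catch-all site block pins down.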