HTTPS access with no SNI

pwhodges · October 3, 2018, 1:13pm

I ran the Qualys SSLlabs test against the main domain on my server, and got the good result I expected (straight A).

However, there was one oddity which concerned me slightly, as it is a breach of privacy, even if not of security. They do a test accessing the server without SNI, and they get in response the certificate of a completely different web site on my server (which reveals that I am handling that web site).

Is this inevitable? And if it is unavoidable, is there any way to ensure that the “default” certificate returned in this way is at least one of my choosing? The site concerned is not at the start or end of my caddyfile.

Paul

Whitestrake · October 3, 2018, 3:04pm

The certificate chosen when no certificates in memory are suitable is effectively random.

You can control the default case by defining a catch-all site definition for HTTPS requests that don’t match any more specific labels. The below is not quite equivalent to the default handling, but shows the general idea.

https:// {
  tls self_signed
  status 404 /
}

system · January 1, 2019, 3:04pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.