Disable the fallback virtual host

Bug #1390054 reported by François Marier on 2014-11-06
Affects: Libravatar
Importance: Medium
Assigned to: Unassigned

Bug Description

As described in this paper (also attached here):

  https://www.blackhat.com/docs/us-14/materials/us-14-Delignat-The-BEAST-Wins-Again-Why-TLS-Keeps-Failing-To-Protect-HTTP-wp.pdf

the automatic fallback to the default Apache vhost can be used to exploit flaws in TLS.

We should try to disable the default fallback vhost and always return 400 when clients request an invalid vhost.
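One way to implement that proposal in Apache, added here as an illustration and not Libravatar's own configuration (hostnames and certificate paths are placeholders): the first vhost on a given IP:port is the one Apache falls back to, so make it a catch-all that answers every request with 400.

```apache
# Added example, not Libravatar's config. Placeholder hostnames and paths.
# Apache uses the FIRST <VirtualHost> for an IP:port as the default, i.e.
# the one served when the SNI name or Host header matches no ServerName or
# ServerAlias. Make that default a catch-all that refuses everything.
# Requires mod_ssl and mod_rewrite to be loaded.
<VirtualHost *:443>
    # Reserved TLD, so it never collides with a real site name.
    ServerName catchall.invalid
    SSLEngine on
    # A certificate is still needed to complete the TLS handshake;
    # reusing the real one is fine since no content is ever served here.
    SSLCertificateFile    /etc/ssl/certs/example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
    # Clients that send no SNI at all are refused instead of landing here.
    SSLStrictSNIVHostCheck on
    # Any request that reaches this vhost gets 400 Bad Request. With a
    # non-3xx status, R= drops the substitution and stops rewriting.
    RewriteEngine on
    RewriteRule ^ - [R=400]
</VirtualHost>

# The real site. Only requests whose SNI/Host match these names reach it;
# anything else falls through to the catch-all above.
<VirtualHost *:443>
    ServerName www.example.org
    ServerAlias example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/example.org.key
    DocumentRoot /var/www/example.org
</VirtualHost>
```

`apachectl -S` shows which vhost is the default for `*:443`, and `curl -sk -o /dev/null -w '%{http_code}\n' --resolve unknown.invalid:443:127.0.0.1 https://unknown.invalid/` should then print 400 rather than the real site's page.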
