Disable the fallback virtual host
Bug #1390054 reported by François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Libravatar (obsolete) | Confirmed | Medium | Unassigned | | |
Bug Description
As described in this paper (also attached here):
the automatic fallback to the default Apache vhost can be used to exploit flaws in TLS.
We should try to disable the default fallback vhost and always return 400 when clients request an invalid vhost.
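Added example, not part of the bug report or of Libravatar's configuration: Apache uses the first `<VirtualHost>` listed for an address:port as the fallback for unmatched names, so this check reports every address whose first vhost still serves content instead of answering 400. The host names, paths, the `Redirect 400 /` catch-all and the function names are assumptions made for the illustration.

```python
import re

# Constructed sample configs, not Libravatar's real ones.
# SSLEngine/certificate directives are left out of the samples.
WEAK = """
<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/site
</VirtualHost>
<VirtualHost *:443>
    ServerName cdn.example.org
    DocumentRoot /var/www/cdn
</VirtualHost>
"""
# Hardened: a catch-all listed first answers every unmatched name with 400.
HARDENED = """
<VirtualHost *:443>
    ServerName catchall.invalid
    Redirect 400 /
</VirtualHost>
""" + WEAK

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
SERVERNAME = re.compile(r"^\s*ServerName\s+(\S+)", re.M | re.I)
REFUSE = re.compile(r"^\s*Redirect\s+400\s+/\s*$", re.M | re.I)

def default_vhosts(conf):
    """Map each address:port to (ServerName, refuses) of its first vhost.

    Assumes conf is the whole configuration in load order and treats each
    address string separately (no wildcard-versus-IP precedence).
    """
    conf = re.sub(r"^\s*#.*$", "", conf, flags=re.M)  # drop comment lines
    defaults = {}
    for addrs, body in VHOST.findall(conf):
        name = SERVERNAME.search(body)
        entry = (name.group(1) if name else None, bool(REFUSE.search(body)))
        for addr in addrs.split():
            defaults.setdefault(addr, entry)  # only the first block counts
    return defaults

def exposed(conf):
    """Addresses whose fallback vhost still serves content."""
    return sorted(a for a, (_, ok) in default_vhosts(conf).items() if not ok)

if __name__ == "__main__":
    print("weak:", exposed(WEAK))
    print("hardened:", exposed(HARDENED))
```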