Modèle:Sommaire membre

De WikiFiction

Polymnie 2025-2026

Si vous avez participé à cet atelier avant le 1er septembre 2025, vous retrouverez votre espace sur la version précédente du wiki

11-relax
fds

apache2 (2.4.65-1~deb12u1) bookworm; urgency=medium 

 Following the resolution of CVE-2025-23048,
 some SSL-enabled websites may begin encountering
 the error (AH02032):
 .
   Misdirected Request:
   The client needs a new connection for this request as the
   requested host name does not match the Server Name Indication
   (SNI) in use for this connection.
 .
 This behavior is particularly noticeable with AWS Application
 Load Balancers. Although they support intelligent SNI handling,
 they do not (as of this writing) relay SNI data to the target
 server, resulting in failed connections when hostnames don’t align.
 .
 Without an SNI provided by the client, there is nothing httpd
 can do to determine which vhost/configuration should be
 used to provide the correct certificate (and TLS authentication
 eventually) whenever multiple vhosts listen on the same IP:port.

That's because reading the HTTP Host header necessarily has to 

 happen after the TLS handshake/auth/decryption (and later
 renegotiation is not an option with TLSv1.3).
 .
 So those connections fall back to the first vhost declared on
 the IP:port for the TLS handshake part, and if the request
 Host header finally matches a different vhost with a different
 TLS configuration it's rejected with AH02032.
 .
 Before 2.4.64 the check was not accurate and would allow that,
 with security implications.
 .
 As a workaround, you may (after a risk analysis) generate a
 wildcard certificate. If you’re managing multiple domains,
 consolidate them into a single certificate by including each
 wildcard domain as an alias. Then, update the Apache configuration
 to reference this unified certificate.
 .
 Another possible workaround is to configure each virtual host to
 listen on a separate port. This approach avoids SNI-related issues
 by ensuring that each vhost is uniquely addressed through its own
 connection endpoint, thereby allowing distinct TLS configurations
 without ambiguity.
 .
 This error may also stem from a misconfigured HAProxy setup.
 In such cases, enabling dynamic SNI handling on HAProxy might be
 necessary to ensure that the correct hostname is passed through
 during the TLS handshake. After risk analysis, it could be done
 by using "sni req.hdr(Host)" directive.
Récupérée de « http://wikifiction.fr/index.php?title=Modèle:Sommaire_membre&oldid=9715 »