What kind of attack is prevented by Apache2's error code AH02032 ("Hostname provided via SNI and hostname provided via HTTP are different")?
I saw in my Apache2 server logs messages like
[ssl:error] [pid 28482] AH02032: Hostname xxx.yyy.zzz.www:443 provided via SNI and hostname xxx.yyy.zzz.www provided via HTTP are different
One of these error messages was triggered by a request from researchscan367.eecs.umich.edu, so I presume they are scanning for some known vulnerability. What kind of vulnerability or attack vector is prevented by the error?
The attack is called "virtual host confusion", and in 2014 several CDNs were found vulnerable to it. The main idea is that a mismatch between the target name in the TLS handshake ("provided via SNI") and the target name in the HTTP protocol ("provided via HTTP") can be exploited. Depending on the setup of the server, it might be used to impersonate HTTPS sites owned by others, which also can be used to steal session cookies etc.
For more information, read the paper "Network-based Origin Confusion Attacks against HTTPS Virtual Hosting", read the information at HackerOne, see a video of how this attack helps to "use Akamai to bypass Internet censorship", or see the talk at Blackhat 2014 where this and other attacks against TLS were demonstrated.
Also interesting is this paper that describes how the same technique is used to circumvent censorship: Blocking-resistant communication through domain fronting
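As an added illustration (not part of the answer above or of Apache's own code), the following Python snippet emulates the comparison behind AH02032, namely the SNI name against the HTTP Host header with its port stripped, and parses log lines in the format quoted in the question. The hostnames and the sample log line are constructed for this example.

```python
import re
from typing import Optional, Tuple

# Matches the AH02032 message format quoted in the question; the first name is the
# SNI value, the second is the hostname taken from the HTTP Host header.
AH02032_RE = re.compile(
    r"AH02032: Hostname (?P<sni>\S+) provided via SNI and "
    r"hostname (?P<http>\S+) provided via HTTP are different"
)

# Constructed log line mirroring the one in the question (hostnames obfuscated as there).
SAMPLE_LOG = ("[ssl:error] [pid 28482] AH02032: Hostname xxx.yyy.zzz.www:443 provided "
              "via SNI and hostname xxx.yyy.zzz.www provided via HTTP are different")


def http_hostname(host_header: str) -> str:
    """Hostname part of a Host header value with any :port removed.
    IPv6 literals arrive as [addr]:port, so they are split on the closing bracket."""
    h = host_header.strip()
    if h.startswith("["):
        end = h.find("]")
        return h[1:end] if end != -1 else h
    return h.rsplit(":", 1)[0] if h.count(":") == 1 else h


def check_request(sni: Optional[str], host_header: Optional[str]) -> str:
    """Emulates the server-side check that produces AH02032.
    Returns 'ok' when the request may proceed, otherwise a reason for a 400 response."""
    if sni is None:
        # Without SNI the client named no host in the TLS handshake; nothing to compare.
        return "ok"
    if host_header is None:
        return "reject: SNI present but no Host header"
    host = http_hostname(host_header)
    if host.lower() != sni.lower():
        # The certificate the client validated belongs to the SNI name; routing the
        # request to the vhost named in Host would let the two layers disagree.
        return f"reject: SNI {sni!r} != HTTP host {host!r}"
    return "ok"


def parse_ah02032(line: str) -> Optional[Tuple[str, str]]:
    """Extract (sni_name, http_hostname) from an AH02032 log line, or None."""
    m = AH02032_RE.search(line)
    return (m["sni"], m["http"]) if m else None


if __name__ == "__main__":
    pair = parse_ah02032(SAMPLE_LOG)
    print(pair, "->", check_request(*pair))          # the pair from the log is rejected
    print(check_request("victim.example", "attacker.example"))  # confusion case, rejected
    print(check_request("shop.example", "shop.example:443"))    # port in Host is fine
```

Replaying the logged pair shows why it was rejected: the SNI value carried a literal ":443", which can never equal a hostname, while a port in the Host header is stripped before comparison.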
Am I correct in surmising that reading this notice in the error logs is a notification that an issue has been blocked and ***not*** a notification that there is an issue that needs my attention? I.e., read the `ssl:error...` and don't need to do anything due to it?