- Bug
- Resolution: Duplicate
- rhel-8.10, rhel-9.6, rhel-10.0
- Low
- rhel-stacks-web-servers
- x86_64
To address CVE-2025-23048, mod_ssl now enforces stricter validation to ensure that the VirtualHost selected at the HTTP level (based on the Host: request header) matches the VirtualHost determined at the TLS/TCP level (based on the server’s IP/port and the SNI value provided in the ClientHello during the TLS handshake).
This fix is causing a lot of noise on the customer side, as it requires configuration changes:
- To prevent this behavior, <VirtualHost> definitions can be updated to ensure that Virtual Host selection is appropriate for connections without TLS SNI. This can be accomplished in different ways:
  - moving any <VirtualHost> with a distinct SSL certificate configuration to a unique TCP port
  - or sharing an SSL certificate configuration across multiple Virtual Hosts using a wildcard or SAN certificate
- When sharing an SSL certificate configuration across multiple Virtual Hosts using a wildcard or SAN certificate, make sure that all SSL directives from mod_ssl (SSLCipherSuite, SSLProtocol, ...) are the same across all the Virtual Hosts.
- Any better way to handle this?
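The two remedies listed above, as an added httpd configuration example that is not part of the bug report. It shows a layout that trips the stricter mod_ssl check (two name-based TLS vhosts on one IP:port with different certificates and different mod_ssl directives), then the same two sites rewritten each way. The hostnames, certificate paths and port 8443 are placeholders chosen for the example.

```apache
# Added example (not from the bug report). Hostnames, cert paths and the
# alternate port are placeholders.

# --- Layout that the stricter check rejects ------------------------------
# Both vhosts share *:443 but have distinct certificates and distinct mod_ssl
# settings. A request whose Host: header selects www.example.org on a TLS
# connection whose SNI selected www.example.com (or a connection with no SNI,
# which lands on the first *:443 vhost) is now refused instead of served.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.org.crt     # different cert
    SSLCertificateKeyFile /etc/pki/tls/private/example.org.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2              # different protocol set
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

# --- Remedy 1: one TCP port per distinct SSL configuration ---------------
# With a single TLS vhost per port, the vhost chosen at the TCP/TLS level is
# the only candidate, so Host: and SNI can no longer select different vhosts.
Listen 443
Listen 8443

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

<VirtualHost *:8443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.org.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>

# --- Remedy 2: one SAN/wildcard certificate, identical mod_ssl directives --
# Both vhosts stay on *:443 but present the same certificate (a SAN cert
# covering both names) and the same SSLProtocol / SSLCipherSuite / other
# mod_ssl settings, so either vhost is an acceptable match for the other's
# TLS session and the selection check passes.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/shared-san.crt      # SAN: example.com, example.org
    SSLCertificateKeyFile /etc/pki/tls/private/shared-san.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLHonorCipherOrder on
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/shared-san.crt      # same cert
    SSLCertificateKeyFile /etc/pki/tls/private/shared-san.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1                       # same as above
    SSLCipherSuite HIGH:!aNULL:!MD5                              # same as above
    SSLHonorCipherOrder on                                       # same as above
</VirtualHost>
```

Only one of the three sections would be active in a real configuration; they are shown together for comparison. After editing, `httpd -t` (or `apachectl configtest`) catches syntax errors but not a remaining mismatch between two SSL vhosts, so the per-directive comparison in Remedy 2 has to be done by hand or with a script that diffs the mod_ssl directives of every <VirtualHost> sharing an address:port.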