Qualys Labs SSL Test – Incorrect SNI alerts

If you have run the Qualys SSL Test, you may have seen the following errors in your report:

  • Client aborts on SNI unrecognized_name warning
  • Incorrect SNI alerts

If you're unsure what SNI is all about, the following quote from Wikipedia should bring you up to speed:

Server Name Indication (SNI) is an extension to the TLS computer networking protocol[1] by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other Service over TLS) to be served off the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted,[2] so an eavesdropper can see which site is being requested.

If you're running Apache, you can address this issue by ensuring the correct site names are contained within the Virtual Host configuration. For example, it may be appropriate to add this configuration to a .conf file relating to the site in question, e.g. /etc/apache2/sites-enabled/default-ssl.conf:

Add the following within the VirtualHost section:

ServerName www.example.com
ServerAlias example.com www.example.com

You will need to restart Apache to apply the changes:

service apache2 restart
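
To confirm that every hostname you serve over HTTPS is actually named in a VirtualHost, the check below parses a config and lists the hostnames that no ServerName or ServerAlias covers. It is an added example, not code from the original post; the function names and the sample config are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed sample (not from the original post): the second vhost's
# ServerName is commented out, so no vhost names api.example.com.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com www.example.com
</VirtualHost>
<VirtualHost *:443>
    # ServerName api.example.com
    DocumentRoot /var/www/api
</VirtualHost>
<VirtualHost *:80>
    ServerName plain.example.com
</VirtualHost>
"""

def tls_vhost_names(conf_text, port="443"):
    """Return one set of ServerName/ServerAlias values per vhost bound to `port`."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments are whole lines
            continue
        opening = re.match(r"<VirtualHost\s+(.+?)>", line, re.I)
        if opening:
            on_port = any(a.endswith(":" + port) for a in opening.group(1).split())
            current = set() if on_port else None
            if on_port:
                vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None:
            parts = line.split()
            if parts[0].lower() in ("servername", "serveralias"):
                # ServerName may carry a scheme and port; keep only the host part.
                current.update(re.sub(r"^[a-z]+://|:\d+$", "", p.lower())
                               for p in parts[1:])
    return vhosts

def uncovered_hostnames(conf_text, expected, port="443"):
    """Hostnames in `expected` that no vhost on `port` lists (wildcard aliases honoured)."""
    names = set().union(*tls_vhost_names(conf_text, port))
    return [h for h in expected
            if not any(fnmatch.fnmatchcase(h.lower(), n) for n in names)]

if __name__ == "__main__":
    wanted = ["example.com", "www.example.com", "api.example.com"]
    print("Not covered by any TLS vhost:", uncovered_hostnames(SAMPLE_CONF, wanted))
```

The check reads the text of a single file and does not follow Include directives, so run it against each enabled site file.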

Hope this helps; if so, please consider letting me know (below) or sharing.
