3

I got this error in apache log:

[Mon Oct 28 16:11:33.074606 2019] [ssl:error] [pid 30553] AH02031: Hostname mywebsite.com provided via SNI, but no hostname provided in HTTP request

I couldn't find any info about it. What does it means?

The website was not responding and was on 100% cpu for an hour, I had to stop it from the Console, when I look at the error log, I only saw the above error, which was at the exact time when the cpu became 100%

I suspect it might be some form so hacker attack, since it is similar message to Conflict between SNI and HTTP provided domains

Elia Weiss
  • 160
  • 2
  • 7
  • 1
    It means literally what is written: there was a hostname in the initial TLS ClientHello message (i.e. SNI), but there was no HTTP Host header in the HTTP request inside this protected TLS channel. This header is, by the way, required in the HTTP/1.1 and higher versions of the protocol. This was reported because this is incorrect situation, and yes you're right this could be similar attack to the one you linked. – Nikita Kipriyanov Oct 29 '19 at 06:29

1 Answers1

1

I suspect it might be some form so hacker attack, since it is similar message to Conflict between SNI and HTTP provided domains.

While this could in theory be a hacker it could be totally innocent too. It is different to the problem in the question you've linked too where somebody deliberately uses a different name in ClientHello and Host header.

In this case there is simply no Host header. Instead of an attacker I rather suspect somebody trying HTTP without properly reading the specification or who tries if simply HTTP/1.0 requests (which don't require a Host header in all cases contrary to HTTP/1.1) still work.

For example the following simple Perl code will produce such a log entry if www.example.com would be a multi-domain setup served by Apache:

use IO::Socket::SSL;
my $cl = IO::Socket::SSL->new('www.example.com:443');
print $cl "GET / HTTP/1.0\r\n\r\n";

And with a slight modification (having the expected Host header) the message would not be there:

print $cl "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n";
Steffen Ullrich
  • 13,227
  • 27
  • 39
  • Your answer implies that it is probably an attacker, since why would some try to implement HTTP protocol instead of using std package? also when considering the fact that it cause the SRV to get stuck... – Elia Weiss Oct 30 '19 at 08:59
  • 1
    @EliaWeiss: *"Your answer implies that it is probably an attacker ... "* - It does not. There are so many questions at stackoverflow.com where users don't use existing HTTP stacks and build their own and build it wrong. No need to have an attacker for this, it is sufficient to have some of many who thinks that HTTP is a dead simple protocol and that one does not need the overhead of a library. – Steffen Ullrich Oct 30 '19 at 16:15
  • I also sometimes get this error in my Apache error logs, each time from some `*.toolbar.netcraft.com` client, and in the access log I get something like `"HEAD / HTTP/1.0" 400 5390 "-" "-"`, i.e. without a `Host` header. I guess that they are just testing whether my web server is alive, there is suspicious, or something like that. – vinc17 Apr 14 '20 at 10:48