Can't turn off SNI on apache

pmah asked:

When I go to: and check the headers of my site (, I get a status code 200

But when I use the radio button HTTP/1.0 (without Host header), I get a status code 400 (Bad Request).

My apache log says “Hostname provided via SNI, but no hostname provided in HTTP request”

I read that to make it work I need to turn off the directive “SSLStrictSNIVHostCheck” in my apache conf file.

I added this directive, but am still getting status code 400 when making an HTTP/1.0 request (without Host header).

For reference, this is my ports.conf file:


NameVirtualHost *:80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
    NameVirtualHost *:443
    SSLStrictSNIVHostCheck off
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

This is my default-ssl file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin [email protected]
    SSLStrictSNIVHostCheck off

    Alias /static /home/ubuntu/public_html/static
    <Directory /home/ubuntu/public_html/static>
        Order deny,allow
        Allow from all
    </Directory>

    Alias /media /home/ubuntu/public_html/media
    <Directory /home/ubuntu/public_html/media>
        Order deny,allow
        Allow from all
    </Directory>

    WSGIScriptAlias / /home/ubuntu/public_html/apache.wsgi

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from ::1/128
    </Directory>

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    SSLProtocol all -SSLv2

    SSLCertificateFile /etc/ssl/crt/example_org.crt
    SSLCertificateKeyFile /etc/ssl/crt/server.key
    SSLCertificateChainFile /etc/ssl/crt/ca.crt
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>

    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

My answer:

As far as I can tell from looking at the Apache source code, you can’t do that with any Apache configuration option. You MUST send a Host: header matching what was sent via SNI for Apache to accept it.

RFC 6066 section 11.1 specifies that web servers MUST check that the Host: header and host name sent via SNI match.

As a practical matter, any software speaking HTTP that was produced in the last 15 years or so should be sending the Host: header with every request. If you actually have something that isn’t, it’s either too ancient to still be on the Internet, or broken.

View the full question and any other answers on Server Fault.
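
The check the answer describes can be modelled offline. This is an added example, not part of the original question or answer and not Apache's code: the function names, the sample requests and the hostname `www.example.org` are constructed, and rejecting a mismatch with the same 400 as a missing Host header is an assumption of the model.

```python
"""Simplified model of a server-side SNI / Host header consistency check."""

def normalize(host):
    """Lower-case a host value and drop any port and trailing dot."""
    host = host.strip().lower()
    if host.startswith("["):                  # IPv6 literal such as [::1]:443
        return host[: host.find("]") + 1] or None
    if ":" in host:                           # strip ":port"
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or None

def host_from_request(raw):
    """Return the hostname in the Host header of a raw request, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return normalize(value)
    return None

def check(sni, raw):
    """Return (status, reason) for a request received over TLS."""
    host = host_from_request(raw)
    if sni is None:
        return 200, "no SNI sent, nothing to compare"
    if host is None:
        # The case from the question: HTTP/1.0 request without a Host header.
        return 400, "hostname provided via SNI, but none in HTTP request"
    if host != normalize(sni):
        # Assumption of this model: a mismatch is rejected the same way.
        return 400, "SNI %r and Host %r differ" % (sni, host)
    return 200, "SNI and Host match"

# Constructed sample requests, all arriving with SNI "www.example.org".
SAMPLES = [
    b"GET / HTTP/1.0\r\n\r\n",
    b"GET / HTTP/1.0\r\nHost: www.example.org\r\n\r\n",
    b"GET / HTTP/1.1\r\nhost: WWW.Example.ORG:443\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: other.example.org\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        status, reason = check("www.example.org", raw)
        print(status, reason, "<-", raw.split(b"\r\n\r\n")[0])
```

An HTTP/1.0 client may still send a Host header, as the second sample does, and that request passes the check.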

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.