ARO Security

William Herrin bill at
Mon May 18 20:49:11 UTC 2015

On Mon, May 18, 2015 at 3:59 PM, Eric Oosting <eric.oosting at> wrote:
> On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt <
> at> wrote:
>> 2.) The SSL cert for is invalid. It looks to be
>> trying to use the wildcard for
> I'm curious what is going on, but I wonder if it doesn't have something to
> do with the openssl command you've entered below.
>> $ openssl s_client -showcerts -connect

Hi Eric,

It does and it doesn't. The following openssl command gets the correct cert:

openssl s_client -servername -showcerts -connect

The -servername parameter tells openssl to use the SSL Server Name
Indication extension. This allows multiple HTTPS web sites to live on
the same IP address much as the HTTP 1.1 Host header allowed multiple
regular HTTP web sites to live on the same IP address.

All "modern" web browsers support SNI. "Modern" doesn't go back
terribly far. "Older" implementations of HTTPS will get the wrong
certificate as shown. So, if you want to maximize compatibility, have
a talk with your vendor about a dedicated IP address for your HTTPS
server. Otherwise, make a note in your documentation that SSL clients
must support the SNI extension to use the web site.

Bill Herrin

William Herrin ................ herrin at  bill at
Owner, Dirtside Systems ......... Web: <>
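The check Bill describes, done programmatically, as an added example that is not from the thread: connect once with SNI and once without, and test whether the certificate the server actually hands back covers the requested name (a wildcard for the hosting vendor's own domain, as Nicholas saw, will not). It assumes Python 3 and a CA-signed server certificate; the `*.hosting.example` names in the sample are constructed.

```python
"""Constructed example (not from the NANOG thread): does this TLS endpoint
serve a different certificate when the client omits SNI? Assumes Python 3
and a CA-signed server certificate; the *.hosting.example names are made up."""
import socket
import ssl
import sys
# Constructed sample, in the dict layout ssl.SSLSocket.getpeercert() returns.
SAMPLE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.hosting.example"),),),
    "subjectAltName": (("DNS", "*.hosting.example"), ("DNS", "hosting.example")),
}

def cert_names(cert):
    """DNS names the certificate covers: subjectAltName entries, then the CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(v for k, v in rdn if k == "commonName")
    return names

def name_matches(pattern, hostname):
    """Exact match, or a wildcard in the leftmost label only (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.split(".")[1:] == pattern[2:].split(".")
    return pattern == hostname

def cert_covers_host(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))

def fetch_cert(host, port=443, sni=True):
    """Handshake with or without SNI and return the parsed peer certificate.
    Chain validation stays on; only the hostname check is off, so a valid
    certificate for the *wrong* name is returned instead of raising."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()

def sni_report(host, port=443):
    """Per mode: True/False if the served certificate covers `host`, else the error."""
    report = {}
    for label, sni in (("with_sni", True), ("without_sni", False)):
        try:
            report[label] = cert_covers_host(fetch_cert(host, port, sni), host)
        except ssl.SSLError as exc:
            report[label] = f"handshake failed: {exc}"
    return report
if __name__ == "__main__":
    print(sni_report(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

A result of `{'with_sni': True, 'without_sni': False}` is the situation in the thread: the site works only for SNI-capable clients.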
