ARO Security

William Herrin bill at herrin.us
Mon May 18 20:49:11 UTC 2015


On Mon, May 18, 2015 at 3:59 PM, Eric Oosting <eric.oosting at gmail.com> wrote:
> On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt <
> nicholas.schmidt at controlgroup.com> wrote:
>> 2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
>> trying to use the wildcard for amsl.com
>
>
> I'm curious what is going on, but I wonder if it doesn't have something to
> do with the openssl command you've entered below.
>
>> $ openssl s_client -showcerts -connect secretariat.nanog.org:443

Hi Eric,

It does and it doesn't. The following openssl command gets the correct cert:

openssl s_client -servername secretariat.nanog.org -showcerts -connect secretariat.nanog.org:443

The -servername parameter tells openssl to use the SSL Server Name
Indication extension. This allows multiple HTTPS web sites to live on
the same IP address much as the HTTP 1.1 Host header allowed multiple
regular HTTP web sites to live on the same IP address.

All "modern" web browsers support SNI. "Modern" doesn't go back
terribly far. "Older" implementations of HTTPS will get the wrong
certificate as shown. So, if you want to maximize compatibility, have
a talk with your vendor about a dedicated IP address for your HTTPS
server. Otherwise, make a note in your documentation that SSL clients
must support the SNI extension to use the web site.

Regards,
Bill Herrin

-- 
William Herrin ................ herrin at dirtside.com  bill at herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
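As an added example (not code from this thread, nor from NANOG, AMSL or OpenSSL), the following Python 3 script shows what the Server Name Indication extension Bill describes actually looks like on the wire, and why a client that omits it ends up with the server's default certificate. It builds a minimal, constructed TLS 1.2 ClientHello with or without the server_name extension, parses the name back out the way a virtual-hosting HTTPS server or an SNI-routing proxy does, and then picks a certificate by name. The certificate "store" is a dict of placeholder subject strings, not real certificates, and the ClientHello carries only the fields needed for the demonstration.

```python
"""Added example: SNI on the wire (RFC 6066) and name-based cert selection.
Standard library only; the ClientHello and the certificate store are constructed."""
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # extension type for SNI (RFC 6066 section 3)
SNI_HOST_NAME = 0x00      # the only NameType RFC 6066 defines


def build_client_hello(server_name=None):
    """Return a minimal TLS 1.2 ClientHello record.

    Only what the demonstration needs is populated: a zeroed client random,
    one cipher suite and, when server_name is given, a single server_name
    extension. Real clients send much more, but the field layout a parser
    has to walk is the same.
    """
    body = (
        b"\x03\x03"                           # client_version: TLS 1.2
        + bytes(32)                           # client random (constructed: zeros)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"  # one suite: ECDHE-RSA-AES128-GCM-SHA256
        + b"\x01\x00"                         # compression methods: null only
    )
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext   # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version 3.1 is what clients commonly send for compatibility.
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or
    None when the client sent no SNI (what a pre-SNI client does).
    Raises ValueError for anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos >= len(body):
            return None                                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            lpos = 2
            while lpos + 3 <= list_end:                        # ServerNameList entries
                name_type = data[lpos]
                name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                name = data[lpos + 3:lpos + 3 + name_len]
                lpos += 3 + name_len
                if name_type == SNI_HOST_NAME:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


def select_certificate(record, certs, default_name):
    """Name-based selection as a virtual-hosting TLS server does it: serve the
    certificate for the SNI name, or the default one when the client sent no
    SNI or asked for a name the server does not host."""
    name = extract_sni(record)
    if name is None or name not in certs:
        return certs[default_name]
    return certs[name]


if __name__ == "__main__":
    # Constructed store: placeholder subjects standing in for real certificates.
    certs = {"*.amsl.com": "CN=*.amsl.com (default)",
             "secretariat.nanog.org": "CN=secretariat.nanog.org"}
    print("with SNI:   ", select_certificate(build_client_hello("secretariat.nanog.org"), certs, "*.amsl.com"))
    print("without SNI:", select_certificate(build_client_hello(), certs, "*.amsl.com"))
```

The second print is the failure mode from the thread: with no server_name extension the server has nothing to select on and answers with whatever certificate is configured as the default, which is why the bare `openssl s_client -connect` invocation and old SNI-less clients see the wrong certificate.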