Re: [certid] [TLS] [secdir] secdir

Martin Rex <mrex@sap.com> Wed, 22 September 2010 21:20 UTC

From: Martin Rex <mrex@sap.com>
Message-Id: <201009222120.o8MLKS7H005526@fs4113.wdf.sap.corp>
Orig-To: marsh@extendedsubset.com (Marsh Ray)
To: certid@ietf.org
Date: Wed, 22 Sep 2010 23:17:58 +0200 (MEST)
In-Reply-To: <4C9A5B13.1040802@extendedsubset.com> from "Marsh Ray" at Sep 22, 10 02:37:55 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: mrex@sap.com
Cc: certid@ietf.org, tls@ietf.org
Subject: Re: [certid] [TLS] [secdir] secdir
Precedence: list
Reply-To: mrex@sap.com

Marsh Ray wrote:
> 
> On 09/22/2010 01:31 PM, ArkanoiD wrote:
> > BTW, slightly offtopic here: whenever i connect to gmail.com,
> > i get certificate for mail.google.com.
> > But i've yet to see any web browser to complain! Where is the magic?
> 
> Seems totally relevant to me.
> 
> Going to https://gmail.com/ I get some kind of redirection to 
> https://www.google.com/accounts/ServiceLogin...

When I check https://gmail.com/ with my own command line tool
(which doesn't send TLS extension SNI) I get back a cert with
only a  CN-ID for mail.google.com and no DNS-IDs along with
a certificat mismatch error from my tool.

When I trace a FF connect to https://gmail.com/ I see that FF
sends TLS extension SNI and the server returns a server certificate
with a CN-ID for gmail.com (again no DNS-IDs).

> 
> marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443
> ...
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
> issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA

Maybe the openssl s_client (at least the one that you are using or
in the fashion that you are using it) does not send TLS extension SNI ?

I'm confused about the IE8 vs. IE9 behaviour that you report--
could it be that for your IE8 is running on a platform that
does not implement TLS extensions (XP,2003) or has the
TLSv1.x protocols disabled for some reason? 

-Martin

[certid] Fwd: secdir review of draft-saintandre-t… Peter Saint-Andre
Re: [certid] Fwd: secdir review of draft-saintand… Henry B. Hotz
Re: [certid] Fwd: secdir review of Martin Rex
Re: [certid] Fwd: secdir review of draft-saintand… Matt McCutchen
Re: [certid] Fwd: secdir review of draft-saintand… Matt McCutchen
Re: [certid] Fwd: secdir review of Martin Rex
Re: [certid] Fwd: secdir review of draft-saintand… Matt McCutchen
Re: [certid] Fwd: secdir review of draft-saintand… Phillip Hallam-Baker
Re: [certid] Fwd: secdir review of Martin Rex
Re: [certid] Fwd: secdir review of Henry B. Hotz
Re: [certid] Fwd: secdir review of Martin Rex
Re: [certid] Fwd: secdir review of Martin Rex
[certid] DNSSEC-based name canonicalization Matt McCutchen
[certid] Wildcards for serving untrusted web cont… Matt McCutchen
Re: [certid] DNSSEC-based name canonicalization Martin Rex
Re: [certid] DNSSEC-based name canonicalization Peter Gutmann
Re: [certid] secdir review of draft-saintandre-tl… Peter Saint-Andre
Re: [certid] Fwd: secdir review of draft-saintand… Peter Saint-Andre
Re: [certid] [secdir] secdir review of draft-sain… Peter Saint-Andre
Re: [certid] secdir review of draft-saintandre-tl… Barry Leiba
Re: [certid] Fwd: secdir review of draft-saintand… Barry Leiba
Re: [certid] secdir review of draft-saintandre-tl… Peter Saint-Andre
Re: [certid] [secdir] secdir review of draft-sain… Peter Saint-Andre
Re: [certid] [secdir] secdir review of draft-sain… Jeffrey Hutzelman
Re: [certid] [secdir] secdir review of draft-sain… Jeffrey Hutzelman
Re: [certid] [secdir] secdir review of draft-sain… Peter Saint-Andre
Re: [certid] [secdir] secdir review of draft-sain… ArkanoiD
Re: [certid] [TLS] [secdir] secdir review of draf… Marsh Ray
Re: [certid] [TLS] [secdir] secdir review of draf… Jeffrey A. Williams
Re: [certid] [TLS] [secdir] secdir review of draf… Marsh Ray
Re: [certid] [TLS] [secdir] secdir Martin Rex
Re: [certid] [TLS] [secdir] secdir review of draf… Richard L. Barnes
Re: [certid] [TLS] [secdir] secdir review of draf… Marsh Ray
[certid] Bad certificate handling Matt McCutchen
Re: [certid] [TLS] [secdir] secdir review of Martin Rex
Re: [certid] [TLS] [secdir] secdir review of Robert Relyea
Re: [certid] [TLS] [secdir] secdir review of draf… =JeffH
Re: [certid] [TLS] [secdir] secdir review of Nicolas Williams
Re: [certid] DNSSEC-based name canonicalization Peter Saint-Andre