IETF Logo Mail Archive

Re: [TLS] [certid] [secdir] secdir

Dr Stephen Henson <lists@drh-consultancy.demon.co.uk> Wed, 22 September 2010 21:37 UTC

Return-Path: <lists@drh-consultancy.demon.co.uk>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A3D3D28C12E for <tls@core3.amsl.com>; Wed, 22 Sep 2010 14:37:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.695
X-Spam-Level:
X-Spam-Status: No, score=0.695 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FB_WORD2_END_DOLLAR=3.294]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BEi8BB862ZxM for <tls@core3.amsl.com>; Wed, 22 Sep 2010 14:37:04 -0700 (PDT)
Received: from claranet-outbound-smtp06.uk.clara.net (claranet-outbound-smtp06.uk.clara.net [195.8.89.39]) by core3.amsl.com (Postfix) with ESMTP id 6DAE928C0EE for <tls@ietf.org>; Wed, 22 Sep 2010 14:36:26 -0700 (PDT)
Received: from drh-consultancy.demon.co.uk ([80.177.30.10]:49562 helo=[192.168.7.8]) by relay06.mail.eu.clara.net (relay.clara.net [213.253.3.46]:10587) with esmtpa (authdaemon_plain:drh) id 1OyWzk-0007k1-Jv for tls@ietf.org (return-path <lists@drh-consultancy.demon.co.uk>); Wed, 22 Sep 2010 21:36:52 +0000
Message-ID: <4C9A76F4.7080400@drh-consultancy.demon.co.uk>
Date: Wed, 22 Sep 2010 22:36:52 +0100
From: Dr Stephen Henson <lists@drh-consultancy.demon.co.uk>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: tls@ietf.org
References: <201009222117.o8MLHwW4005093@fs4113.wdf.sap.corp>
In-Reply-To: <201009222117.o8MLHwW4005093@fs4113.wdf.sap.corp>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [TLS] [certid] [secdir] secdir
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Sep 2010 21:37:04 -0000

On 22/09/2010 22:17, Martin Rex wrote:
> Marsh Ray wrote:
>>
>> On 09/22/2010 01:31 PM, ArkanoiD wrote:
>>> BTW, slightly offtopic here: whenever i connect to gmail.com,
>>> i get certificate for mail.google.com.
>>> But i've yet to see any web browser to complain! Where is the magic?
>>
>> Seems totally relevant to me.
>>
>> Going to https://gmail.com/ I get some kind of redirection to 
>> https://www.google.com/accounts/ServiceLogin...
> 
> When I check https://gmail.com/ with my own command line tool
> (which doesn't send TLS extension SNI) I get back a cert with
> only a  CN-ID for mail.google.com and no DNS-IDs along with
> a certificat mismatch error from my tool.
> 
> When I trace a FF connect to https://gmail.com/ I see that FF
> sends TLS extension SNI and the server returns a server certificate
> with a CN-ID for gmail.com (again no DNS-IDs).
> 
> 
>>
>> marsh@lamb:/tmp$ openssl s_client -connect gmail.com:443
>> ...
>> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
>> issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
> 
> Maybe the openssl s_client (at least the one that you are using or
> in the fashion that you are using it) does not send TLS extension SNI ?
> 

Yes you need -servername gmail.com then you get back a CN of gmail.com also.

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.

v2.23.0 | Report a Bug | By Email