Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09

Marsh Ray <marsh@extendedsubset.com> Wed, 22 September 2010 21:20 UTC

Message-ID: <4C9A7330.3090001@extendedsubset.com>
Date: Wed, 22 Sep 2010 16:20:48 -0500
From: Marsh Ray <marsh@extendedsubset.com>
To: Nasko Oskov <noskov@microsoft.com>
References: <AANLkTin6qXBOEJheaG8+SU=3k63Ed+3qXvoLHF5_hb6x@mail.gmail.com> <4C9A27D0.7030909@stpeter.im> <17472_1285173298_o8MGYvUB005723_AANLkTinAdE0qVxqUEBNe3ZWCry856bresv+x2Ga7Urju@mail.gmail.com> <86E28295D464B450ECA5B1D5@lysithea.fac.cs.cmu.edu> <20100922183143.GA23200@eltex.net> <4C9A5B13.1040802@extendedsubset.com> <4C9A5FA8.7050605@extendedsubset.com> <B197003731D4874CA41DE7B446BBA3E86B133F95@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <B197003731D4874CA41DE7B446BBA3E86B133F95@TK5EX14MBXW652.wingroup.windeploy.ntdev.microsoft.com>
Cc: ArkanoiD <ark@eltex.net>, Barry Leiba <barryleiba.mailing.lists@gmail.com>, "tls@ietf.org" <tls@ietf.org>, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09

On 09/22/2010 04:10 PM, Nasko Oskov wrote:
>
> Or much simpler explanation. Gmail most likely uses SNI on the server
> side to select the proper certificate based on the client requesting
> host name. openssl s_client doesn't send the SNI to the server, so
> the default of mail.google.com is returned. If you use a browser with
> support for SNI, you won't see an error, since you get a proper
> cert.
>
> Just my own interpretation on what happens.

Yep, that's it. I was able to get a gmail.com certificate out of the 
server by using a client which sent SNI.

On 09/22/2010 04:17 PM, Martin Rex wrote:
> I'm confused about the IE8 vs. IE9 behaviour that you report--
> could it be that for your IE8 is running on a platform that
> does not implement TLS extensions (XP,2003) or has the
> TLSv1.x protocols disabled for some reason?

Yep, svr2k3r2.

The Qualys SSL Labs assessment tool doesn't send SNI, so consequently it 
gives all 'F's.
https://www.ssllabs.com/ssldb/analyze.html?d=gmail.com

Gmail.com may be the first major site to depend on SNI for proper operation.

So next time you hear someone saying they can't implement https because 
their site can't get its own IP yet it's too important to rely on 
extensions...

- Marsh
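The mechanism the thread is describing, as an added example that is not part of the original message or of any of the software named in it: a client builds a ClientHello with or without the RFC 6066 server_name extension, a server-side dispatcher parses the extension and picks a certificate (falling back to a default when no SNI is present), and the client then checks the presented dNSName values against the host it meant to reach using a simplified form of the draft's matching rules. The vhost table and the SAN lists in it are constructed for illustration, not Google's real certificate inventory; the names assumed are "gmail.com" and "mail.google.com", as in the thread.

```python
import os
import struct

# Constructed vhost table (illustrative, not Google's real certificates):
# SNI host_name -> dNSName SANs of the certificate the server would present.
VHOSTS = {
    "gmail.com": ["gmail.com", "*.gmail.com"],
    "mail.google.com": ["mail.google.com"],
}
# What a client that sends no SNI gets: the thread's "default of mail.google.com".
DEFAULT_SANS = VHOSTS["mail.google.com"]

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000   # RFC 6066 server_name extension type
SNI_HOST_NAME = 0x00       # NameType host_name


def build_client_hello(server_name=None):
    """Minimal TLS 1.2 ClientHello record; adds a server_name extension if asked."""
    body = b"\x03\x03" + os.urandom(32)            # client_version, random
    body += b"\x00"                                # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
    body += b"\x01\x00"                            # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry          # ServerNameList
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(record):
    """Server side: return the host_name from a ClientHello, or None if absent."""
    ctype, _ver, rlen = struct.unpack("!HHB"[::-1] and "!BHH", record[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                        # header, version, random
    pos += 1 + hs[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + hs[pos]                                      # compression_methods
    if pos >= len(hs):
        return None                                         # pre-extension client
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        lpos = 2                                            # skip ServerNameList length
        while lpos + 3 <= len(data):
            ntype, nlen = struct.unpack("!BH", data[lpos:lpos + 3])
            name = data[lpos + 3:lpos + 3 + nlen]
            lpos += 3 + nlen
            if ntype == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def select_certificate(sni, vhosts=VHOSTS, default=DEFAULT_SANS):
    """Server side: certificate for the SNI vhost, else the default certificate."""
    return vhosts.get(sni, default) if sni is not None else default


def hostname_matches(reference, dns_names):
    """Client side, simplified from the draft: case-insensitive label compare,
    '*' allowed only as the whole left-most label and matching exactly one label."""
    ref = reference.lower().rstrip(".").split(".")
    for presented in dns_names:
        labels = presented.lower().rstrip(".").split(".")
        if len(labels) != len(ref):
            continue
        if labels == ref:
            return True
        if labels[0] == "*" and len(labels) >= 3 and labels[1:] == ref[1:]:
            return True
    return False


def simulate(reference, send_sni):
    """Round trip: returns (SANs the server presented, whether the client accepts)."""
    hello = build_client_hello(reference if send_sni else None)
    presented = select_certificate(parse_sni(hello))
    return presented, hostname_matches(reference, presented)


if __name__ == "__main__":
    for host, sni in [("gmail.com", True), ("gmail.com", False)]:
        print(host, "with SNI" if sni else "without SNI", "->", simulate(host, sni))
```

Without SNI the client reaching gmail.com is handed the mail.google.com certificate and its own identity check fails, which is exactly the mismatch error reported in the thread; with SNI it gets the gmail.com certificate and the check passes. The `-servername` option of modern `openssl s_client` sends the extension, so the same server answers differently depending on whether a tester remembers to set it.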