Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
Nasko Oskov <noskov@microsoft.com> Wed, 22 September 2010 21:11 UTC
From: Nasko Oskov <noskov@microsoft.com>
To: Marsh Ray <marsh@extendedsubset.com>, ArkanoiD <ark@eltex.net>
Date: Wed, 22 Sep 2010 21:10:56 +0000
Cc: Barry Leiba <barryleiba.mailing.lists@gmail.com>, "tls@ietf.org" <tls@ietf.org>, Jeffrey Hutzelman <jhutz@cmu.edu>
>-----Original Message-----
>From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Marsh Ray
>Sent: Wednesday, September 22, 2010 12:57 PM
>To: ArkanoiD
>Cc: IETF discussion list; secdir@ietf.org; Barry Leiba; IETF cert-based identity; tls@ietf.org; Jeffrey Hutzelman
>Subject: Re: [TLS] [certid] [secdir] secdir review of draft-saintandre-tls-server-id-check-09
>
>On 09/22/2010 01:31 PM, ArkanoiD wrote:
> > BTW, slightly offtopic here: whenever i connect to gmail.com, i get
> > certificate for mail.google.com. But i've yet to see any web browser
> > to complain! Where is the magic?
>
>On 09/22/2010 02:37 PM, Marsh Ray wrote:
>>
>> Hopefully I'm overlooking something simple, but at first glance it would
>> seem like either of these two conditions are true:
>>
>> 1. Multiple vendors are putting some kind of override table in their
>> browsers with an entry for gmail.com.
>
>This search
>http://mxr.mozilla.org/mozilla1.9.2/search?string=[^%40]gmail.com&regexp=1&hitlimit=&tree=mozilla1.9.2
>
>Doesn't return any hits. That search page is a little tricky though. It
>kept wanting to change my "^@" to "\0"! :-)
>
>Which suggests that:
>> 2. Browsers are running script from badly authenticated sources.

Or a much simpler explanation. Gmail most likely uses SNI on the server side to select the proper certificate based on the host name the client requests. openssl s_client doesn't send the SNI to the server, so the default of mail.google.com is returned. If you use a browser with support for SNI, you won't see an error, since you get a proper cert.

Just my own interpretation on what happens.

Nasko