nanog mailing list archives

Re: ARO Security


From: William Herrin <bill () herrin us>
Date: Mon, 18 May 2015 16:49:11 -0400

> On Mon, May 18, 2015 at 3:59 PM, Eric Oosting <eric.oosting () gmail com> wrote:
>> On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt <
>> nicholas.schmidt () controlgroup com> wrote:
>>> 2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
>>> trying to use the wildcard for amsl.com
>>
>> I'm curious what is going on, but I wonder if it doesn't have something to
>> do with the openssl command you've entered below.
>>
>> $ openssl s_client -showcerts -connect secretariat.nanog.org:443

Hi Eric,

It does and it doesn't. The following openssl command gets the correct cert:

openssl s_client -servername secretariat.nanog.org -showcerts -connect secretariat.nanog.org:443

The -servername parameter tells openssl to use the SSL Server Name
Indication extension. This allows multiple HTTPS web sites to live on
the same IP address much as the HTTP 1.1 Host header allowed multiple
regular HTTP web sites to live on the same IP address.
All "modern" web browsers support SNI. "Modern" doesn't go back
terribly far. "Older" implementations of HTTPS will get the wrong
certificate as shown. So, if you want to maximize compatibility, have
a talk with your vendor about a dedicated IP address for your HTTPS
server. Otherwise, make a note in your documentation that SSL clients
must support the SNI extension to use the web site.

Regards,
Bill Herrin
-- 
William Herrin ................ herrin () dirtside com  bill () herrin us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
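The mismatch Nicholas saw and Bill's explanation of it can be checked without reading certificate dumps by hand. The script below is an added example and is not part of the thread or of any NANOG tooling. It connects to a host twice, once sending the SNI extension (what `-servername` does) and once without it (what the bare `-connect` does), and reports whether the DNS names in each certificate actually cover the requested hostname. The wildcard matching is a simplified RFC 6125 rule written here for illustration (one label, leftmost position only); the hostname `secretariat.nanog.org` is taken from the thread, everything else (function names, the sample SAN lists) is assumed.

```python
import socket
import ssl


def hostname_matches(hostname, dns_names):
    """Return True if hostname is covered by one of a certificate's DNS SANs.

    Simplified RFC 6125 rule (assumption for this example): a wildcard
    matches exactly one leftmost label, so '*.amsl.com' covers
    'www.amsl.com' but neither 'amsl.com' nor 'a.b.amsl.com', and it
    never covers 'secretariat.nanog.org'.
    """
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*."):
            suffix = pattern[1:]            # e.g. ".amsl.com"
            if host.endswith(suffix):
                leftmost = host[: -len(suffix)]
                if leftmost and "." not in leftmost:
                    return True
    return False


def san_dns_names(cert):
    """Pull the DNS entries out of the dict returned by SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def fetch_cert(host, port=443, use_sni=True, timeout=10):
    """Return the peer certificate dict for host, with or without sending SNI.

    The chain is still validated against the system CA store (getpeercert()
    only returns the decoded dict when verification is on); the hostname
    check is deliberately disabled so we can inspect a wrong-but-valid cert
    instead of having the handshake refuse it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    server_hostname = host if use_sni else None
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
            return tls.getpeercert()


def diagnose(host, port=443):
    """Compare the certificate served with SNI against the default (no-SNI) one.

    Returns a dict keyed by 'sni' and 'no_sni'; each value holds the DNS
    names presented and whether they cover the requested host. Needs
    network access, so it is only called from the __main__ block.
    """
    report = {}
    for label, use_sni in (("sni", True), ("no_sni", False)):
        try:
            names = san_dns_names(fetch_cert(host, port, use_sni=use_sni))
            report[label] = {"dns_names": names,
                             "covers_host": hostname_matches(host, names)}
        except ssl.SSLError as exc:
            report[label] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    # Live check of the host from the thread; a client without SNI support
    # sees whatever the 'no_sni' row shows, which is the compatibility caveat.
    for label, result in diagnose("secretariat.nanog.org").items():
        print(label, result)
```

Run it as a script to see both answers side by side; a `no_sni` row whose `covers_host` is False is exactly the situation described in the thread, and it is what any pre-SNI client would experience on that address.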