CN doesn't match serverName

Hi

This could be a follow-up to a previous thread I started.

My server runs SNI with multiple domains and certificates.
All certs are checked and OK with SSL Server Test (Powered by Qualys SSL Labs).

But while trying to find a solution to another issue I have, I discovered something weird.

Let's say I got

Browser, ssllabs, and googletransparencyreport are giving me the correct CN.

But when I checked with openssl I got something different:

~$ openssl s_client -connect www.domain2.com:443 -prexit
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain1.com
verify return:1
---
Certificate chain
 0 s:/CN=domain1.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

As you can see, the CN is different from the domain checked??

Hi @jd440,

When executing that openssl s_client command you are not using SNI to connect to your server, so the certificate served is the first certificate loaded by your web server. If you want to check a specific domain, use the -servername param:

openssl s_client -connect www.domain2.com:443 -servername www.domain2.com -prexit

Cheers,
sahsanu

1 Like

@sahsanu thanks

So there is no way to hide the link between domains?

You can make a conf file in your web server that is loaded first and uses whatever certificate you want for that virtual host.

1 Like

The openssl connection translates the name to an IP.
So, it’s like saying:
openssl s_client -connect IP:443 -prexit

As @sahsanu pointed out, unless you pass the specific -servername it will use the IP and your config will serve up the default site (or the first to match) for that IP. Read up on SNI and how your web server handles it.
If you don’t want any particular site to be served by a direct IP request, make another vhost config that serves the *:80 and *:443 and is the default (or place it first on the process list of vhosts).

2 Likes
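The two answers above describe the same effect: without SNI the server falls back to its default virtual host. This added example (not from the thread or from OpenSSL) does the same probe from Python, fetching the leaf certificate once without and once with SNI and checking whether the name you asked for is actually covered; the hostnames are the thread's placeholders and `SAMPLE_CERT` is a constructed dict in the shape `ssl.getpeercert()` returns.

```python
import socket
import ssl

# Constructed sample in the shape ssl.getpeercert() returns, mirroring the
# thread's output (leaf CN=domain1.com); nothing is fetched to build it.
SAMPLE_CERT = {
    "subject": ((("commonName", "domain1.com"),),),
    "subjectAltName": (("DNS", "domain1.com"), ("DNS", "www.domain1.com")),
}

def fetch_leaf_cert(host, port=443, use_sni=True, timeout=5.0):
    """Leaf certificate as a getpeercert() dict.  use_sni=False sends no
    server_name extension (s_client without -servername), so a multi-vhost
    server answers with its default certificate.  Chain validation stays on
    (getpeercert() is empty otherwise); only the hostname check is off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()

def cert_names(cert):
    """Return (subject CN, sorted DNS SANs) from a getpeercert() dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return cn, sans

def name_matches(hostname, cert):
    """True if hostname is covered by a DNS SAN; modern clients ignore the CN."""
    host = hostname.lower()
    for san in cert_names(cert)[1]:
        san = san.lower()
        if san.startswith("*."):  # a wildcard covers exactly one label
            if host.count(".") == san.count(".") and host.endswith(san[1:]):
                return True
        elif san == host:
            return True
    return False

def compare(host, port=443):
    """Map use_sni -> (CN, SANs, host covered?) for one server, both ways."""
    result = {}
    for sni in (False, True):
        cert = fetch_leaf_cert(host, port, sni)
        result[sni] = (*cert_names(cert), name_matches(host, cert))
    return result
```

Run `compare("www.domain2.com")` against a server like the one in the thread and the `False` entry shows domain1.com's names with the coverage flag `False`, while the `True` entry shows the certificate the browser gets.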
