CN doen't match to serverName


#1

Hi

This could be the following of a previous thread i did

On my server, running on SNI and multiple domain and certificate.
All certs are checked, and OK with https://www.ssllabs.com/ssltest/

But trying to find solution to another issue I got I discover something Weird.

Let’s say I Got

Browser, ssllabs, googletransparencyreport are giving me the correct CN

But when i checked with openssl I got something different

~$ openssl s_client -connect www.domain2.com:443 -prexit
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain1.com
verify return:1
---
Certificate chain
 0 s:/CN=domain1.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

As you could see CN are different from domain checked??


#2

Hi @jd440,

Executing that openssl s_client command you are not using SNI to connect to your server so the certificate served is the first certificate loaded by your web server, if you want to check an specific domain use -servername param.

openssl s_client -connect www.domain2.com:443 -servername www.domain2.com -prexit

Cheers,
sahsanu


#3

@sahsanu thanks

So there is no way to hide link between domain


#4

You can made a conf file in your web server to be loaded the first and use whatever certificate you want for that virtual host.


#5

The openssl connection translates the name to an IP.
So, it’s like saying:
openssl s_client -connect IP:443 -prexit

As @sahsanu pointed out, unless you pass the specific -servername it will use the IP and your config will serve up the default site (or the first to match) for that IP. Read up on SNI and how your web server handles it.
If you don’t want any particular site to be served by a direct IP request, make another vhost config that serves the *:80 and *:443 and is the default (or place it first on the process list of vhosts).


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.