This could be a follow-up to a previous thread I did.
On my server, running with SNI and multiple domains and certificates.
All certs are checked, and OK with SSL Server Test (Powered by Qualys SSL Labs).
But while trying to find a solution to another issue I had, I discovered something weird.
Let's say I got
Browser, ssllabs, googletransparencyreport are giving me the correct CN.
But when I checked with openssl I got something different:
~$ openssl s_client -connect www.domain2.com:443 -prexit
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
depth=0 CN = domain1.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
As you can see, the CN is different from the domain checked??
In the openssl s_client command you are not using SNI to connect to your server, so the certificate served is the first certificate loaded by your web server. If you want to check a specific domain, use:
openssl s_client -connect www.domain2.com:443 -servername www.domain2.com -prexit
So there is no way to hide the link between domains
You can make a conf file in your web server that is loaded first and use whatever certificate you want for that virtual host.
The openssl connection translates the name to an IP.
So, it’s like saying:
openssl s_client -connect IP:443 -prexit
As @sahsanu pointed out, unless you pass the specific -servername it will use the IP and your config will serve up the default site (or the first to match) for that IP. Read up on SNI and how your web server handles it.
If you don’t want any particular site to be served by a direct IP request, make another vhost config that serves the *:80 and *:443 and is the default (or place it first on the process list of vhosts).