Not a problem, just wondering why


#1

I’m checking out a website via the Qualys SSL Labs checker and get this cert info, and wondering what it means. Is the site hosted externally with a large ISP perhaps? Or can it be that the server is returning an extra certificate that it shouldn’t be? AFAIK it is hosted internally via Drupal on nginx (sorry for the colors, that’s this blog engine):

Certificate #1: RSA 2048 bits (SHA256withRSA)

Subject 5638404075159552-fe2.pantheonsite.io 
Fingerprint SHA256: 3c664bc10443f04a0d846c92fc0547ee92ff58473a9b7c4501c7e6add610013d
Pin SHA256: Q8h8cEcUrZgQzNTvKB1kgWQ6jigjjQ2Ox0Y7AQ86BZM=
Common names 5638404075159552-fe2.pantheonsite.io
Alternative names 5638404075159552-fe2.pantheonsite.io americartusa.com ascrsfoundation.org assist.ceh.ac.uk beefandlambnz.com bensonrolloff.com blog.angaza.com bluebonnetaquasystems.com career.titustalent.com crires.ulaval.ca cssrc.us dev.chs-urc.org dev.ppfaactioncouncils.org dev.wenturetech.com developer-dev.usga.org developer-qa.usga.org district37.cssrc.us dogtracks.zebradog.com fluffmoo.net fullcircledesign.co gerhartpools.net healthytrees.com housingforward.org hrpro.hr.wa.gov icpvegetation.ceh.ac.uk it.ohiochristian.edu jansson.corvenas.io jwcatering.com kabukisyndrome.com kha.com life.brandless.com limonforassembly.com longdogz.com monkeyfeverrisk.ceh.ac.uk moorlach.cssrc.us mscollision.com myclubhouseparty.com opportunitydetroit.com pacificislandfinancial.com pacislandfinancial.com providencesaintjosephbreasthealth.com rize3d.com sharingsolace.com skylinemarketingdept.com stagestoresunpaidwages.com test.vitanovarehab.com the-eleanor.com thecowboycorner.com themusicrun.com.sg thewawafoundation.org ucdintegrativemedicine.com vehiclebarcodescanner.com vinaesmeralda.com vitanovarehab.com vizientsouthernstates.com walkinthewoodswith.us wdfw.wa.gov wenturetech.com www.americartusa.com www.ascrsfoundation.org www.assist.ceh.ac.uk www.bar-fans.com www.bensonrolloff.com www.bluebonnetaquasystems.com www.crires.ulaval.ca www.cssrc.us www.docklite.com www.farmtreestoair.ceh.ac.uk www.fluffmoo.net www.gerhartpools.net www.griffinservice.com www.healthytrees.com www.housingforward.org www.jwcatering.com www.kabukisyndrome.com www.limonforassembly.com www.longdogz.com www.meetsam.app www.midwestfilm.com www.monkeyfeverrisk.ceh.ac.uk www.moorlach.cssrc.us www.mscollision.com www.myclubhouseparty.com www.opportunitydetroit.com www.pacificislandfinancial.com www.pacislandfinancial.com www.providencesaintjosephbreasthealth.com www.resilientinstitutionsafrica.com www.rize3d.com www.sharingsolace.com www.skylinemarketingdept.com www.stagestoresunpaidwages.com 
www.the-eleanor.com www.thecowboycorner.com www.themusicrun.com.sg www.thewawafoundation.org www.ucdintegrativemedicine.com www.vehiclebarcodescanner.com www.vizientsouthernstates.com www.wenturetech.com
Serial Number 04943f9e4144e612224d90895e2b3906ff5e
Valid from Thu, 21 Mar 2019 17:07:15 UTC
Valid until Wed, 19 Jun 2019 17:07:15 UTC (expires in 2 months and 24 days)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer Let's Encrypt Authority X3 
AIA: http://cert.int-x3.letsencrypt.org/
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency Yes (certificate)
OCSP Must Staple No
Revocation information OCSP 
OCSP: http://ocsp.int-x3.letsencrypt.org
Revocation status Good (not revoked)
DNS CAA No 
Trusted Yes   Mozilla  Apple  Android  Java  Windows

…and…

Certificate #2: RSA 2048 bits (SHA256withRSA) No SNI

Server Key and Certificate #1
Subject *.getpantheon.com 
Fingerprint SHA256: 7761023ff4ba4b45c29af354255875ba57d6929179ccd0b7a75861c9685f8f36
Pin SHA256: m1kkceOTfyg+kIV8n2wjmjOE9Owo/gzZ2ySAm0Lvkb8=
Common names *.getpantheon.com
Alternative names *.getpantheon.com *.pantheon.io *.pantheonsite.io pantheonsite.io *.gotpantheon.com gotpantheon.com getpantheon.com    **MISMATCH**
Serial Number 06fcb0bbe23732d7bedf562d4367adfd
Valid from Wed, 06 Mar 2019 00:00:00 UTC
Valid until Mon, 30 Mar 2020 12:00:00 UTC (expires in 1 year)
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer DigiCert SHA2 Secure Server CA 
AIA: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency Yes (certificate)
OCSP Must Staple No
Revocation information CRL, OCSP 
CRL: http://crl3.digicert.com/ssca-sha2-g6.crl 
OCSP: http://ocsp.digicert.com
Revocation status Good (not revoked)
Trusted No    NOT TRUSTED   Mozilla  Apple  Android  Java  Windows

Thanks for any insight you can give.


#2

The keyword (or sentence) here is the “No SNI” part.

For more information, see: https://en.wikipedia.org/wiki/Server_Name_Indication


#3

So the second cert is presented to the browser if it doesn’t understand SNI? Why all of the disparate domains in the first cert then?


#4

The first certificate seems to be a large one that was obtained by the hosting provider for many customers, while the second one seems to be the hosting provider’s own cert, which is served if it doesn’t know which particular site the visitor is trying to connect to (which is the no-SNI condition).


#5

So that means this is a hosted site on a large ISP and not a single site on a local server? Huh…


#6

Hi @mushu

You can see the same effect on smaller sites.

A wildcard is the standard certificate, so all (customer-specific) subdomains use that wildcard certificate.

Additionally, there are some explicit certificates (www + non-www per domain) with SNI.

Result: when checking one of these explicit domains, the wildcard certificate is shown - “without SNI”.


#7

Sure, but does that mean all of those sites listed in that wildcard cert are hosted on that ISP server?


#8

The wildcard cert isn’t interesting, that’s just a cert of the hosting provider.

The first certificate you presented is “sort of” more interesting. A small sample of those hostnames all resolve to the IP address 23.185.0.2, most of them through a CNAME pointing to fe2.edge.pantheon.io..

So yes, it seems many, if not all of those hostnames are hosted behind a single IP address on a large hosting provider called Pantheon.


#9

It’s possible that they have a CDN-like architecture and use something like proxy_pass to forward individual connections to individual servers, but the simplest interpretation would be that it’s hosted in a large shared environment.


#10

Okay that makes sense. I found it interesting that .gov sites were also hosted there, although I guess that doesn’t make it any less secure. It’s just that there are unique requirements for data and privacy that ISPs generally can’t accommodate since they have so many clients.


#11

Yes, that’s possible. I have such a subdomain service, so every customer has a subdomain that works with the wildcard certificate. Some customers use their own domains and have domain-specific certificates. They can use both - the subdomain and their own address.


#12

But I thought SNI was controlled by the server, not the certificate. Isn’t the cert just used as a kind of “key” to the “building front door”? After the door is opened the long hallway of SNI has many other doors but all have a different “nameplate” yet are in the same “building”. If you get that. So how does a cert control whether the client understands SNI, isn’t that part of the code in the browser? That’s why an old browser like IE 6 doesn’t know SNI but all new browsers do…or am I totally off-base here?


#13

SNI is presented before the server decides which certificate to show, unlike the HTTP Host: header, which is presented after. The server can choose a certificate on the basis of the SNI field (and usually does, in HTTPS virtual hosting, in order to ensure a certificate match and not generate a browser error!).

The server could then also choose a specific virtual host on the basis of the HTTP Host: header. Usually this header agrees with the SNI value; when they don’t agree, we have “domain fronting” if the server decides to prefer the Host: header’s indication over the SNI indication.


#14

A server can have something like a standard vHost. If there is no special hostname defined, this standard vHost is used. This is where the wildcard certificate is (it works without SNI).

With SNI, it’s possible to define different vHosts (bindings) with individual hostnames and certificates.

Result:

customername.example.com -> *.example.com - certificate.

www.customername.com -> www.customername.com - certificate.
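
An added sketch, not written by any poster and not Pantheon's actual configuration, of the default-vHost fallback described in posts #4 and #14, using SAN names from the report in post #1. The store layout and function names are assumptions, and the first certificate's SAN list is abbreviated to three of its names.

```python
def san_matches(pattern, host):
    """Simplified RFC 6125 match: '*' stands for exactly the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more or fewer labels
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h

# Constructed store modelled on the two certificates in the SSL Labs report.
DEFAULT_CERT = {
    "subject": "*.getpantheon.com",
    "sans": ["*.getpantheon.com", "*.pantheon.io", "*.pantheonsite.io",
             "pantheonsite.io", "*.gotpantheon.com", "gotpantheon.com",
             "getpantheon.com"],
}
SHARED_CERT = {
    "subject": "5638404075159552-fe2.pantheonsite.io",
    "sans": ["5638404075159552-fe2.pantheonsite.io", "wdfw.wa.gov", "kha.com"],
}
SNI_CERTS = [SHARED_CERT]         # certificates selectable by SNI value

def select_cert(sni):
    """Choose by SNI when one was sent; otherwise serve the default vHost's cert."""
    if sni is not None:
        for cert in SNI_CERTS:
            if any(san_matches(s, sni) for s in cert["sans"]):
                return cert
    return DEFAULT_CERT

def handshake(requested_host, client_sends_sni):
    """Return (subject of the cert served, whether the client's name check passes)."""
    cert = select_cert(requested_host if client_sends_sni else None)
    name_ok = any(san_matches(s, requested_host) for s in cert["sans"])
    return cert["subject"], name_ok
```

For a customer domain, `handshake("wdfw.wa.gov", False)` returns the wildcard certificate with a failed name check, which is the MISMATCH flagged on Certificate #2; a platform subdomain under `pantheonsite.io` still validates without SNI because the default wildcard covers it.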