Perché non vi sono errori di certificato durante la visita a google.net anche se presenta un certificato rilasciato a google.com?

68

Il seguente output mostra che google.net presenta un certificato che è stato rilasciato a www.google.com .

$ openssl s_client -connect google.net:443 < /dev/null > out.txt 2>&1; cat out.txt
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3296 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 74F80EC832F6806A3E10956F29A90BF423010BFBD8727BC171F9BFE39D3F89E9
    Session-ID-ctx: 
    Master-Key: 01F60D0A6DC7FF255D1C468EF06E5B7875A99E95C7FA8551F664A514B2EC5535EBB6E76E204743BF7D46F683B36E0988
    Key-Arg   : None
    Start Time: 1499657382
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

Ho copiato il certificato in un file separato per analizzarlo.

$ cat cert.txt
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----

Quindi visualizzo il certificato con OpenSSL CLI.

$ openssl x509 -in cert.txt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:18:f0:44:a8:f3:18:92
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Jun 28 10:07:46 2017 GMT
            Not After : Sep 20 09:27:00 2017 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:91:df:f8:10:02:c2:99:53:36:dc:ca:38:bd:fd:
                    90:10:a7:ff:b4:83:92:40:e2:3a:37:95:42:ab:be:
                    9c:99:e3:ea:ae:e0:cd:45:56:fe:21:dd:3b:75:44:
                    f2:05:bb:59:f0:52:8b:b3:5f:11:45:7d:34:67:ae:
                    62:0d:c6:14:ae:25:8f:a9:99:00:c7:c8:ac:43:96:
                    c4:2d:87:54:6b:de:20:74:04:d5:f9:7e:95:ee:f0:
                    56:d6:a2:06:15:38:5b:6d:4a:24:3e:11:2b:a3:56:
                    34:5a:f7:d5:35:f9:49:47:40:4a:d9:39:7d:c8:7c:
                    dc:bd:1d:0a:7c:3a:cc:e3:10:25:bd:3d:c8:81:bc:
                    82:b6:0d:cd:c4:05:33:4b:04:c9:a0:4c:b6:a5:37:
                    f8:1f:51:17:5c:50:40:c6:f2:af:f2:6a:dc:62:42:
                    78:3f:cb:a8:c9:9a:c8:ff:64:e6:e0:f3:3f:eb:f9:
                    f3:b9:2b:c9:f3:dd:f7:60:16:65:28:1a:0e:7e:b3:
                    61:f9:00:a0:6f:4e:68:00:0e:3d:f4:a6:0d:cf:91:
                    77:14:7d:30:64:a3:93:44:6a:0c:0b:4c:c1:17:36:
                    69:fb:9e:7b:3b:6b:a1:e8:00:e9:04:ae:5b:51:35:
                    93:7b:7d:4d:0e:5e:c8:20:7d:16:27:f3:06:14:31:
                    8b:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:www.google.com
            Authority Information Access: 
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier: 
                88:FF:28:68:F3:5D:98:C9:73:75:B7:82:8D:64:C8:ED:D3:0E:7B:2A
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1
                Policy: 2.23.140.1.2.2

            X509v3 CRL Distribution Points: 
                URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha256WithRSAEncryption
        34:40:58:25:d5:4c:19:d6:f2:46:78:23:a1:9a:ff:53:eb:69:
        b7:b9:b8:3a:e6:ec:b9:d6:21:88:3a:37:1b:e0:e0:e9:18:e8:
        1e:c8:58:5e:b8:01:65:2a:f3:42:3b:fd:c8:6f:2a:74:b6:49:
        d1:75:a8:ee:6f:98:9d:cb:6c:bd:e5:d2:84:5b:72:0d:95:ba:
        f7:6b:52:a1:6f:38:1b:c2:a4:d0:4d:d1:57:8a:d9:27:62:3c:
        11:2e:10:6a:fa:34:a2:4e:80:72:20:5a:c0:25:87:ff:c2:74:
        38:f6:54:94:25:f4:9e:4c:b7:e6:96:89:7c:69:e4:03:b7:cf:
        ba:7d:59:ea:92:bd:8d:4f:6a:ed:5f:e2:59:31:8f:c5:f2:ee:
        37:e8:6c:ff:35:66:fa:13:da:eb:14:c1:c7:0a:e2:11:51:de:
        ed:a6:3f:90:75:1c:45:3a:62:cb:f3:ae:b8:d0:75:93:d1:ef:
        ca:98:26:2a:88:82:7d:d0:88:50:b7:13:0b:1f:80:2f:83:21:
        c1:fe:b7:15:59:aa:34:d9:77:30:22:1a:24:c7:8b:62:4d:35:
        d1:86:b1:dc:22:72:1e:34:6e:dc:ac:5b:ae:f3:c4:30:f6:a2:
        f1:60:ee:54:83:8f:bd:93:80:57:46:ed:38:c3:39:36:9a:96:
        f8:48:25:20
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----

Non c'è alcuna menzione di google.net in nessuna parte del certificato.

Tuttavia, quando visito link reindirizza in modo trasparente il client per link .

$ curl -I https://google.net/
HTTP/1.1 302 Found
Location: https://www.google.com/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Mon, 10 Jul 2017 03:34:48 GMT
Server: gws
Content-Length: 220
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=107=c9VFilfj0RLlIxvNfoJm1nETnE1IiUlg5TNL3GEs8oS_KWVWGEEcLIvQTSvtHjbwLSeqRVDpIYrqox24sE2ju7HbrSOqdu-3fNF7xzqHxV4I4YYeNiXjytTkYeKQ9inI; expires=Tue, 09-Jan-2018 03:34:48 GMT; path=/; domain=.google.net; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,36,35"

Vedo lo stesso comportamento anche con il browser.

Mi aspettavo che il ricciolo restituisse questo errore.

curl: (60) SSL certificate problem: Invalid certificate chain

Mi aspettavo che Firefox restituisse questo errore.

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Mi aspettavo che Chrome restituisse questo errore.

NET::ERR_CERT_COMMON_NAME_INVALID

Tuttavia, tutti e tre i client si connettono al link e ottengono reindirizzato al link . Perché non c'è nessun errore nemmeno sebbene il nome comune nel campo Oggetto del certificato sia google.com ma il dominio a cui mi sto collegando è google.net?

    
posta Lone Learner 10.07.2017 - 05:55
fonte

1 risposta

96

buco SNI

Sei caduto in un "buco SNI" . Google presenterà un certificato diverso se non è presente "Indicazione nome server" indicato nella parte handshake TLS del client. OpenSSL non lo imposterà automaticamente. Devi farlo manualmente. Ma tutti i client web moderni, incluso CURL , dovrebbero farlo automaticamente. Quindi la differenza.

Uso di SNI con OpenSSL

Impostazione predefinita: senza SNI:

$ echo '' | openssl s_client -connect google.net:443 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
                DNS:www.google.com

Aggiunta manuale di SNI tramite il parametro -servername :

$ echo '' | openssl s_client -connect google.net:443 -servername google.net 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.net
                DNS:*.google.net, DNS:google.net

Diversi certificati vengono restituiti.

    
risposta data 10.07.2017 - 07:20
fonte

Leggi altre domande sui tag