OpenSSL::X509::Certificate 显示错误域的证书
OpenSSL::X509::Certificate Showing Certificate for Wrong Domain
我正在遍历域列表以查看是否 a) 有 443 个侦听器和 b) 收集 ssl 证书到期、签名算法和通用名称。所有具有 443 侦听器的域都报告了正确的 ssl 证书(与 Chrome 报告的相匹配),但是,有一个域没有正确报告 - myproair.com,它报告了一个证书parkinsonsed.com - 有什么想法吗?
# ssl cert lookup
begin
timeout(1) do
tcp_client = TCPSocket.new("#{instance["domain"]}", 443)
ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client)
ssl_client.connect
cert = OpenSSL::X509::Certificate.new(ssl_client.peer_cert)
ssl_client.sysclose
tcp_client.close
#http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL/X509/Certificate.html
date = Date.parse((cert.not_after).to_s)
row.push("#{date.strftime('%F')} #{cert.signature_algorithm} #{cert.subject.to_a.select{|name, _, _| name == 'CN' }.first[1]}".downcase.ljust(57))
end
rescue SocketError
row.push("down".ljust(57))
rescue Errno::ECONNREFUSED
row.push("connection refused".ljust(57))
rescue Errno::ECONNRESET
row.push("connection reset".ljust(57))
rescue Timeout::Error
row.push("no 443 listener".ljust(57))
rescue Exception => ex
row.push("error: #{ex.class}".ljust(57))
end
更新:以下是我正在使用的版本:
$ ruby --version
ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin14]
$ openssl version
OpenSSL 0.9.8zc 15 Oct 2014
我使用带有 -connect、-tls1 和 -servername 选项的 OpenSSL s_client 验证了 SNI 扩展正在 ClientHello 中发送。
however, there is one domain that does not report correctly - myproair.com, which reports a certificate for parkinsonsed.com - any ideas?
看起来共享主机与 SSL 相结合是罪魁祸首。显然,parkinsonsed.com 是服务器的默认站点。
你应该使用SNI to overcome the limitations. SNI is available in TLS 1.0 and above. Also see
myproair.com,有 SSLv3,没有 SNI:
$ openssl s_client -ssl3 -connect myproair.com:443 | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name:
DNS:parkinsonsed.com, DNS:www.parkinsonsed.com, DNS:test.parkinsonsed.com, DNS:dev.parkinsonsed.com
myproair.com,使用 TLS 1.0 和 SNI:
$ openssl s_client -tls1 -connect myproair.com:443 -servername myproair.com | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name:
DNS:myproair.com, DNS:www.myproair.com, DNS:dev.myproair.com, DNS:test.myproair.com
我正在遍历域列表以查看是否 a) 有 443 个侦听器和 b) 收集 ssl 证书到期、签名算法和通用名称。所有具有 443 侦听器的域都报告了正确的 ssl 证书(与 Chrome 报告的相匹配),但是,有一个域没有正确报告 - myproair.com,它报告了一个证书parkinsonsed.com - 有什么想法吗?
# ssl cert lookup
begin
timeout(1) do
tcp_client = TCPSocket.new("#{instance["domain"]}", 443)
ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client)
ssl_client.connect
cert = OpenSSL::X509::Certificate.new(ssl_client.peer_cert)
ssl_client.sysclose
tcp_client.close
#http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL/X509/Certificate.html
date = Date.parse((cert.not_after).to_s)
row.push("#{date.strftime('%F')} #{cert.signature_algorithm} #{cert.subject.to_a.select{|name, _, _| name == 'CN' }.first[1]}".downcase.ljust(57))
end
rescue SocketError
row.push("down".ljust(57))
rescue Errno::ECONNREFUSED
row.push("connection refused".ljust(57))
rescue Errno::ECONNRESET
row.push("connection reset".ljust(57))
rescue Timeout::Error
row.push("no 443 listener".ljust(57))
rescue Exception => ex
row.push("error: #{ex.class}".ljust(57))
end
更新:以下是我正在使用的版本:
$ ruby --version
ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin14]
$ openssl version
OpenSSL 0.9.8zc 15 Oct 2014
我使用带有 -connect、-tls1 和 -servername 选项的 OpenSSL s_client 验证了 SNI 扩展正在 ClientHello 中发送。
however, there is one domain that does not report correctly - myproair.com, which reports a certificate for parkinsonsed.com - any ideas?
看起来共享主机与 SSL 相结合是罪魁祸首。显然,parkinsonsed.com 是服务器的默认站点。
你应该使用SNI to overcome the limitations. SNI is available in TLS 1.0 and above. Also see
myproair.com,有 SSLv3,没有 SNI:
$ openssl s_client -ssl3 -connect myproair.com:443 | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name:
DNS:parkinsonsed.com, DNS:www.parkinsonsed.com, DNS:test.parkinsonsed.com, DNS:dev.parkinsonsed.com
myproair.com,使用 TLS 1.0 和 SNI:
$ openssl s_client -tls1 -connect myproair.com:443 -servername myproair.com | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name:
DNS:myproair.com, DNS:www.myproair.com, DNS:dev.myproair.com, DNS:test.myproair.com