Bertalan Zoltán Péter writes:
> Mainly, my problem is that I am unsure in general about this setup (the
> manual doesn't have an example for this and I struggle to find any guide
> online) and that I can see relayd not using the correct keypairs:
>
> ---8<---
> $ openssl s_client -connect example.com:443 | grep CN
> [...]
> depth=0 CN = example.com
> [...]
> subject=/CN=example.com
> [...]
>
> $ openssl s_client -connect matrix.example.com:443 | grep CN
> [...]
> depth=0 CN = example.com
> [...]
> subject=/CN=example.com
> [...]
> ---8<---
>
> If I am not mistaken, the CN for the second request should be
> 'matrix.example.com' if it were to work as I would like.

I don't claim to understand all of openssl's output, but when I try
it on my certs I get various CNs that I don't expect either, even
though I'm quite confident the certificate has a valid hostname.

For a simpler test, try ftp(1), which will fail if the certificate
hostname doesn't match the domain visited:

$ ftp -o - https://wrong.host.badssl.com/
Trying 104.154.89.105...
Requesting https://wrong.host.badssl.com/
ftp: SSL write error: name `wrong.host.badssl.com' not present in server certificate

--
Anthony J. Bentley