OpenSSL::X509::Certificate validating invalid domain
I am looping through a list of domains to a) see whether there is a 443 listener and b) collect the SSL cert expiration, signature algorithm and common name. All domains that have a 443 listener report the correct SSL certificate (matching what Chrome reports); however, there is one domain that doesn't report correctly: myproair.com, which reports the certificate for parkinsonsed.com. Any ideas?
require "socket"
require "openssl"
require "timeout"

# ssl cert lookup
begin
  Timeout.timeout(1) do
    tcp_client = TCPSocket.new(instance["domain"], 443)
    # No hostname is set on the socket, so the ClientHello carries no SNI
    # extension and the server answers with its default certificate.
    ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client)
    ssl_client.connect
    cert = ssl_client.peer_cert   # already an OpenSSL::X509::Certificate
    ssl_client.sysclose
    tcp_client.close
    # http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL/X509/Certificate.html
    expires     = cert.not_after.strftime('%F')   # not_after is a Time
    common_name = cert.subject.to_a.find { |name, _, _| name == 'CN' }[1]
    row.push("#{expires} #{cert.signature_algorithm} #{common_name}".downcase.ljust(57))
  end
rescue SocketError
  row.push("down".ljust(57))
rescue Errno::ECONNREFUSED
  row.push("connection refused".ljust(57))
rescue Errno::ECONNRESET
  row.push("connection reset".ljust(57))
rescue Timeout::Error
  row.push("no 443 listener".ljust(57))
rescue Exception => ex
  row.push("error: #{ex.class}".ljust(57))
end
Update: here are the versions I'm working with:
$ ruby --version
ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin14]
$ openssl version
OpenSSL 0.9.8zc 15 Oct 2014
I have verified that the SNI extension is sent in the ClientHello using OpenSSL s_client with the parameters -connect, -tls1 and -servername.
however there is one domain that is not reporting correctly - myproair.com, which reports the certificate for parkinsonsed.com - any ideas?
It looks like shared hosting combined with SSL is the culprit. Apparently parkinsonsed.com is the server's default site.
To overcome the limitation, you must use SNI. SNI is available in TLS 1.0 and higher. Also see Server Name Indication support in Net::HTTP?
myproair.com, with SSLv3 and no SNI:
$ openssl s_client -ssl3 -connect myproair.com:443 | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name:
DNS:parkinsonsed.com, DNS:www.parkinsonsed.com, DNS:test.parkinsonsed.com, DNS:dev.parkinsonsed.com
myproair.com, with TLS 1.0 and SNI:
$ openssl s_client -tls1 -connect myproair.com:443 -servername myproair.com | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name:
DNS:myproair.com, DNS:www.myproair.com, DNS:dev.myproair.com, DNS:test.myproair.com