Pourquoi n'y a-t-il pas d'erreur de certificat lors de la visite de google.net alors qu'il présente un certificat délivré à google.com?
La sortie suivante montre que google.net présente un certificat qui a été délivré à www.google.com.
$ openssl s_client -connect google.net:443 < /dev/null > out.txt 2>&1; cat out.txt
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3296 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 74F80EC832F6806A3E10956F29A90BF423010BFBD8727BC171F9BFE39D3F89E9
Session-ID-ctx:
Master-Key: 01F60D0A6DC7FF255D1C468EF06E5B7875A99E95C7FA8551F664A514B2EC5535EBB6E76E204743BF7D46F683B36E0988
Key-Arg : None
Start Time: 1499657382
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
J'ai copié-collé le certificat dans un fichier séparé pour l'analyser.
$ cat cert.txt
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----
Ensuite, je visualise le certificat avec OpenSSL CLI.
$ openssl x509 -in cert.txt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:18:f0:44:a8:f3:18:92
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Validity
Not Before: Jun 28 10:07:46 2017 GMT
Not After : Sep 20 09:27:00 2017 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:91:df:f8:10:02:c2:99:53:36:dc:ca:38:bd:fd:
90:10:a7:ff:b4:83:92:40:e2:3a:37:95:42:ab:be:
9c:99:e3:ea:ae:e0:cd:45:56:fe:21:dd:3b:75:44:
f2:05:bb:59:f0:52:8b:b3:5f:11:45:7d:34:67:ae:
62:0d:c6:14:ae:25:8f:a9:99:00:c7:c8:ac:43:96:
c4:2d:87:54:6b:de:20:74:04:d5:f9:7e:95:ee:f0:
56:d6:a2:06:15:38:5b:6d:4a:24:3e:11:2b:a3:56:
34:5a:f7:d5:35:f9:49:47:40:4a:d9:39:7d:c8:7c:
dc:bd:1d:0a:7c:3a:cc:e3:10:25:bd:3d:c8:81:bc:
82:b6:0d:cd:c4:05:33:4b:04:c9:a0:4c:b6:a5:37:
f8:1f:51:17:5c:50:40:c6:f2:af:f2:6a:dc:62:42:
78:3f:cb:a8:c9:9a:c8:ff:64:e6:e0:f3:3f:eb:f9:
f3:b9:2b:c9:f3:dd:f7:60:16:65:28:1a:0e:7e:b3:
61:f9:00:a0:6f:4e:68:00:0e:3d:f4:a6:0d:cf:91:
77:14:7d:30:64:a3:93:44:6a:0c:0b:4c:c1:17:36:
69:fb:9e:7b:3b:6b:a1:e8:00:e9:04:ae:5b:51:35:
93:7b:7d:4d:0e:5e:c8:20:7d:16:27:f3:06:14:31:
8b:d5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:www.google.com
Authority Information Access:
CA Issuers - URI:http://pki.google.com/GIAG2.crt
OCSP - URI:http://clients1.google.com/ocsp
X509v3 Subject Key Identifier:
88:FF:28:68:F3:5D:98:C9:73:75:B7:82:8D:64:C8:ED:D3:0E:7B:2A
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.1
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
URI:http://pki.google.com/GIAG2.crl
Signature Algorithm: sha256WithRSAEncryption
34:40:58:25:d5:4c:19:d6:f2:46:78:23:a1:9a:ff:53:eb:69:
b7:b9:b8:3a:e6:ec:b9:d6:21:88:3a:37:1b:e0:e0:e9:18:e8:
1e:c8:58:5e:b8:01:65:2a:f3:42:3b:fd:c8:6f:2a:74:b6:49:
d1:75:a8:ee:6f:98:9d:cb:6c:bd:e5:d2:84:5b:72:0d:95:ba:
f7:6b:52:a1:6f:38:1b:c2:a4:d0:4d:d1:57:8a:d9:27:62:3c:
11:2e:10:6a:fa:34:a2:4e:80:72:20:5a:c0:25:87:ff:c2:74:
38:f6:54:94:25:f4:9e:4c:b7:e6:96:89:7c:69:e4:03:b7:cf:
ba:7d:59:ea:92:bd:8d:4f:6a:ed:5f:e2:59:31:8f:c5:f2:ee:
37:e8:6c:ff:35:66:fa:13:da:eb:14:c1:c7:0a:e2:11:51:de:
ed:a6:3f:90:75:1c:45:3a:62:cb:f3:ae:b8:d0:75:93:d1:ef:
ca:98:26:2a:88:82:7d:d0:88:50:b7:13:0b:1f:80:2f:83:21:
c1:fe:b7:15:59:aa:34:d9:77:30:22:1a:24:c7:8b:62:4d:35:
d1:86:b1:dc:22:72:1e:34:6e:dc:ac:5b:ae:f3:c4:30:f6:a2:
f1:60:ee:54:83:8f:bd:93:80:57:46:ed:38:c3:39:36:9a:96:
f8:48:25:20
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----
Il n'est pas fait mention de google.net n'importe où dans le certificat.
Cependant, lorsque je visite https://google.net/ , il redirige de manière transparente le client vers https://www.google.com/ .
$ curl -I https://google.net/
HTTP/1.1 302 Found
Location: https://www.google.com/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Mon, 10 Jul 2017 03:34:48 GMT
Server: gws
Content-Length: 220
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=107=c9VFilfj0RLlIxvNfoJm1nETnE1IiUlg5TNL3GEs8oS_KWVWGEEcLIvQTSvtHjbwLSeqRVDpIYrqox24sE2ju7HbrSOqdu-3fNF7xzqHxV4I4YYeNiXjytTkYeKQ9inI; expires=Tue, 09-Jan-2018 03:34:48 GMT; path=/; domain=.google.net; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,36,35"
Je vois également le même comportement avec le navigateur.
Je m'attendais à ce que curl renvoie cette erreur.
curl: (60) SSL certificate problem: Invalid certificate chain
Je m'attendais à ce que Firefox renvoie cette erreur.
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Je m'attendais à Chrome pour renvoyer cette erreur.
NET::ERR_CERT_COMMON_NAME_INVALID
Cependant, les trois clients se connectent à https://google.net/ et sont redirigés vers https://www.google.com/ . Pourquoi n'y a-t-il pas d'erreur même si le nom commun dans le champ Objet du certificat est google.com mais que le domaine auquel je me connecte est google.net?
Trou SNI
Vous êtes tombé dans un "trou SNI" . Google présentera un certificat différent s'il n'y a pas "Server Name Indication" donné dans la partie de prise de contact TLS du client. OpenSSL ne définira pas cela automatiquement. Tu dois le faire manuellement. Mais tous les clients Web modernes, y compris CURL , devraient le faire automatiquement. D'où la différence.
Utilisation de SNI avec OpenSSL
Par défaut: sans SNI:
$ echo '' | openssl s_client -connect google.net:443 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
DNS:www.google.com
Ajout manuel de SNI via le -servername paramètre:
$ echo '' | openssl s_client -connect google.net:443 -servername google.net 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.net
DNS:*.google.net, DNS:google.net
Différents certificats sont retournés.