
Why is there no certificate error when visiting google.net even though it presents a certificate issued to google.com?

The following output shows that google.net presents a certificate that was issued to www.google.com.

$ openssl s_client -connect google.net:443 < /dev/null > out.txt 2>&1; cat out.txt
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3296 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 74F80EC832F6806A3E10956F29A90BF423010BFBD8727BC171F9BFE39D3F89E9
    Session-ID-ctx: 
    Master-Key: 01F60D0A6DC7FF255D1C468EF06E5B7875A99E95C7FA8551F664A514B2EC5535EBB6E76E204743BF7D46F683B36E0988
    Key-Arg   : None
    Start Time: 1499657382
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

I copied and pasted the certificate into a separate file to analyze it.

$ cat cert.txt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Then I view the certificate with the OpenSSL CLI.

$ openssl x509 -in cert.txt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:18:f0:44:a8:f3:18:92
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Jun 28 10:07:46 2017 GMT
            Not After : Sep 20 09:27:00 2017 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:91:df:f8:10:02:c2:99:53:36:dc:ca:38:bd:fd:
                    90:10:a7:ff:b4:83:92:40:e2:3a:37:95:42:ab:be:
                    9c:99:e3:ea:ae:e0:cd:45:56:fe:21:dd:3b:75:44:
                    f2:05:bb:59:f0:52:8b:b3:5f:11:45:7d:34:67:ae:
                    62:0d:c6:14:ae:25:8f:a9:99:00:c7:c8:ac:43:96:
                    c4:2d:87:54:6b:de:20:74:04:d5:f9:7e:95:ee:f0:
                    56:d6:a2:06:15:38:5b:6d:4a:24:3e:11:2b:a3:56:
                    34:5a:f7:d5:35:f9:49:47:40:4a:d9:39:7d:c8:7c:
                    dc:bd:1d:0a:7c:3a:cc:e3:10:25:bd:3d:c8:81:bc:
                    82:b6:0d:cd:c4:05:33:4b:04:c9:a0:4c:b6:a5:37:
                    f8:1f:51:17:5c:50:40:c6:f2:af:f2:6a:dc:62:42:
                    78:3f:cb:a8:c9:9a:c8:ff:64:e6:e0:f3:3f:eb:f9:
                    f3:b9:2b:c9:f3:dd:f7:60:16:65:28:1a:0e:7e:b3:
                    61:f9:00:a0:6f:4e:68:00:0e:3d:f4:a6:0d:cf:91:
                    77:14:7d:30:64:a3:93:44:6a:0c:0b:4c:c1:17:36:
                    69:fb:9e:7b:3b:6b:a1:e8:00:e9:04:ae:5b:51:35:
                    93:7b:7d:4d:0e:5e:c8:20:7d:16:27:f3:06:14:31:
                    8b:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:www.google.com
            Authority Information Access: 
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier: 
                88:FF:28:68:F3:5D:98:C9:73:75:B7:82:8D:64:C8:ED:D3:0E:7B:2A
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1
                Policy: 2.23.140.1.2.2

            X509v3 CRL Distribution Points: 
                URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha256WithRSAEncryption
        34:40:58:25:d5:4c:19:d6:f2:46:78:23:a1:9a:ff:53:eb:69:
        b7:b9:b8:3a:e6:ec:b9:d6:21:88:3a:37:1b:e0:e0:e9:18:e8:
        1e:c8:58:5e:b8:01:65:2a:f3:42:3b:fd:c8:6f:2a:74:b6:49:
        d1:75:a8:ee:6f:98:9d:cb:6c:bd:e5:d2:84:5b:72:0d:95:ba:
        f7:6b:52:a1:6f:38:1b:c2:a4:d0:4d:d1:57:8a:d9:27:62:3c:
        11:2e:10:6a:fa:34:a2:4e:80:72:20:5a:c0:25:87:ff:c2:74:
        38:f6:54:94:25:f4:9e:4c:b7:e6:96:89:7c:69:e4:03:b7:cf:
        ba:7d:59:ea:92:bd:8d:4f:6a:ed:5f:e2:59:31:8f:c5:f2:ee:
        37:e8:6c:ff:35:66:fa:13:da:eb:14:c1:c7:0a:e2:11:51:de:
        ed:a6:3f:90:75:1c:45:3a:62:cb:f3:ae:b8:d0:75:93:d1:ef:
        ca:98:26:2a:88:82:7d:d0:88:50:b7:13:0b:1f:80:2f:83:21:
        c1:fe:b7:15:59:aa:34:d9:77:30:22:1a:24:c7:8b:62:4d:35:
        d1:86:b1:dc:22:72:1e:34:6e:dc:ac:5b:ae:f3:c4:30:f6:a2:
        f1:60:ee:54:83:8f:bd:93:80:57:46:ed:38:c3:39:36:9a:96:
        f8:48:25:20
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

There is no mention of google.net anywhere in the certificate.

However, when I visit https://google.net/, it transparently redirects the client to https://www.google.com/.

$ curl -I https://google.net/
HTTP/1.1 302 Found
Location: https://www.google.com/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Mon, 10 Jul 2017 03:34:48 GMT
Server: gws
Content-Length: 220
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=107=c9VFilfj0RLlIxvNfoJm1nETnE1IiUlg5TNL3GEs8oS_KWVWGEEcLIvQTSvtHjbwLSeqRVDpIYrqox24sE2ju7HbrSOqdu-3fNF7xzqHxV4I4YYeNiXjytTkYeKQ9inI; expires=Tue, 09-Jan-2018 03:34:48 GMT; path=/; domain=.google.net; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,36,35"

I also see the same behaviour with the browser.

I expected curl to return this error.

curl: (60) SSL certificate problem: Invalid certificate chain

I expected Firefox to return this error.

Error code: SSL_ERROR_BAD_CERT_DOMAIN

I expected Chrome to return this error.

NET::ERR_CERT_COMMON_NAME_INVALID

However, all three clients connect to https://google.net/ and are redirected to https://www.google.com/. Why is there no error even though the Common Name in the certificate's Subject field is google.com, but the domain I am connecting to is google.net?

69
Lone Learner

SNI hole

You have fallen into an "SNI hole". Google will present a different certificate if no "Server Name Indication" is given in the client's part of the TLS handshake. OpenSSL will not set this automatically. You have to do it manually. But all modern web clients, including curl, should do it automatically. Hence the difference.

Using SNI with OpenSSL

Default: without SNI:

$ echo '' | openssl s_client -connect google.net:443 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
                DNS:www.google.com

Adding SNI manually via the -servername parameter:

$ echo '' | openssl s_client -connect google.net:443 -servername google.net 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.net
                DNS:*.google.net, DNS:google.net

Different certificates are returned.

97
StackzOfZtuff
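To make the answer's point concrete, here is an added example (not from the original post or from OpenSSL) that applies browser-style hostname validation to the two certificates above: the one served without SNI and the one served with -servername google.net. The inputs are the grep'd openssl output copied from the answer; the function names parse_names, name_matches and hostname_valid are this example's own, and the wildcard rule it implements goes slightly beyond the page (a leading "*" covers exactly one DNS label, as RFC 6125 and the browsers require).

```python
import re

# Constructed from the two `openssl x509 -noout -text | grep -Ei 'DNS:|CN='`
# outputs in the answer: certificate served without SNI, and with SNI.
WITHOUT_SNI = """\
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
                DNS:www.google.com
"""
WITH_SNI = """\
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.net
                DNS:*.google.net, DNS:google.net
"""


def parse_names(text):
    """Return (subject CN, [SAN dNSName entries]) from the grep'd output.

    The Issuer line is deliberately skipped: its CN says who signed the
    certificate and must never be used for hostname matching."""
    cn, sans = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Subject:"):
            m = re.search(r"CN=([^,]+)", line)
            cn = m.group(1).strip() if m else None
        elif line.startswith("DNS:"):
            sans += [n.split(":", 1)[1].strip() for n in line.split(",")]
    return cn, sans


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: '*.google.net' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                    # ".google.net"
    if not hostname.endswith(suffix):
        return False
    label = hostname[:-len(suffix)]
    return bool(label) and "." not in label  # 'www' ok, 'a.b' not


def hostname_valid(text, hostname):
    """What a browser decides: SAN governs when present, CN is only a fallback."""
    cn, sans = parse_names(text)
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(p, hostname) for p in candidates)
```

Run against the no-SNI certificate, google.net fails (only www.google.com is listed), which is the NET::ERR_CERT_COMMON_NAME_INVALID outcome the question expected; against the SNI certificate it passes because google.net is an explicit SAN entry, and the wildcard entry alone would not have covered the bare domain.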