Fraudulent certificates in the wild — again
Posted Jan 3, 2013 21:10 UTC (Thu) by cesarb (subscriber, #6266)
$ host blog.mozilla.com
blog.mozilla.com is an alias for blog.mozilla.org.
blog.mozilla.org has address 184.108.40.206
blog.mozilla.org has IPv6 address 2620:101:8008:5::2:5
$ openssl s_client -showcerts -connect 220.127.116.11:443
subject=/serialNumber=PJYd6s/lzd2zfglc6EAG5C/hVZfSySVY/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=IT/CN=blog.mozilla.com
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
With the latest Firefox, I get the certificate for CN=blog.mozilla.org, instead of the one for CN=blog.mozilla.com. This probably means the server is using SNI to select the correct certificate, and since his older browser did not support it, the server did not know which certificate to use and sent the wrong one.
Posted Jan 3, 2013 21:14 UTC (Thu) by cjr (subscriber, #88606)
Posted Jan 4, 2013 13:53 UTC (Fri) by bbaetz (subscriber, #42501)
Posted Jan 5, 2013 0:37 UTC (Sat) by Lennie (subscriber, #49641)
All versions of IE and Safari on XP or 2000 do not support SNI.
But also almost 50% of all Android phones do not support SNI, because Android 2.x does not support SNI.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.