Re: https://wiki.freebsd.org/ certificate error
On 2 March 2013 07:48, Jeremy Chadwick <j...@koitsu.org> wrote:
> (Please keep me CC'd as I'm not subscribed to -questions)
>
> (I'm CC'ing Simon Nielsen who maintains the FreeBSD webserver cluster, as this obviously needs to be looked at.)
>
> [...]
>
> NOW BACK TO THE ACTUAL PROBLEM REPORTED --
>
> It appears that whoever maintains the FreeBSD webservers in the cluster **assumes** that the connecting client supports SNI. That assumption, as someone who ran a hosting organisation since 1993, is rude (some might say bad, but I would say rude). Web browsers/clients that don't support SNI are screwed -- they'll receive a certificate validation failure error.
>
> Internet Explorer 6.x through 8.x -- newer is not available on Windows XP -- do not support SNI (this is even mentioned in the above Wikipedia page). They return the error "There is a problem with this website's security certificate" due to lack of SNI support.
>
> Let me be clear: THIS IS NOT THE FAULT (OR AGE) OF THE OS. THIS HAS TO DO WITH THE WEB BROWSER. Why? Because Firefox 19.0 on Windows XP works just fine, as it supports SNI.

AFAIR the problem is that some crypto library on Windows XP does not support SNI. IE uses it, Firefox and others probably don't.

> So how do you solve this problem for legacy clients? Simple: By dedicating an IP address to the SSL-based virtualhost/webserver (i.e. one IP address per SSL-based virtual host), and do away with name-based vhosting for SSL. That's the only way.

I agree that SNI is suboptimal, unfortunately it was the best of bad solutions:

- We just don't have enough IPv4 addresses to dedicate one per virtual hostname.
- We could use IPv6 only which means excluding even more legacy clients.
- Bundling all sites under www.freebsd.org creates problems with cookies, more pain in configuration, and less flexibility in moving things around.
- Using SubjectAlternativeName (SAN) certificates was strongly considered, but fewer CAs support them (most have no clue) and it becomes a lot more painful to add new hosts. Those are also not fully supported by all older OSes still in use.

-- 
Simon L. B. Nielsen
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: https://wiki.freebsd.org/ certificate error
On Sat, 2 Mar 2013 06:12:22 +0100
Polytropon articulated:

> On Fri, 01 Mar 2013 10:42:58 -0500, Fbsd8 wrote:
> > Javad Kouhi wrote:
> > > Also no problem with FreeBSD 9.1 and chromium. But some time ago I had this problem with all https sites, because the government forged the wrong SSL certificate and my browser warned me about it. Do you have this problem with other websites?
> > >
> > > On Fri, Mar 1, 2013 at 6:02 PM, Zyumbilev, Peter <pe...@aboutsupport.com> wrote:
> > > > On 01/03/2013 16:14, Ralf Mardorf wrote:
> > > > > [1]
> > > > > $ firefox -version
> > > > > Mozilla Firefox 19.0
> > > >
> > > > No problem with SeaMonkey 2.16.
> >
> > I use xp browser and its certificate checking is enabled.
>
> You are sure using a more than 10 year old system should be considered safe enough to provide a reference?
>
> > Maybe the browsers running from xorg desktops are NOT certificate aware so them not getting the error warning would be expected.
>
> They are. Or to be correct: The most prominent ones are, like Firefox, Chrome, and Opera. More lightweight browsers like dillo actually might not have this functionality.
>
> > The fact remains, the ms/browsers do find the wiki.freebsd.org website's certificate invalid because the certificate ip address does not match the ip address the public dns points to.
>
> As it has been mentioned, one certificate can be used for several IP addresses. Both www and wiki are located at 8.8.178.110 (returned by "host" command), so there might be a DNS issue or something comparable strange...
>
> I've checked with Opera 11.50 here, no problems.

I think Brad Mettee nailed it with his response.

<quote>
And in this particular case, the certificate is for www.freebsd.org and freebsd.org, and the browser is complaining because it's being used on wiki.freebsd.org. Their certificate should have been issued for *.freebsd.org instead of just the main site name. Unfortunately I think all of the certificate issuers charge big $$$ for that type of cert..
</quote>

I have seen this sort of thing several times before with different sites. The older versions of Firefox never picked up on it as often as IE would. I just tried this site using IE and immediately received the error message. The message stating:

"The security certificate presented by this website was issued for a different website's address. Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server."

It then went on to give me the normal options of leaving the site or ignoring the error. Interestingly enough, Firefox, on the same machine, does not provide any indication that the certificate is questionable. Given the choice of being warned about a questionable certificate or having the browser silently ignore it, I would choose to be warned about it.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
https://wiki.freebsd.org/ certificate error
When my browser accesses wiki.freebsd.org I get a certificate error message. Who should I notify about this problem?
Re: https://wiki.freebsd.org/ certificate error
On Fri, 2013-03-01 at 09:08 -0500, Fbsd8 wrote:
> When my browser accesses wiki.freebsd.org I get a certificate error message.
> Who should I notify about this problem?

No error here, with Firefox [1] Arch Linux.

Regards,
Ralf

[1]
$ firefox -version
Mozilla Firefox 19.0
Re: https://wiki.freebsd.org/ certificate error
On 01/03/2013 16:14, Ralf Mardorf wrote:
> [1]
> $ firefox -version
> Mozilla Firefox 19.0

No problem with SeaMonkey 2.16.

Peter
Re: https://wiki.freebsd.org/ certificate error
On Fri, 01 Mar 2013 08:08:17 -0600, fb...@a1poweruser.com wrote:
> When my browser accesses wiki.freebsd.org I get a certificate error message.
> Who should I notify about this problem?

What do you get for results when you run

# openssl s_client -showcerts -connect wiki.freebsd.org:443
Re: https://wiki.freebsd.org/ certificate error
Also no problem with FreeBSD 9.1 and chromium. But some time ago I had this problem with all https sites, because the government forged the wrong SSL certificate and my browser warned me about it. Do you have this problem with other websites?

On Fri, Mar 1, 2013 at 6:02 PM, Zyumbilev, Peter <pe...@aboutsupport.com> wrote:
> On 01/03/2013 16:14, Ralf Mardorf wrote:
> > [1]
> > $ firefox -version
> > Mozilla Firefox 19.0
>
> No problem with SeaMonkey 2.16.
>
> Peter
Re: https://wiki.freebsd.org/ certificate error
On Fri, 1 Mar 2013 08:37:40 -0600
Mark Felder articulated:

> On Fri, 01 Mar 2013 08:08:17 -0600, fb...@a1poweruser.com wrote:
> > When my browser accesses wiki.freebsd.org I get a certificate error message.
> > Who should I notify about this problem?
>
> What do you get for results when you run
>
> # openssl s_client -showcerts -connect wiki.freebsd.org:443

I am not sure what he gets, but I receive this:

openssl s_client -showcerts -connect wiki.freebsd.org:443
CONNECTED(0003)
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.freebsd.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
-----BEGIN CERTIFICATE-----
MIIE3TCCA8WgAwIBAgIQStABQicagmyUdAdcZdHhbzANBgkqhkiG9w0BAQUFADBB
MQswCQYDVQQGEwJGUjESMBAGA1UEChMJR0FOREkgU0FTMR4wHAYDVQQDExVHYW5k
aSBTdGFuZGFyZCBTU0wgQ0EwHhcNMTMwMTA5MDAwMDAwWhcNMTQwMTA5MjM1OTU5
WjBaMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0ZWQxGzAZBgNVBAsT
EkdhbmRpIFN0YW5kYXJkIFNTTDEYMBYGA1UEAxMPd3d3LmZyZWVic2Qub3JnMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAte4et1M/Tzm1DnYdOkcg/TGP
mspy7s6Rl1+G8ttVpMNYCYU4DZl4xMKsG6h0lc3n9eb86utvK5RWzpnb7+x+Pgtc
yrJAgZAcI4qHmVZHllb+H4iUjNezhw4u4wxyJVx31UO0Z300R8VRBHbEhoyAKOMW
qeqjE/H0rPrFzuxjf0yYHkAvb9AyrZ1D+TNSd5T+k9CEFFYiRE8Xe8t+i5agf2Mc
CPcwp3RsHDnQ3JbvBF6HuuALFHt1wKSXFUs9nFKrqzG9LMqGqxAf/olbZ1gNnSyl
rtRhCe9pLAk61VqKM8sf1B7b9cWvwRk32VEpmt5xXmT1ns198HMd1YXHuTLM/wID
AQABo4IBtjCCAbIwHwYDVR0jBBgwFoAUtqj/oqgv0KbNS7Fo8+dQEDGneSEwHQYD
VR0OBBYEFCdXnnMlBPMrCVsPEMbqP43RhF7oMA4GA1UdDwEB/wQEAwIFoDAMBgNV
HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBgBgNVHSAE
WTBXMEsGCysGAQQBsjEBAgIaMDwwOgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cuZ2Fu
ZGkubmV0L2NvbnRyYWN0cy9mci9zc2wvY3BzL3BkZi8wCAYGZ4EMAQIBMDwGA1Ud
HwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuZ2FuZGkubmV0L0dhbmRpU3RhbmRhcmRT
U0xDQS5jcmwwagYIKwYBBQUHAQEEXjBcMDcGCCsGAQUFBzAChitodHRwOi8vY3J0
LmdhbmRpLm5ldC9HYW5kaVN0YW5kYXJkU1NMQ0EuY3J0MCEGCCsGAQUFBzABhhVo
dHRwOi8vb2NzcC5nYW5kaS5uZXQwJwYDVR0RBCAwHoIPd3d3LmZyZWVic2Qub3Jn
ggtmcmVlYnNkLm9yZzANBgkqhkiG9w0BAQUFAAOCAQEAnTfCort6uF+Zqif1ZjWd
OBxZdJCc6JX531Z7nMBQSdNnYmjmU5lGFV+3hA3lHfQ/wmwEKJa40UbSDyzfEXNB
+AxCrCFSNA1IdrVTFgPfxA1kAPeji+ufR5Btgi4KV3+Nfi7wE8pjcExAuRRVdw6G
3ziscirNeywmQxiTN/eybmvCrCjtck5aBQpPS7lunYtVjaqAyI6blJpWt8zoBggh
8B6jweGtxq/YaFq4iwiUwIbR2DF0oDeJy0/JqyS5EZE2cjB4b4adBigKjK21FFJO
YzcKX/xBrL+LB6WSUbl3xVywtdtBVexJlJquIjYwv+fvuuMsxTKiYuVJillqIRaN
uQ==
-----END CERTIFICATE-----
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
-----BEGIN CERTIFICATE-----
MIIEozCCA4ugAwIBAgIQWrYdrB5NogYUx1U9Pamy3DANBgkqhkiG9w0BAQUFADCB
lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
SGFyZHdhcmUwHhcNMDgxMDIzMDAwMDAwWhcNMjAwNTMwMTA0ODM4WjBBMQswCQYD
VQQGEwJGUjESMBAGA1UEChMJR0FOREkgU0FTMR4wHAYDVQQDExVHYW5kaSBTdGFu
ZGFyZCBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2VD2l
2w0ieFBqWiOJP5eh1AcaqVgIm6AVwzK2t/HouaVvrTf2bnEbtHUtSF6fxhWqge/l
xIiVijpsd8y1zWXkZ+VzyVBSlMEnST6ga0EWQbaUmUGuPsviBkYJ6U2+yUxVqRh+
pt9u/UqyzGxO2chQFZOz8unjwmqtOtX7w3lQnyV5KbJHZHwgPuIITZMpFLY0bs9x
Rn52EPT9bKoB0sIG3pKDzFiQLpLeHmW3Yy89sutwjEzgvhWd3sFNVvgLxo4HuV3f
lfB7QB8aLNecK0t29Fn1Q8EsZhCenmaWYJ0cdBtOGFwIsG5symkaAum7ynjvZi7j
Mv1BXJV0gU302v5LAgMBAAGjggE+MIIBOjAfBgNVHSMEGDAWgBShcl8mGyiYQ5Vd
BzfVhZadS9LDRTAdBgNVHQ4EFgQUtqj/oqgv0KbNS7Fo8+dQEDGneSEwDgYDVR0P
AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwGAYDVR0gBBEwDzANBgsrBgEE
AbIxAQICGjBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8vY3JsLnVzZXJ0cnVzdC5j
b20vVVROLVVTRVJGaXJzdC1IYXJkd2FyZS5jcmwwdAYIKwYBBQUHAQEEaDBmMD0G
CCsGAQUFBzAChjFodHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVROQWRkVHJ1c3RT
ZXJ2ZXJfQ0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3Qu
Y29tMA0GCSqGSIb3DQEBBQUAA4IBAQAZU78DPZvia1r9ukkfT+zhxoI5PNIDBA+r
ez6CqYUQH/TeMq9YP/9w8zAdly1MmuLsDD4ULS+YSJ2uFmqsLUKqtWSkcLvrc5R7
Re: https://wiki.freebsd.org/ certificate error
On Fri, 01 Mar 2013 09:23:25 -0600, je...@seibercom.net wrote:
> I am not sure what he gets, but I receive this:

That Gandi certificate is correct. I wonder if he's got some strange MITM going on.
Re: https://wiki.freebsd.org/ certificate error
Javad Kouhi wrote:
> Also no problem with FreeBSD 9.1 and chromium. But some time ago I had this problem with all https sites, because the government forged the wrong SSL certificate and my browser warned me about it. Do you have this problem with other websites?
>
> On Fri, Mar 1, 2013 at 6:02 PM, Zyumbilev, Peter <pe...@aboutsupport.com> wrote:
> > On 01/03/2013 16:14, Ralf Mardorf wrote:
> > > [1]
> > > $ firefox -version
> > > Mozilla Firefox 19.0
> >
> > No problem with SeaMonkey 2.16.
> >
> > Peter

I use xp browser and its certificate checking is enabled.
Maybe the browsers running from xorg desktops are NOT certificate aware so them not getting the error warning would be expected.

The fact remains, the ms/browsers do find the wiki.freebsd.org website's certificate invalid because the certificate ip address does not match the ip address the public dns points to.
Re: https://wiki.freebsd.org/ certificate error
On Fri, 01 Mar 2013 09:42:58 -0600, fb...@a1poweruser.com wrote:
> The fact remains, the ms/browsers do find the wiki.freebsd.org website's certificate invalid because the certificate ip address does not match the ip address the public dns points to.

You can put a certificate on any IP address you want. It's not embedded into the certificate. For the most part it only matters that the CommonName on the certificate matches the hostname of the website and the certificate chain is valid.
Re: https://wiki.freebsd.org/ certificate error
On 3/1/2013 11:11 AM, Mark Felder wrote:
> On Fri, 01 Mar 2013 09:42:58 -0600, fb...@a1poweruser.com wrote:
> > The fact remains, the ms/browsers do find the wiki.freebsd.org website's certificate invalid because the certificate ip address does not match the ip address the public dns points to.
>
> You can put a certificate on any IP address you want. It's not embedded into the certificate. For the most part it only matters that the CommonName on the certificate matches the hostname of the website and the certificate chain is valid.

And in this particular case, the certificate is for www.freebsd.org and freebsd.org, and the browser is complaining because it's being used on wiki.freebsd.org. Their certificate should have been issued for *.freebsd.org instead of just the main site name. Unfortunately I think all of the certificate issuers charge big $$$ for that type of cert..

-- 
Brad Mettee
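The check Mark and Brad are describing, that a certificate is accepted for a hostname only when one of its names matches, and that a *.freebsd.org wildcard would have covered wiki.freebsd.org, written out as an added Python example that is not part of this thread. The names used for the www certificate are the ones visible in the chain Jerry posted (CN=www.freebsd.org, SANs www.freebsd.org and freebsd.org); the matching rules are the RFC 6125 / RFC 2818 ones browsers apply, and the function and constant names are my own. The wildcard certificate is hypothetical.

```python
"""Added example: hostname-to-certificate name matching as browsers do it.

Rules implemented (RFC 6125 section 6.4, RFC 2818 section 3.1):
  * if the certificate carries dNSName SANs, only those are consulted;
    the CommonName is a fallback for SAN-less certificates only;
  * comparison is case-insensitive and a trailing dot is ignored;
  * a wildcard is accepted only as the entire leftmost label, must be
    followed by at least two more labels, and matches exactly one label,
    so *.freebsd.org covers wiki.freebsd.org but neither freebsd.org
    nor a.wiki.freebsd.org.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Only the identity-bearing fields of a certificate."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _normalize(name: str) -> str:
    return name.lower().rstrip(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier (a CN or a dNSName) against a hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The only accepted wildcard form is "*.<label>.<label>[...]": no
    # partial-label wildcards ("w*.example"), nothing as broad as "*.org".
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # "*" stands for exactly one label: never zero, never several.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_valid_for(cert: CertNames, hostname: str) -> bool:
    """Decide whether `cert` identifies `hostname`."""
    if cert.san_dns_names:
        return any(name_matches(n, hostname) for n in cert.san_dns_names)
    return cert.common_name is not None and name_matches(cert.common_name, hostname)


# Names as shown in the certificate chain posted earlier in the thread.
FREEBSD_WWW_CERT = CertNames(
    common_name="www.freebsd.org",
    san_dns_names=["www.freebsd.org", "freebsd.org"],
)
# Hypothetical wildcard certificate of the kind Brad suggests (constructed).
FREEBSD_WILDCARD_CERT = CertNames(
    common_name="*.freebsd.org",
    san_dns_names=["*.freebsd.org", "freebsd.org"],
)


def explain(cert: CertNames, hostname: str) -> str:
    """One line per check, in the spirit of a browser's certificate dialog."""
    verdict = "OK" if cert_valid_for(cert, hostname) else "NAME MISMATCH"
    return f"{hostname:<20} vs CN={cert.common_name}, SAN={cert.san_dns_names}: {verdict}"


if __name__ == "__main__":
    for host in ("www.freebsd.org", "freebsd.org", "wiki.freebsd.org", "a.wiki.freebsd.org"):
        print(explain(FREEBSD_WWW_CERT, host))
        print(explain(FREEBSD_WILDCARD_CERT, host))
```

Running it shows wiki.freebsd.org rejected against the www certificate (the warning Jerry quotes from IE) and accepted against the wildcard one, while a.wiki.freebsd.org is rejected by both because a wildcard never spans two labels. Nothing here looks at the IP address the name resolves to: as Mark says, the address is not part of the certificate, so the DNS-versus-certificate mismatch theory cannot explain the warning.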
Re: https://wiki.freebsd.org/ certificate error
On Fri, 01 Mar 2013 10:40:48 -0600, Brad Mettee <bmet...@pchotshots.com> wrote:
> On 3/1/2013 11:11 AM, Mark Felder wrote:
> > On Fri, 01 Mar 2013 09:42:58 -0600, fb...@a1poweruser.com wrote:
> > > The fact remains, the ms/browsers do find the wiki.freebsd.org website's certificate invalid because the certificate ip address does not match the ip address the public dns points to.
> >
> > You can put a certificate on any IP address you want. It's not embedded into the certificate. For the most part it only matters that the CommonName on the certificate matches the hostname of the website and the certificate chain is valid.
>
> And in this particular case, the certificate is for www.freebsd.org and freebsd.org, and the browser is complaining because it's being used on wiki.freebsd.org. Their certificate should have been issued for *.freebsd.org instead of just the main site name. Unfortunately I think all of the certificate issuers charge big $$$ for that type of cert..
Re: https://wiki.freebsd.org/ certificate error
On Fri, 01 Mar 2013 10:40:48 -0600, Brad Mettee <bmet...@pchotshots.com> wrote:
> And in this particular case, the certificate is for www.freebsd.org and freebsd.org, and the browser is complaining because it's being used on wiki.freebsd.org.

No, the certificate being used on wiki.freebsd.org is NOT the one being used for (www\.)?freebsd.org.

http://i.imgur.com/WHg9hI1.png

If you're seeing the certificate from (www\.)?freebsd.org on the wiki site you either are a victim of a MITM attack or the specific regional FreeBSD webserver you're talking to has the wrong certificate configured. I'm not even sure if the FreeBSD website has multiple webservers based on geographical region.

If you're seeing the (www\.)?freebsd.org certificate on wiki.freebsd.org site please report which IP you're connecting to so we can start comparing notes. If we can prove there are multiple webservers/IPs hosting wiki.freebsd.org we need to contact whoever manages the webserver next.
Re: https://wiki.freebsd.org/ certificate error
Mark Felder wrote:
> On Fri, 01 Mar 2013 09:23:25 -0600, je...@seibercom.net wrote:
> > I am not sure what he gets, but I receive this:
>
> That Gandi certificate is correct. I wonder if he's got some strange MITM going on.

Here's the link I followed
https://wiki.freebsd.org/Hierarchical_Resource_Limits

My xp browser showed me the cert and also exported it to a file which I am attaching.
Re: https://wiki.freebsd.org/ certificate error
On Fri, 01 Mar 2013 10:42:58 -0500, Fbsd8 wrote:
> Javad Kouhi wrote:
> > Also no problem with FreeBSD 9.1 and chromium. But some time ago I had this problem with all https sites, because the government forged the wrong SSL certificate and my browser warned me about it. Do you have this problem with other websites?
> >
> > On Fri, Mar 1, 2013 at 6:02 PM, Zyumbilev, Peter <pe...@aboutsupport.com> wrote:
> > > On 01/03/2013 16:14, Ralf Mardorf wrote:
> > > > [1]
> > > > $ firefox -version
> > > > Mozilla Firefox 19.0
> > >
> > > No problem with SeaMonkey 2.16.
> > >
> > > Peter
>
> I use xp browser and its certificate checking is enabled.

You are sure using a more than 10 year old system should be considered safe enough to provide a reference?

> Maybe the browsers running from xorg desktops are NOT certificate aware so them not getting the error warning would be expected.

They are. Or to be correct: The most prominent ones are, like Firefox, Chrome, and Opera. More lightweight browsers like dillo actually might not have this functionality.

> The fact remains, the ms/browsers do find the wiki.freebsd.org website's certificate invalid because the certificate ip address does not match the ip address the public dns points to.

As it has been mentioned, one certificate can be used for several IP addresses. Both www and wiki are located at 8.8.178.110 (returned by "host" command), so there might be a DNS issue or something comparable strange...

I've checked with Opera 11.50 here, no problems.

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: https://wiki.freebsd.org/ certificate error
(Please keep me CC'd as I'm not subscribed to -questions)

(I'm CC'ing Simon Nielsen who maintains the FreeBSD webserver cluster, as this obviously needs to be looked at.)

First, be aware that the following advice which was given:

openssl s_client -showcerts -connect wiki.freebsd.org:443

...is not a sufficient/correct test for this sort of thing. Let's talk about why, and how to do it right:

OpenSSL since 0.9.8 has supported SNI (more on what that is in a moment), but only if the -servername flag is used (with s_client specifically, I think). Otherwise, in this case, what gets returned is the webserver default SSL certificate. Expanding:

Look very closely at the CN (CommonName) field in the below cert. I should note wiki.freebsd.org during both tests below resolved to 8.8.178.110:

$ echo | openssl s_client -showcerts -connect wiki.freebsd.org:443 | grep CN=
depth=1 /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.freebsd.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=www.freebsd.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
DONE

This **is NOT** correct, and would result in a CN mismatch and throw an error in some browsers (keep reading), because wiki.freebsd.org != www.freebsd.org.

What you need to do is this:

openssl s_client -showcerts -connect wiki.freebsd.org:443 -servername wiki.freebsd.org

Result:

$ echo | openssl s_client -showcerts -connect wiki.freebsd.org:443 -servername wiki.freebsd.org | grep CN=
depth=1 /C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
verify error:num=20:unable to get local issuer certificate
verify return:0
 0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=wiki.freebsd.org
   i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=wiki.freebsd.org
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
DONE

Much better.

The -servername flag is not documented anywhere in the FreeBSD OpenSSL man page directory (/usr/share/openssl), and don't ask me why.

So what's SNI?

http://en.wikipedia.org/wiki/Server_Name_Indication

For deep details, look at RFC 6066, RFC 4366, and RFC 3546. Otherwise the simple version is: SNI allows, at the SSL client level, a way to include a FQDN/hostname in the initial handshake. This solves the chicken-and-egg problem involving name-based virtualhosts where the webserver can't determine what the HTTP Host: header is because it's encrypted. The same goes for any protocol (not just HTTP) that has similar mechanisms.

NOW BACK TO THE ACTUAL PROBLEM REPORTED --

It appears that whoever maintains the FreeBSD webservers in the cluster **assumes** that the connecting client supports SNI. That assumption, as someone who ran a hosting organisation since 1993, is rude (some might say bad, but I would say rude). Web browsers/clients that don't support SNI are screwed -- they'll receive a certificate validation failure error.

Internet Explorer 6.x through 8.x -- newer is not available on Windows XP -- do not support SNI (this is even mentioned in the above Wikipedia page). They return the error "There is a problem with this website's security certificate" due to lack of SNI support.

Let me be clear: THIS IS NOT THE FAULT (OR AGE) OF THE OS. THIS HAS TO DO WITH THE WEB BROWSER. Why? Because Firefox 19.0 on Windows XP works just fine, as it supports SNI.

So how do you solve this problem for legacy clients? Simple: By dedicating an IP address to the SSL-based virtualhost/webserver (i.e. one IP address per SSL-based virtual host), and do away with name-based vhosting for SSL. That's the only way. You can continue to use name-based vhosting for non-SSL, as pretty much all browsers (including IE 6.x) support the HTTP Host: header.

To find out if SNI is used or not, do a packet capture and look at the SSL Client Hello packet in Wireshark. Go looking for the "Extension: server_name" section of the TLSv1 portion of the packet (Wireshark can decode this) and you'll find it.

-- 
| Jeremy Chadwick                                   j...@koitsu.org |
| UNIX Systems Administrator                http://jdc.koitsu.org/ |
| Mountain View, CA, US                                            |
| Making life hard for others since 1977.             PGP 4BD6C0CB |
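Jeremy's closing advice is to confirm SNI support from a packet capture by looking for the server_name extension in the Client Hello. The following added Python example (mine, not from the thread or from any of its authors) does that decode in code: it builds two minimal ClientHello records, one carrying a server_name extension for wiki.freebsd.org and one with no extensions block at all, which is what a pre-SNI client such as IE 6-8 on XP sends, and then parses the extension back out the way Wireshark's dissector does. The record layout follows RFC 5246 and RFC 6066; the cipher suite values and the zeroed random are arbitrary constructed sample data, and all function names are my own.

```python
"""Added example: build and dissect a TLS ClientHello to see whether the
client sent the server_name (SNI) extension (RFC 6066 section 3).

Layout (RFC 5246): TLSPlaintext{type, version, length, fragment},
Handshake{msg_type, length(3 bytes), body}, ClientHello{client_version,
random[32], session_id<0..32>, cipher_suites<2..>, compression_methods<1..>,
extensions<0..> (optional; absent for pre-SNI clients)}.
"""
import struct
from typing import Optional

TLS_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000      # RFC 6066 server_name extension type
SNI_HOST_NAME = 0x00          # NameType host_name


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Construct a minimal ClientHello record (constructed sample input).

    server_name=None mimics a client without SNI support, as described for
    IE 6-8 on Windows XP in this thread: no extensions block is sent at all.
    """
    body = b"\x03\x03"                            # client_version: TLS 1.2
    body += bytes(32)                             # random: zeros, for determinism
    body += b"\x00"                               # empty session_id
    suites = b"\xc0\x2f\x00\x9c"                  # two arbitrary cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                           # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry          # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext            # extensions block
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Slice n bytes at pos, refusing to read past the end of the buffer."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension,
    or None when the client sent no SNI (the case the server must handle by
    falling back to a default certificate)."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = _take(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _take(hs, 4, int.from_bytes(hs[1:4], "big"))

    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + _take(body, pos, 1)[0]             # session_id
    pos += 2 + struct.unpack("!H", _take(body, pos, 2))[0]   # cipher_suites
    pos += 1 + _take(body, pos, 1)[0]             # compression_methods
    if pos == len(body):
        return None                               # no extensions: pre-SNI client

    ext_len = struct.unpack("!H", _take(body, pos, 2))[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", _take(body, pos, 4))
        pos += 4
        edata = _take(body, pos, elen)
        pos += elen
        if etype == EXT_SERVER_NAME:
            return _parse_server_name_list(edata)
    return None                                   # extensions present, but no SNI


def _parse_server_name_list(data: bytes) -> Optional[str]:
    """Walk the ServerNameList and return the first host_name entry."""
    list_len = struct.unpack("!H", _take(data, 0, 2))[0]
    pos, end = 2, 2 + list_len
    while pos + 3 <= end:
        ntype, nlen = struct.unpack("!BH", _take(data, pos, 3))
        pos += 3
        name = _take(data, pos, nlen)
        pos += nlen
        if ntype == SNI_HOST_NAME:
            return name.decode("ascii")
    return None


if __name__ == "__main__":
    for host in ("wiki.freebsd.org", None):
        rec = build_client_hello(host)
        print(f"{len(rec):3d}-byte ClientHello, SNI = {extract_sni(rec)!r}")
```

The None result is the whole story of this thread from the server's side: with no server_name in the hello, a name-based SSL vhost setup can only answer with its default certificate (www.freebsd.org here), and the client then sees exactly the CN mismatch Jeremy reproduced with s_client without -servername. The same parser can be pointed at the first TLS record of a captured session to settle whether a given client sends SNI.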