[ntp:hackers] Why are we going down this road? Question on listen-on, query-on, -I

Dave Hart davehart at gmail.com
Mon Jun 8 03:39:34 UTC 2009


On Mon, Jun 8, 2009 at 3:08 AM, Danny Mayer<mayer at ntp.org> wrote:
> Dave Hart wrote:
>> On Sun, Jun 7, 2009 at 5:26 PM, Danny Mayer<mayer at ntp.org> wrote:
>>> No, it's the host name that is tied to the certificate not the IP
>>> address. I see this all the time at my work.
>>
>> Unique IP addresses are required for each https instance for the
>> simple reason that the certificate verification happens before the
>> client has a chance to indicate a web server name via a Host: header.
>> The server must present the certificate associated with the hostname
>> the https client is contacting, and the only information available to
>> the server to select a certificate is the IP address.
>>
>
> No, that's not correct. I regularly run into the issue at the office
> when I go to an http server either via a FQDN or just the name without
> the domain. In the latter case I get a warning of an invalid
> certificate. The IP address is identical in each case and it's the host
> name in the header that makes the difference and causes warnings which
> has to be cleared before I can continue.

Nothing you state contradicts what I described.  You are mistaken in
assuming that you should be able to contact an https server on the
wrong hostname but correct IP and not see a warning.  The hostname
used by the web browser must match (one of) the hostnames in the
certificate offered by the server.  The problem is not to do with the
Host: header in the https request, as things haven't progressed that
far yet.  The warning is coming from the web browser noticing you
asked for a secured connection with hostname A but the certificate has
no mention of A, during SSL setup before any HTTP interaction.

Cheers,
Dave Hart
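The check Dave describes, as an added example that is not code from the thread or from the ntp project: it reproduces the hostname-against-certificate comparison a TLS client makes during the handshake, before any Host: header exists, using the subjectAltName layout that Python's ssl.SSLSocket.getpeercert() returns. The certificate dictionary is a constructed sample; the short name "www" versus the FQDN "www.example.org" mirrors the warning case in the quoted reply.

```python
"""Hostname-vs-certificate matching as a TLS client does it.

Added example, not code from the ntp project or this thread. The
comparison runs during the TLS handshake, before the client sends any
HTTP request (and thus before any Host: header), so the IP address has
already been used to reach the server and plays no part in the name
check. SAMPLE_CERT is a constructed certificate in getpeercert() layout.
"""
import ipaddress

# Constructed sample: the server's certificate lists only an FQDN, a
# wildcard for one sub-domain level, and one IP address.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.org"),),),
    "subjectAltName": (
        ("DNS", "www.example.org"),
        ("DNS", "*.internal.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, trailing dot ignored, and a
    leading '*' label matches exactly one label (no partial wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if hostname is one of the names the certificate vouches for.
    Only subjectAltName is consulted, as current browsers do; a bare
    commonName in the subject is ignored."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and _dns_name_match(value, hostname):
            return True
        if kind == "IP Address" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
    return False
```

A client that reaches the same IP with the bare name "www" fails this check and warns, exactly as described above, even though the server and its certificate are unchanged.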

