[ntp:hackers] Why are we going down this road? Question on listen-on, query-on, -I

Olaf Fraczyk olaf at navi.pl
Mon Jun 8 07:25:55 UTC 2009


On Sun, 2009-06-07 at 23:54 -0400, Danny Mayer wrote:
> I said the exact opposite. I expect and do get a certificate error if
> the host header does not exactly match the certificate. When the URL is
> https://foo.ntp.org/ then the Host in the header is foo.ntp.org and that
> is what needs to match the certificate. If I enter instead https://foo/
> then I will get a certificate error as the Host header does *not* match
> the certificate. It has nothing to do with the IP address which in this
> specific case will be identical.

Hi,

1. The certificate is bound to a host name (to keep it simple here - it
can be any domain name or a wildcard one etc.).
2. Just as Dave has written, the certificate is presented for a given
IP. It is impossible to present it based on the name.
3. You need 1 IP for 1 SSL site to be able to make it work together.
4. What you see can be a side effect of misconfiguration, or you use
the wrong hostname.

Best regards,

Olaf
-- 
Olaf Frączyk <olaf at navi.pl>
NAVI
http://www.navi.pl
http://www.ntp.navi.pl
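
The two positions in this exchange can be put side by side in a small simulation, added here as an example that is not part of the original message: the server picks its certificate per listening IP (point 2), and the client accepts or rejects it by comparing the certificate name with the host name it was given. All addresses, names and certificate contents are constructed, and the model assumes, as point 2 states, that the server does not know the requested name when it presents the certificate.

```python
# Added illustration; every name, address and certificate entry is constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the host name the client asked for.

    Case-insensitive. A wildcard is accepted only as the whole leftmost
    label and stands for exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Conservative choice of this example: refuse wildcards such as "*.org".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

# Server side (point 2): one certificate per listening IP address.
CERT_BY_IP = {
    "192.0.2.10": ["foo.ntp.org"],
    "192.0.2.20": ["*.example.org"],
}

# Client side: constructed resolver table; "foo" and "foo.ntp.org" share an IP.
RESOLVER = {
    "foo.ntp.org": "192.0.2.10",
    "foo": "192.0.2.10",
    "www.example.org": "192.0.2.20",
    "a.b.example.org": "192.0.2.20",
}

def connect(url_host: str) -> tuple[str, bool]:
    """Return (server IP, whether the client accepts the presented certificate)."""
    ip = RESOLVER[url_host]
    presented = CERT_BY_IP[ip]  # chosen by IP only; the server never saw url_host
    accepted = any(name_matches(name, url_host) for name in presented)
    return ip, accepted

if __name__ == "__main__":
    for host in RESOLVER:
        print(host, connect(host))
```

Both `foo.ntp.org` and `foo` reach the same address and receive the same certificate; only the client-side name comparison differs.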


