
SNI-required host value not set when server value is specified as IP Address and DNS Name *is* set properly #148

Closed
atc0005 opened this issue Jan 31, 2023 · 1 comment
Labels
app/lscert bug Something isn't working output/extended Long Service Output (aka, "extended" or "detailed") output/logging plugin/check_cert sni
Owner
atc0005 commented Jan 31, 2023

Overview

To illustrate, this is the result when specifying the server value as an IP Address and the DNS Name as a valid host value associated with the certificate:

$ go build ./cmd/lscert && ./lscert.exe --server 142.251.45.228 --dns-name www.google.com


======================
CERTIFICATES | SUMMARY
======================

- OK: 1 certs retrieved for service running on 142.251.45.228 at port 443
- CRITICAL: Hostname validation using value "www.google.com" failed for first cert in chain
- OK: SANs List validation ignored: 0 SANs entries specified, 0 SANs entries on root cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]
- OK: Expiration validation successful: root cert "invalid2.invalid" expires next with 2526d 13h remaining (until 2030-01-01 00:00:00 +0000 UTC) [EXPIRED: 0, EXPIRING: 0, OK: 1]


============================
CERTIFICATES | CHAIN DETAILS
============================

Certificate 1 of 1 (root):
        Name: CN=invalid2.invalid,OU=No SNI provided\; please fix your client.
        SANs entries: []
        Issuer: CN=invalid2.invalid,OU=No SNI provided\; please fix your client.
        Serial: 90:76:89:18:E9:33:93:A0
        Issued On: 2015-01-01 00:00:00 +0000 UTC
        Expiration: 2030-01-01 00:00:00 +0000 UTC
        Status: [OK] 2526d 13h remaining

This was fixed for the check_cert plugin with atc0005/check-cert-old#460, but not for lscert. At the time the perceived scope of the fix was just properly noting which host value was used to retrieve the certificate, not also fixing the lack of a host value in the cert retrieval attempt.

The lscert tool requires the same fix (since this portion of the logic is not yet shared).

References

atc0005 added this to the Next Release milestone Jan 31, 2023
atc0005 self-assigned this Jan 31, 2023
Owner Author
atc0005 commented Jan 31, 2023

After applying the same fix as noted in atc0005/check-cert-old#459:

$ go build ./cmd/lscert && ./lscert.exe --server 142.251.45.228 --dns-name www.google.com


======================
CERTIFICATES | SUMMARY
======================

- OK: 3 certs retrieved for service running on 142.251.45.228 at port 443 using host value "www.google.com"
- OK: Hostname validation using value "www.google.com" successful for leaf certificate
- OK: SANs List validation ignored: 0 SANs entries specified, 1 SANs entries on leaf cert [0 EXPECTED, 0 MISSING, 0 UNEXPECTED]
- OK: Expiration validation successful: leaf cert "www.google.com" expires next with 61d 21h remaining (until 2023-04-03 08:19:11 +0000 UTC) [EXPIRED: 0, EXPIRING: 0, OK: 3]


============================
CERTIFICATES | CHAIN DETAILS
============================

Certificate 1 of 3 (leaf):
        Name: CN=www.google.com
        SANs entries: [www.google.com]
        Issuer: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
        Serial: 22:9A:E0:39:88:E2:14:FE:0A:53:14:13:A2:A1:03:BE
        Issued On: 2023-01-09 08:19:12 +0000 UTC
        Expiration: 2023-04-03 08:19:11 +0000 UTC
        Status: [OK] 61d 21h remaining

Certificate 2 of 3 (intermediate):
        Name: CN=GTS CA 1C3,O=Google Trust Services LLC,C=US
        SANs entries: []
        Issuer: CN=GTS Root R1,O=Google Trust Services LLC,C=US
        Serial: 02:03:BC:53:59:6B:34:C7:18:F5:01:50:66
        Issued On: 2020-08-13 00:00:42 +0000 UTC
        Expiration: 2027-09-30 00:00:42 +0000 UTC
        Status: [OK] 1702d 13h remaining

Certificate 3 of 3 (intermediate):
        Name: CN=GTS Root R1,O=Google Trust Services LLC,C=US
        SANs entries: []
        Issuer: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
        Serial: 77:BD:0D:6C:DB:36:F9:1A:EA:21:0F:C4:F0:58:D3:0D
        Issued On: 2020-06-19 00:00:42 +0000 UTC
        Expiration: 2028-01-28 00:00:42 +0000 UTC
        Status: [OK] 1822d 13h remaining

atc0005 added output/logging output/extended Long Service Output (aka, "extended" or "detailed") labels Jan 31, 2023
atc0005 closed this as completed Jan 31, 2023
atc0005 transferred this issue from another repository Feb 22, 2025
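The behavior reported in this issue, reproduced offline as an added example (not lscert's own code, and not taken from the referenced fixes): a loopback TLS listener hands out a placeholder certificate when the ClientHello carries no SNI, and the client dials it by IP address with and without a host value. The names `selfSigned` and `retrieve`, the host `www.example.test` and the placeholder CN `no-sni.invalid` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// selfSigned builds a throwaway self-signed certificate (constructed test data).
func selfSigned(cn string, sans ...string) *tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// retrieve starts a loopback HTTPS listener, dials it by IP address with the
// given SNI value, and returns the leaf CN plus the result of validating host.
func retrieve(host, sni string) (string, error) {
	// Keyed by SNI: "" (none sent) gets a placeholder certificate, host gets the real one.
	certs := map[string]*tls.Certificate{"": selfSigned("no-sni.invalid"), host: selfSigned(host, host)}
	pick := func(h *tls.ClientHelloInfo) (*tls.Certificate, error) { return certs[h.ServerName], nil }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: pick})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go http.Serve(ln, nil)
	// crypto/tls sends no SNI for an IP literal; verification is skipped to inspect the chain.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	leaf := conn.ConnectionState().PeerCertificates[0]
	return leaf.Subject.CommonName, leaf.VerifyHostname(host)
}

func main() {
	fmt.Println(retrieve("www.example.test", "")) // IP address only, no host value
	fmt.Println(retrieve("www.example.test", "www.example.test"))
}
```

Without the host value the client receives the placeholder certificate and hostname validation fails. With it, the named leaf is returned and validation succeeds.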