¿Por qué no hay error de certificado al visitar google.net aunque presenta un certificado emitido para google.com?

68

La siguiente salida muestra que google.net está presentando un certificado que se ha emitido a www.google.com .

$ openssl s_client -connect google.net:443 < /dev/null > out.txt 2>&1; cat out.txt
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3296 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: 74F80EC832F6806A3E10956F29A90BF423010BFBD8727BC171F9BFE39D3F89E9
    Session-ID-ctx: 
    Master-Key: 01F60D0A6DC7FF255D1C468EF06E5B7875A99E95C7FA8551F664A514B2EC5535EBB6E76E204743BF7D46F683B36E0988
    Key-Arg   : None
    Start Time: 1499657382
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

Copié y pegué el certificado en un archivo separado para analizarlo.

$ cat cert.txt
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----

Luego veo el certificado con OpenSSL CLI.

$ openssl x509 -in cert.txt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:18:f0:44:a8:f3:18:92
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Validity
            Not Before: Jun 28 10:07:46 2017 GMT
            Not After : Sep 20 09:27:00 2017 GMT
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:91:df:f8:10:02:c2:99:53:36:dc:ca:38:bd:fd:
                    90:10:a7:ff:b4:83:92:40:e2:3a:37:95:42:ab:be:
                    9c:99:e3:ea:ae:e0:cd:45:56:fe:21:dd:3b:75:44:
                    f2:05:bb:59:f0:52:8b:b3:5f:11:45:7d:34:67:ae:
                    62:0d:c6:14:ae:25:8f:a9:99:00:c7:c8:ac:43:96:
                    c4:2d:87:54:6b:de:20:74:04:d5:f9:7e:95:ee:f0:
                    56:d6:a2:06:15:38:5b:6d:4a:24:3e:11:2b:a3:56:
                    34:5a:f7:d5:35:f9:49:47:40:4a:d9:39:7d:c8:7c:
                    dc:bd:1d:0a:7c:3a:cc:e3:10:25:bd:3d:c8:81:bc:
                    82:b6:0d:cd:c4:05:33:4b:04:c9:a0:4c:b6:a5:37:
                    f8:1f:51:17:5c:50:40:c6:f2:af:f2:6a:dc:62:42:
                    78:3f:cb:a8:c9:9a:c8:ff:64:e6:e0:f3:3f:eb:f9:
                    f3:b9:2b:c9:f3:dd:f7:60:16:65:28:1a:0e:7e:b3:
                    61:f9:00:a0:6f:4e:68:00:0e:3d:f4:a6:0d:cf:91:
                    77:14:7d:30:64:a3:93:44:6a:0c:0b:4c:c1:17:36:
                    69:fb:9e:7b:3b:6b:a1:e8:00:e9:04:ae:5b:51:35:
                    93:7b:7d:4d:0e:5e:c8:20:7d:16:27:f3:06:14:31:
                    8b:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name: 
                DNS:www.google.com
            Authority Information Access: 
                CA Issuers - URI:http://pki.google.com/GIAG2.crt
                OCSP - URI:http://clients1.google.com/ocsp

            X509v3 Subject Key Identifier: 
                88:FF:28:68:F3:5D:98:C9:73:75:B7:82:8D:64:C8:ED:D3:0E:7B:2A
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F

            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.11129.2.5.1
                Policy: 2.23.140.1.2.2

            X509v3 CRL Distribution Points: 
                URI:http://pki.google.com/GIAG2.crl

    Signature Algorithm: sha256WithRSAEncryption
        34:40:58:25:d5:4c:19:d6:f2:46:78:23:a1:9a:ff:53:eb:69:
        b7:b9:b8:3a:e6:ec:b9:d6:21:88:3a:37:1b:e0:e0:e9:18:e8:
        1e:c8:58:5e:b8:01:65:2a:f3:42:3b:fd:c8:6f:2a:74:b6:49:
        d1:75:a8:ee:6f:98:9d:cb:6c:bd:e5:d2:84:5b:72:0d:95:ba:
        f7:6b:52:a1:6f:38:1b:c2:a4:d0:4d:d1:57:8a:d9:27:62:3c:
        11:2e:10:6a:fa:34:a2:4e:80:72:20:5a:c0:25:87:ff:c2:74:
        38:f6:54:94:25:f4:9e:4c:b7:e6:96:89:7c:69:e4:03:b7:cf:
        ba:7d:59:ea:92:bd:8d:4f:6a:ed:5f:e2:59:31:8f:c5:f2:ee:
        37:e8:6c:ff:35:66:fa:13:da:eb:14:c1:c7:0a:e2:11:51:de:
        ed:a6:3f:90:75:1c:45:3a:62:cb:f3:ae:b8:d0:75:93:d1:ef:
        ca:98:26:2a:88:82:7d:d0:88:50:b7:13:0b:1f:80:2f:83:21:
        c1:fe:b7:15:59:aa:34:d9:77:30:22:1a:24:c7:8b:62:4d:35:
        d1:86:b1:dc:22:72:1e:34:6e:dc:ac:5b:ae:f3:c4:30:f6:a2:
        f1:60:ee:54:83:8f:bd:93:80:57:46:ed:38:c3:39:36:9a:96:
        f8:48:25:20
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----

No se menciona google.net en ninguna parte del certificado.

Sin embargo, cuando visito enlace , se redirige a la perfección cliente a enlace .

$ curl -I https://google.net/
HTTP/1.1 302 Found
Location: https://www.google.com/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Mon, 10 Jul 2017 03:34:48 GMT
Server: gws
Content-Length: 220
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=107=c9VFilfj0RLlIxvNfoJm1nETnE1IiUlg5TNL3GEs8oS_KWVWGEEcLIvQTSvtHjbwLSeqRVDpIYrqox24sE2ju7HbrSOqdu-3fNF7xzqHxV4I4YYeNiXjytTkYeKQ9inI; expires=Tue, 09-Jan-2018 03:34:48 GMT; path=/; domain=.google.net; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,36,35"

También veo el mismo comportamiento con el navegador.

Estaba esperando que Curl devolviera este error.

curl: (60) SSL certificate problem: Invalid certificate chain

Esperaba que Firefox devolviera este error.

Error code: SSL_ERROR_BAD_CERT_DOMAIN

Esperaba que Chrome devolviera este error.

NET::ERR_CERT_COMMON_NAME_INVALID

Sin embargo, los tres clientes se conectan a enlace y obtienen redirigido a enlace . ¿Por qué no hay error incluso? aunque el nombre común en el campo Asunto del certificado es google.com pero el dominio al que me estoy conectando es google.net?

    
pregunta Lone Learner 10.07.2017 - 05:55
fuente

1 respuesta

96

Agujero SNI

Has caído en un "agujero SNI" . Google presentará un certificado diferente si no hay una "Indicación del nombre del servidor" en la parte del protocolo de enlace TLS del cliente. OpenSSL no configurará esto automáticamente. Tienes que hacerlo de forma manual. Pero todos los clientes web modernos, incluido CURL , deberían hacerlo automáticamente. De ahí la diferencia.

Usando SNI con OpenSSL

Predeterminado: Sin SNI:

$ echo '' | openssl s_client -connect google.net:443 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
                DNS:www.google.com

Agregar SNI manualmente a través del parámetro -servername :

$ echo '' | openssl s_client -connect google.net:443 -servername google.net 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
        Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
        Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.net
                DNS:*.google.net, DNS:google.net

Se devuelven certificados diferentes.

    
respondido por el StackzOfZtuff 10.07.2017 - 07:20
fuente

Lea otras preguntas en las etiquetas