Hello, The site www.openssh.com is misconfigured and sometimes browsers refuse to connect because of hostname mismatch - the certificate provided by the site is issued for www.openbsd.org. Could you please fix it? Many thanks! -- Dmitry Belyavskiy
Looking myself, I don?t see a problem as www.openssh.com is perfectly available on http:// and is a listed SAN entry in the https certificate for www.openbsd.org (perhaps one of the load balancers might be problematic, and then the webmasters will need more/better information) -> rather blame the big tech enforcing httpS for all the wrong reasons that sounds nice.> On 03 Sep 2021, at 16:28 , Dmitry Belyavskiy <dbelyavs at redhat.com> wrote: > > Hello, > > The site www.openssh.com is misconfigured and sometimes browsers refuse to > connect because of hostname mismatch - the certificate provided by the site > is issued for www.openbsd.org. Could you please fix it? > > Many thanks! > -- > Dmitry Belyavskiy > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
On 2021/09/03 16:28, Dmitry Belyavskiy wrote:> Hello, > > The site www.openssh.com is misconfigured and sometimes browsers refuse to > connect because of hostname mismatch - the certificate provided by the site > is issued for www.openbsd.org. Could you please fix it?https://www.openssh.com/ seems fine to me. Are you confusing it with www.openssh.org (which is not the correct domain for the project)??
On 03.09.21 16:28, Dmitry Belyavskiy wrote:> The site www.openssh.com is misconfigured and sometimes browsers refuse to > connect because of hostname mismatch - the certificate provided by the site > is issued for www.openbsd.org. Could you please fix it?There is nothing broken - the server cert lists "www.openssh.com" in the Subject Alternate Names (SANs), along with a dozen others. The DN contains "www.openbsd.org" as the CN, but a) there can be only one *there*, b) the current standards suggest that browsers(!) should ignore the DN in favor of the SANs altogether, and c) before that, they were supposed to accept *both* for quite a while. Regards, -- Jochen Bern Systemingenieur Binect GmbH -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3449 bytes Desc: S/MIME Cryptographic Signature URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20210903/a4563603/attachment.p7s>