On Fri, Sep 3, 2021 at 8:18 AM Jochen Bern <Jochen.Bern at binect.de> wrote:

> On 03.09.21 16:28, Dmitry Belyavskiy wrote:
> > The site www.openssh.com is misconfigured and sometimes browsers refuse to
> > connect because of hostname mismatch - the certificate provided by the site
> > is issued for www.openbsd.org. Could you please fix it?
>
> There is nothing broken - the server cert lists "www.openssh.com" in the
> Subject Alternate Names (SANs), along with a dozen others.
>

There is nothing broken on *www.openssh.com*. There *is* something broken
on www.openssh.org which redirects to www.openssh.com.

Tom.III

>
> The DN contains "www.openbsd.org" as the CN, but a) there can be only
> one *there*, b) the current standards suggest that browsers(!) should
> ignore the DN in favor of the SANs altogether, and c) before that, they
> were supposed to accept *both* for quite a while.
>
> Regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
>

> On Sep 3, 2021, at 9:51 AM, Thomas Dwyer III <tomiii at tomiii.com> wrote:
>
> On Fri, Sep 3, 2021 at 8:18 AM Jochen Bern <Jochen.Bern at binect.de> wrote:
>
>> On 03.09.21 16:28, Dmitry Belyavskiy wrote:
>>> The site www.openssh.com is misconfigured and sometimes browsers refuse to
>>> connect because of hostname mismatch - the certificate provided by the site
>>> is issued for www.openbsd.org. Could you please fix it?
>>
>> There is nothing broken - the server cert lists "www.openssh.com" in the
>> Subject Alternate Names (SANs), along with a dozen others.
>>
>
> There is nothing broken on *www.openssh.com*. There *is* something broken
> on www.openssh.org which redirects to www.openssh.com.

Agreed - while there are a bunch of SANs listed, www.openssh.org is not one of them, at least from what I see here:

    X509v3 Subject Alternative Name:
        DNS:ftp.openbsd.org, DNS:libressl.org, DNS:openbsd.org, DNS:openiked.org, DNS:openssh.com, DNS:rpki-client.org, DNS:www.libressl.org, DNS:www.openbsd.org, DNS:www.openiked.org, DNS:www.openrsync.org, DNS:www.openssh.com, DNS:www.rpki-client.org

--
Ron Frederick
ronf at timeheart.net

On 03/09/2021 17:51, Thomas Dwyer III wrote:
> There is nothing broken on *www.openssh.com*. There *is* something broken
> on www.openssh.org which redirects to www.openssh.com.

www.openssh.org is a CNAME to www.openssh.com, so it's the same server. It's just missing the .org SAN.
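
The check the thread is arguing about, as an added example that is not part of any message above and is not browser or OpenSSH code: it parses the SAN line quoted in the thread and matches hostnames against the dNSName entries only, which is why www.openssh.com passes and the CNAME www.openssh.org fails. It goes slightly beyond the thread by also handling a leftmost-label wildcard and an opt-in legacy CN fallback; all function names are hypothetical.

```python
SAN_TEXT = (  # SAN line as quoted in the thread
    "DNS:ftp.openbsd.org, DNS:libressl.org, DNS:openbsd.org, DNS:openiked.org, "
    "DNS:openssh.com, DNS:rpki-client.org, DNS:www.libressl.org, "
    "DNS:www.openbsd.org, DNS:www.openiked.org, DNS:www.openrsync.org, "
    "DNS:www.openssh.com, DNS:www.rpki-client.org"
)
SUBJECT_CN = "www.openbsd.org"  # CN reported in the thread


def parse_dns_sans(text):
    """Extract dNSName entries from an openssl-style 'DNS:a, DNS:b' line."""
    names = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS" and value:
            names.append(value.lower().rstrip("."))
    return names


def label_match(pattern, host):
    """Exact match, or '*' as the entire leftmost label (never '*.tld')."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:] and h[0] != ""
    return p == h


def hostname_ok(host, dns_sans, subject_cn=None, legacy_cn=False):
    """SANs decide. The CN is consulted only if there are no dNSName SANs
    and the caller opts in to the legacy behaviour."""
    host = host.lower().rstrip(".")
    if dns_sans:
        return any(label_match(s, host) for s in dns_sans)
    return bool(legacy_cn and subject_cn) and label_match(subject_cn.lower(), host)


def check_thread_hosts():
    """Evaluate the hostnames discussed in the thread against the quoted SANs."""
    sans = parse_dns_sans(SAN_TEXT)
    return {h: hostname_ok(h, sans, SUBJECT_CN)
            for h in ("www.openssh.com", "openssh.com", "www.openssh.org")}


if __name__ == "__main__":
    for host, ok in check_thread_hosts().items():
        print(f"{host:18} {'match' if ok else 'MISMATCH'}")
```
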