Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2013/07/18 02:26:49 UTC

[jira] [Updated] (TS-2031) Two SSL certs with overlapping CNs stomps over each other without warnings

     [ https://issues.apache.org/jira/browse/TS-2031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-2031:
------------------------------

      Description: If you have two certs that have the same CNs, the last one wins in the SNI negotiation. This even takes precedence over "assigned" IPs (SNI trumps IP). We should at least warn on this.  (was: I have a case, where two IPs have different certificates, but the second certificate is a wildcard. So, certificate 1) is more specific (www.example) whereas the second cert is a *.example.com). My config is e.g.

{code}
dest_ip=1.2.3.4 ssl_cert_name=www.example.com.pem
dest_ip=2.3.4.5 ssl_cert_name=example.com.pem
{code}

The IP for www.example.com is 1.2.3.4, yet, it will present the wrong cert. A wild guess is that the lookup matches the second cert first, and it fails to take the IP into consideration?
)
         Priority: Minor  (was: Major)
    Fix Version/s: sometime
          Summary: Two SSL certs with overlapping CNs stomps over each other without warnings  (was: SSL can pick the wrong certificate)
    
> Two SSL certs with overlapping CNs stomps over each other without warnings
> --------------------------------------------------------------------------
>
>                 Key: TS-2031
>                 URL: https://issues.apache.org/jira/browse/TS-2031
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>            Priority: Minor
>             Fix For: sometime
>
>
> If you have two certs that have the same CNs, the last one wins in the SNI negotiation. This even takes precedence over "assigned" IPs (SNI trumps IP). We should at least warn on this.

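The warning this issue asks for can be approximated outside the server with a configuration lint. The following is an added example, not Traffic Server code and not part of the original message: it reads `dest_ip=... ssl_cert_name=...` lines like the two quoted above and reports every pair of certificates whose names overlap, covering both the identical-name case and the wildcard case from the earlier description. The function names and the name table are assumptions; the names per certificate are taken as already extracted from the files.

```python
# Added example: lint for certificate names that overlap across config lines.

# Constructed sample input, mirroring the two lines quoted in the issue.
SAMPLE_CONFIG = """\
dest_ip=1.2.3.4 ssl_cert_name=www.example.com.pem
dest_ip=2.3.4.5 ssl_cert_name=example.com.pem
"""

# Assumption: names already read from each certificate file
# (for instance from the output of `openssl x509 -noout -text`).
SAMPLE_CERT_NAMES = {
    "www.example.com.pem": ["www.example.com"],
    "example.com.pem": ["*.example.com"],
}

def parse_multicert(text):
    """Yield (dest_ip, cert_file) for each non-comment config line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "ssl_cert_name" in fields:
            yield fields.get("dest_ip", "*"), fields["ssl_cert_name"]

def covers(pattern, host):
    """True if a cert name matches host; '*' stands for one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def find_overlaps(config_text, cert_names):
    """Return one tuple per pair of different certs whose names overlap."""
    entries = [(ip, cert, name)
               for ip, cert in parse_multicert(config_text)
               for name in cert_names.get(cert, [])]
    warnings = []
    for i, (ip_a, cert_a, name_a) in enumerate(entries):
        for ip_b, cert_b, name_b in entries[i + 1:]:
            if cert_a == cert_b:
                continue
            if covers(name_a, name_b) or covers(name_b, name_a):
                warnings.append((name_a, cert_a, ip_a, name_b, cert_b, ip_b))
    return warnings

if __name__ == "__main__":
    for w in find_overlaps(SAMPLE_CONFIG, SAMPLE_CERT_NAMES):
        print("WARNING: %s (%s, dest_ip=%s) overlaps %s (%s, dest_ip=%s)" % w)
```

Run against the real configuration before a reload, any reported pair marks a hostname for which the `dest_ip` assignment alone does not determine the certificate presented.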