-----Original Message-----
From: Ralph Mitchell [mailto:ralphmitchell at gmail.com]
Sent: Tuesday, June 15, 2010 4:03 PM
To: hobbit at hswn.dk
Subject: Re: [hobbit] SSL cert testing to match common name with host/URL?
I don't recall anyone else mentioning this as a problem. A fairly easy workaround would be to roll your own check. For example, this:
curl -v https://mail.google.com

returns:

  * Server certificate:
  *  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=mail.google.com
  *  start date: 2009-12-18 00:00:00 GMT
  *  expire date: 2011-12-18 23:59:59 GMT
  *  common name: mail.google.com (matched)
  *  issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
  *  SSL certificate verify ok.
  > GET / HTTP/1.1

among other things. It wouldn't be too hard to grep out "common name" from that and go from there. If there's anything hinky about the cert, curl will return an error. If you use the "-k" option, it'll ignore the error and give you the page along with info about what was wrong.
Ralph Mitchell
Yeah, I was resigned to setting up a new test in the short-term, at least.
Still, I think it merits being a configurable option for the built-in SSL check. I think a lot more people would be interested in the matching of the common name than, say, encryption bit level, since most user clients will throw a warning if there's a mismatch. =/
Regards,
JC
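A worked version of Ralph's "roll your own check" suggestion, added here as an example; it is not part of the original thread and not Hobbit's own code. It feeds curl -v output (in the format quoted above; newer curl reports the name match on a 'subjectAltName: host "..." matched' line instead, which is also accepted) through a fail-closed check: the test passes only when curl positively says the name matched and the chain verified, so unknown or changed wording lands on the red side rather than the green one. The sample transcripts are constructed, the function names are my own, and the final report to the Hobbit display server (the usual $BB $BBDISP "status ..." call) is left to the caller.

```shell
#!/bin/sh
# Example Hobbit ext-style check: does the server's certificate name match
# the host we asked for? Added example, not code from the thread or Hobbit.

# check_cert_output HOST CURL_OUTPUT
# Looks for curl's positive "matched" verdict on HOST and for its
# "verify ok" line. Anything else is treated as a failure (fail closed).
# Prints one word and returns: 0 ok, 1 mismatch, 2 unverified, 3 nocert.
check_cert_output() {
    host=$1
    out=$2
    if [ -z "$out" ] || ! printf '%s\n' "$out" | grep -q 'Server certificate'; then
        echo nocert
        return 3
    fi
    # -F: fixed strings, so dots in the hostname are not regex metacharacters.
    # -i: hostnames compare case-insensitively.
    # Two spellings: curl of 2010 (common name) and current curl (subjectAltName).
    if ! printf '%s\n' "$out" | grep -Fiq \
            -e "common name: $host (matched)" \
            -e "subjectAltName: host \"$host\" matched"; then
        echo mismatch
        return 1
    fi
    if ! printf '%s\n' "$out" | grep -q 'SSL certificate verify ok'; then
        echo unverified
        return 2
    fi
    echo ok
    return 0
}

# fetch_cert_output HOST
# Runs curl as in the thread. -k keeps curl talking after a certificate
# problem so the certificate lines are still printed; the verdict comes
# from check_cert_output, not from curl's exit status.
fetch_cert_output() {
    curl -sS -v -k -o /dev/null "https://$1/" 2>&1
}

# hobbit_color RESULT: map the verdict to a Hobbit status colour.
hobbit_color() {
    case $1 in
        ok)         echo green ;;
        unverified) echo yellow ;;
        *)          echo red ;;
    esac
}

# Constructed sample, modelled on the curl lines quoted in the thread.
SAMPLE_OK='* Server certificate:
*  subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=mail.google.com
*  common name: mail.google.com (matched)
*  issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
*  SSL certificate verify ok.
> GET / HTTP/1.1'

# Constructed sample: the certificate names a different host (what -k lets you see).
SAMPLE_MISMATCH='* Server certificate:
*  subject: CN=www.example.net
*  common name: www.example.net (does not match mail.example.com)
*  SSL certificate verify ok.'

# Constructed sample: name matches but the chain does not verify (self-signed, say).
SAMPLE_UNVERIFIED='* Server certificate:
*  subject: CN=mail.example.com
*  common name: mail.example.com (matched)
*  SSL certificate verify result: self signed certificate (18), continuing anyway.'

# Live usage (needs network, so it only runs when CHECK_HOST is set):
#   CHECK_HOST=mail.google.com sh sslcn.sh
if [ -n "${CHECK_HOST:-}" ]; then
    result=$(check_cert_output "$CHECK_HOST" "$(fetch_cert_output "$CHECK_HOST")") || true
    echo "$CHECK_HOST: $result ($(hobbit_color "$result"))"
fi
```

The check deliberately greps for the positive "(matched)" wording only, so a curl build that phrases a mismatch differently, or prints nothing at all because the connection failed, still ends up red; matching on the various failure strings instead would turn every unrecognised message into a false green.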