On Mon, May 18, 2015 at 3:59 PM, Eric Oosting <eric.oost...@gmail.com> wrote:
> On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt <
> nicholas.schm...@controlgroup.com> wrote:
>> 2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
>> trying to use the wildcard for amsl.com
>
>
> I'm curious what is going on, but I wonder if it doesn't have something to
> do with the openssl command you've entered below.
>
>> $ openssl s_client -showcerts -connect secretariat.nanog.org:443

Hi Eric,

It does and it doesn't. The following openssl command gets the correct cert:

openssl s_client -servername secretariat.nanog.org -showcerts -connect secretariat.nanog.org:443

The -servername parameter tells openssl to use the SSL Server Name
Indication extension. This allows multiple HTTPS web sites to live on
the same IP address much as the HTTP 1.1 Host header allowed multiple
regular HTTP web sites to live on the same IP address.
All "modern" web browsers support SNI. "Modern" doesn't go back
terribly far. "Older" implementations of HTTPS will get the wrong
certificate as shown. So, if you want to maximize compatibility, have
a talk with your vendor about a dedicated IP address for your HTTPS
server. Otherwise, make a note in your documentation that SSL clients
must support the SNI extension to use the web site.

Regards,
Bill Herrin
-- 
William Herrin ................ her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
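The behaviour Bill describes above (a virtual-hosted HTTPS server returning a different certificate to clients that do and do not send SNI) can be checked from a script rather than by eyeballing two openssl runs. The following is an added example, not code from the thread or from NANOG; the function names `cert_names`, `hostname_matches`, `fetch_cert` and `sni_report` are my own. `fetch_cert` needs network access and a chain that validates against the local CA store (Python's `getpeercert()` returns an empty dict for unvalidated certs), while the name-matching logic runs offline on constructed certificate dicts in the same shape `ssl.SSLSocket.getpeercert()` produces.

```python
"""Compare the certificate an HTTPS server presents with and without the
TLS Server Name Indication (SNI) extension, and check whether each one
actually covers the hostname the client asked for.

Added example for the SNI discussion; not part of the original email.
"""
import socket
import ssl


def cert_names(cert):
    """Return the DNS names a cert dict claims (SAN dNSNames, else the CN).

    `cert` is the dict returned by ssl.SSLSocket.getpeercert().
    """
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        # Fall back to the subject CN only when no SAN dNSName is present.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def hostname_matches(cert, hostname):
    """True if the cert covers `hostname`.

    Wildcards are honoured only in the leftmost label and match exactly
    one label (so *.amsl.com matches www.amsl.com but not amsl.com or
    a.b.amsl.com), which is the usual browser interpretation.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for name in cert_names(cert):
        name_labels = name.lower().rstrip(".").split(".")
        if len(name_labels) != len(host_labels):
            continue
        if name_labels[0] == "*":
            # Require at least "*.example.tld" so "*.com" never matches.
            if len(name_labels) >= 3 and name_labels[1:] == host_labels[1:]:
                return True
        elif name_labels == host_labels:
            return True
    return False


def fetch_cert(hostname, port=443, use_sni=True, timeout=10):
    """Handshake with the server and return the leaf cert as a dict.

    Hostname checking is disabled on purpose: the point is to see which
    cert the server serves, not to reject it. Chain validation stays on
    because getpeercert() only decodes a cert that validated.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        # server_hostname=None sends no SNI, mimicking an older client.
        with ctx.wrap_socket(sock, server_hostname=hostname if use_sni else None) as tls:
            return tls.getpeercert()


def sni_report(hostname, port=443):
    """Return, for both client behaviours, the names served and whether
    they cover `hostname`; a handshake failure is reported as an error."""
    report = {}
    for label, use_sni in (("with_sni", True), ("without_sni", False)):
        try:
            cert = fetch_cert(hostname, port, use_sni=use_sni)
            report[label] = {
                "names": cert_names(cert),
                "covers_hostname": hostname_matches(cert, hostname),
            }
        except (ssl.SSLError, OSError) as exc:
            report[label] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    import json
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "secretariat.nanog.org"
    print(json.dumps(sni_report(target), indent=2))
```

If `without_sni` reports `covers_hostname: false` while `with_sni` reports `true`, the site depends on SNI exactly as described in the email, and the fix is either a dedicated IP address for the vhost or documenting the SNI requirement.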