次の出力は、google.net
がwww.google.com
に発行された証明書を提示していることを示しています。
$ openssl s_client -connect google.net:443 < /dev/null > out.txt 2>&1; cat out.txt
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
i:/C=US/O=Google Inc/CN=Google Internet Authority G2
1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3296 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: 74F80EC832F6806A3E10956F29A90BF423010BFBD8727BC171F9BFE39D3F89E9
Session-ID-ctx:
Master-Key: 01F60D0A6DC7FF255D1C468EF06E5B7875A99E95C7FA8551F664A514B2EC5535EBB6E76E204743BF7D46F683B36E0988
Key-Arg : None
Start Time: 1499657382
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
証明書を別のファイルにコピーして貼り付けて分析しました。
$ cat cert.txt
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----
次に、OpenSSL CLIで証明書を表示します。
$ openssl x509 -in cert.txt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:18:f0:44:a8:f3:18:92
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Validity
Not Before: Jun 28 10:07:46 2017 GMT
Not After : Sep 20 09:27:00 2017 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:91:df:f8:10:02:c2:99:53:36:dc:ca:38:bd:fd:
90:10:a7:ff:b4:83:92:40:e2:3a:37:95:42:ab:be:
9c:99:e3:ea:ae:e0:cd:45:56:fe:21:dd:3b:75:44:
f2:05:bb:59:f0:52:8b:b3:5f:11:45:7d:34:67:ae:
62:0d:c6:14:ae:25:8f:a9:99:00:c7:c8:ac:43:96:
c4:2d:87:54:6b:de:20:74:04:d5:f9:7e:95:ee:f0:
56:d6:a2:06:15:38:5b:6d:4a:24:3e:11:2b:a3:56:
34:5a:f7:d5:35:f9:49:47:40:4a:d9:39:7d:c8:7c:
dc:bd:1d:0a:7c:3a:cc:e3:10:25:bd:3d:c8:81:bc:
82:b6:0d:cd:c4:05:33:4b:04:c9:a0:4c:b6:a5:37:
f8:1f:51:17:5c:50:40:c6:f2:af:f2:6a:dc:62:42:
78:3f:cb:a8:c9:9a:c8:ff:64:e6:e0:f3:3f:eb:f9:
f3:b9:2b:c9:f3:dd:f7:60:16:65:28:1a:0e:7e:b3:
61:f9:00:a0:6f:4e:68:00:0e:3d:f4:a6:0d:cf:91:
77:14:7d:30:64:a3:93:44:6a:0c:0b:4c:c1:17:36:
69:fb:9e:7b:3b:6b:a1:e8:00:e9:04:ae:5b:51:35:
93:7b:7d:4d:0e:5e:c8:20:7d:16:27:f3:06:14:31:
8b:d5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:www.google.com
Authority Information Access:
CA Issuers - URI:http://pki.google.com/GIAG2.crt
OCSP - URI:http://clients1.google.com/ocsp
X509v3 Subject Key Identifier:
88:FF:28:68:F3:5D:98:C9:73:75:B7:82:8D:64:C8:ED:D3:0E:7B:2A
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:4A:DD:06:16:1B:BC:F6:68:B5:76:F5:81:B6:BB:62:1A:BA:5A:81:2F
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.11129.2.5.1
Policy: 2.23.140.1.2.2
X509v3 CRL Distribution Points:
URI:http://pki.google.com/GIAG2.crl
Signature Algorithm: sha256WithRSAEncryption
34:40:58:25:d5:4c:19:d6:f2:46:78:23:a1:9a:ff:53:eb:69:
b7:b9:b8:3a:e6:ec:b9:d6:21:88:3a:37:1b:e0:e0:e9:18:e8:
1e:c8:58:5e:b8:01:65:2a:f3:42:3b:fd:c8:6f:2a:74:b6:49:
d1:75:a8:ee:6f:98:9d:cb:6c:bd:e5:d2:84:5b:72:0d:95:ba:
f7:6b:52:a1:6f:38:1b:c2:a4:d0:4d:d1:57:8a:d9:27:62:3c:
11:2e:10:6a:fa:34:a2:4e:80:72:20:5a:c0:25:87:ff:c2:74:
38:f6:54:94:25:f4:9e:4c:b7:e6:96:89:7c:69:e4:03:b7:cf:
ba:7d:59:ea:92:bd:8d:4f:6a:ed:5f:e2:59:31:8f:c5:f2:ee:
37:e8:6c:ff:35:66:fa:13:da:eb:14:c1:c7:0a:e2:11:51:de:
ed:a6:3f:90:75:1c:45:3a:62:cb:f3:ae:b8:d0:75:93:d1:ef:
ca:98:26:2a:88:82:7d:d0:88:50:b7:13:0b:1f:80:2f:83:21:
c1:fe:b7:15:59:aa:34:d9:77:30:22:1a:24:c7:8b:62:4d:35:
d1:86:b1:dc:22:72:1e:34:6e:dc:ac:5b:ae:f3:c4:30:f6:a2:
f1:60:ee:54:83:8f:bd:93:80:57:46:ed:38:c3:39:36:9a:96:
f8:48:25:20
-----BEGIN CERTIFICATE-----
MIIEgDCCA2igAwIBAgIIARjwRKjzGJIwDQYJKoZIhvcNAQELBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTcwNjI4MTAwNzQ2WhcNMTcwOTIwMDkyNzAw
WjBoMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3
Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR3/gQ
AsKZUzbcyji9/ZAQp/+0g5JA4jo3lUKrvpyZ4+qu4M1FVv4h3Tt1RPIFu1nwUouz
XxFFfTRnrmINxhSuJY+pmQDHyKxDlsQth1Rr3iB0BNX5fpXu8FbWogYVOFttSiQ+
ESujVjRa99U1+UlHQErZOX3IfNy9HQp8OszjECW9PciBvIK2Dc3EBTNLBMmgTLal
N/gfURdcUEDG8q/yatxiQng/y6jJmsj/ZObg8z/r+fO5K8nz3fdgFmUoGg5+s2H5
AKBvTmgADj30pg3PkXcUfTBko5NEagwLTMEXNmn7nns7a6HoAOkErltRNZN7fU0O
XsggfRYn8wYUMYvVAgMBAAGjggFLMIIBRzAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwGQYDVR0RBBIwEIIOd3d3Lmdvb2dsZS5jb20waAYIKwYBBQUHAQEE
XDBaMCsGCCsGAQUFBzAChh9odHRwOi8vcGtpLmdvb2dsZS5jb20vR0lBRzIuY3J0
MCsGCCsGAQUFBzABhh9odHRwOi8vY2xpZW50czEuZ29vZ2xlLmNvbS9vY3NwMB0G
A1UdDgQWBBSI/yho812YyXN1t4KNZMjt0w57KjAMBgNVHRMBAf8EAjAAMB8GA1Ud
IwQYMBaAFErdBhYbvPZotXb1gba7Yhq6WoEvMCEGA1UdIAQaMBgwDAYKKwYBBAHW
eQIFATAIBgZngQwBAgIwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29n
bGUuY29tL0dJQUcyLmNybDANBgkqhkiG9w0BAQsFAAOCAQEANEBYJdVMGdbyRngj
oZr/U+tpt7m4OubsudYhiDo3G+Dg6RjoHshYXrgBZSrzQjv9yG8qdLZJ0XWo7m+Y
nctsveXShFtyDZW692tSoW84G8Kk0E3RV4rZJ2I8ES4Qavo0ok6AciBawCWH/8J0
OPZUlCX0nky35paJfGnkA7fPun1Z6pK9jU9q7V/iWTGPxfLuN+hs/zVm+hPa6xTB
xwriEVHe7aY/kHUcRTpiy/OuuNB1k9HvypgmKoiCfdCIULcTCx+AL4Mhwf63FVmq
NNl3MCIaJMeLYk010Yax3CJyHjRu3KxbrvPEMPai8WDuVIOPvZOAV0btOMM5NpqW
+EglIA==
-----END CERTIFICATE-----
証明書のどこにもgoogle.net
についての記載はありません。
ただし、 https://google.net/ にアクセスすると、クライアントはシームレスに https://www.google.com/ にリダイレクトされます。
$ curl -I https://google.net/
HTTP/1.1 302 Found
Location: https://www.google.com/
Cache-Control: private
Content-Type: text/html; charset=UTF-8
P3P: CP="This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info."
Date: Mon, 10 Jul 2017 03:34:48 GMT
Server: gws
Content-Length: 220
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Set-Cookie: NID=107=c9VFilfj0RLlIxvNfoJm1nETnE1IiUlg5TNL3GEs8oS_KWVWGEEcLIvQTSvtHjbwLSeqRVDpIYrqox24sE2ju7HbrSOqdu-3fNF7xzqHxV4I4YYeNiXjytTkYeKQ9inI; expires=Tue, 09-Jan-2018 03:34:48 GMT; path=/; domain=.google.net; HttpOnly
Alt-Svc: quic=":443"; ma=2592000; v="39,38,37,36,35"
ブラウザでも同じ動作が見られます。
Curlがこのエラーを返すことを期待していました。
curl: (60) SSL certificate problem: Invalid certificate chain
Firefoxがこのエラーを返すことを期待していました。
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Chromeがこのエラーを返すことを期待していました。
NET::ERR_CERT_COMMON_NAME_INVALID
ただし、3つのクライアントはすべて https://google.net/ に接続し、 https://www.google.com/ にリダイレクトされます。証明書の[件名]フィールドの一般名がgoogle.comであるにもかかわらず、接続しているドメインがgoogle.netであるにもかかわらずエラーが発生しないのはなぜですか?
「SNIホール」に陥りました。クライアントのTLSハンドシェイク部分に "Server Name Indication" がない場合、Googleは別の証明書を提示します。 OpenSSLはこれを自動的に設定しません。手動で行う必要があります。しかし、最近のすべてのWebクライアント CURLを含む は、これを自動的に行う必要があります。したがって、違い。
$ echo '' | openssl s_client -connect google.net:443 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com
DNS:www.google.com
-servername
パラメータを使用して手動でSNIを追加します。$ echo '' | openssl s_client -connect google.net:443 -servername google.net 2>/dev/null | openssl x509 -noout -text | grep -Ei 'DNS:|CN='
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.net
DNS:*.google.net, DNS:google.net
別の証明書が返されます。