[Swan] Intermittent download.libreswan.org certificate hostname mismatch
Daniel McCarney
daniel at binaryparadox.net
Sat Apr 22 17:35:09 UTC 2017
Hi there,
I've noticed that approximately 50% of requests to
`https://download.libreswan.org` that do not send a TLS Server Name
Indication (SNI) value will fail with a hostname mismatch error. My
extremely robust & scientific process (lol) involved 20 requests with
`openssl s_client` with the results here:
https://gist.github.com/cpu/d4a825bee985ae9abf9bd00a0dc9a4ab
The requests that succeed are given a server certificate[1] with the
serial number "03:be:3e:68:1a:be:14:82:56:92:d8:ed:66:d8:bf:b0:19:24"
and the SAN entries:
DNS:download.libreswan.org
DNS:fi.libreswan.org
DNS:ip.libreswan.org
DNS:ip4.libreswan.org
DNS:ip6.libreswan.org
DNS:nl.libreswan.net
The requests that fail are given a server certificate[2] with the serial
number "03:63:29:78:be:8e:da:16:a2:c2:93:8e:f9:9b:48:0b:31:95" and the
SAN entries:
DNS:bugs.libreswan.org
DNS:libreswan.ca
DNS:libreswan.com
DNS:libreswan.fi
DNS:libreswan.net
DNS:libreswan.org
DNS:lists.libreswan.org
DNS:stats.libreswan.org
DNS:supo.libreswan.fi
DNS:supo.libreswan.org
DNS:www.libreswan.ca
DNS:www.libreswan.com
DNS:www.libreswan.fi
DNS:www.libreswan.net
DNS:www.libreswan.org
Notably, this does *not* include DNS:download.libreswan.org, which is what
causes requests that get this certificate to fail with a hostname
mismatch.
If you specifically send "download.libreswan.org" as the SNI value then
10/10 requests will succeed because they get the certificate with serial
ending in :24.
Is there perhaps a load balancer that needs to have its configuration
updated?
Is there a better place to report this bug?
Thanks!
- Daniel / cpu
[1]: https://crt.sh/?id=114815603
[2]: https://crt.sh/?id=114502221
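A diagnostic in the spirit of the `openssl s_client` probe above, added here as an example (it is not part of Daniel's post or of the libreswan project): it repeats the handshake with and without SNI, pulls the DNS SANs out of whichever certificate the server hands back, and applies an RFC 6125-style hostname match itself instead of letting the TLS library abort. The hostname and the two constructed sample certificates are assumptions; the `__main__` probe needs network access, while `san_matches()` and `summarize()` run offline.

```python
import socket
import ssl

# Constructed sample mirroring the two certificates described in the post
# (serials abbreviated to their last byte; SAN lists shortened). Assumption.
CERT_24 = ("...:24", ["download.libreswan.org", "fi.libreswan.org", "nl.libreswan.net"])
CERT_95 = ("...:95", ["libreswan.org", "www.libreswan.org", "lists.libreswan.org"])

def san_matches(hostname, san_names):
    """RFC 6125-style DNS-ID match: exact, or a wildcard confined to the leftmost label."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]                          # ".libreswan.org"
            if host.endswith(suffix):
                rest = host[: -len(suffix)]            # the part '*' would cover
                if rest and "." not in rest:           # exactly one label, never empty
                    return True
    return False

def fetch_cert(host, port=443, sni=None):
    """One TLS handshake; sni=None leaves the SNI extension out entirely."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # chain is still verified; hostname matching is done by us
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cert["serialNumber"], sans

def summarize(hostname, observations):
    """Tally repeated (serial, sans) observations into a mismatch count per serial."""
    observations = list(observations)
    per_serial = {}
    for serial, sans in observations:
        entry = per_serial.setdefault(serial, {"count": 0, "ok": san_matches(hostname, sans)})
        entry["count"] += 1
    mismatches = sum(e["count"] for e in per_serial.values() if not e["ok"])
    return {"total": len(observations), "mismatch": mismatches, "per_serial": per_serial}

if __name__ == "__main__":
    host = "download.libreswan.org"   # assumed target, as in the post
    for sni in (None, host):
        observed = [fetch_cert(host, sni=sni) for _ in range(10)]
        print("SNI =", sni, summarize(host, observed))
```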