curl-users

Re: curl, google and ssl

From: Jochen Roderburg <Roderburg_at_uni-koeln.de>
Date: Wed, 07 Sep 2011 20:40:56 +0200

Quoting Dan Fandrich <dan_at_coneharvesters.com>:

> On Wed, Sep 07, 2011 at 04:27:44PM +0200, Christoph Ostarek wrote:
>> I've a question about https://google.de and curl+ssl.
>> # curl https://google.de
>> loads without any problems or certificate warnings, but
>> # openssl s_client -connect google.de:443
>> has the following CommonName in its subject:
>> "www.google.com".
>> Why doesn't curl show up any warning about this?
>> ("www.google.com" is not "google.de")
>
> Probably because curl uses the new SNI feature of TLS to specify the correct
> host name (google.de), so the Google server will return a different
> certificate for this virtually-hosted server:

> * Server certificate:
> * subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.de
> * start date: 2011-08-12 04:02:16 GMT
> * expire date: 2012-08-12 04:12:16 GMT
> * subjectAltName: google.de matched
> * issuer: C=US; O=Google Inc; CN=Google Internet Authority
> * SSL certificate verify ok.
>
> Note that the certificate has a different CN in this case.
>
>>>> Dan

Precisely, and you can see the same result with
openssl s_client -servername google.de -connect google.de:443

Regards,
J.Roderburg

Received on 2011-09-07
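
A small offline model of the behaviour discussed in this thread, added here as an illustration and not taken from curl, OpenSSL or either poster: the server picks its certificate from the SNI name, and the client then checks the requested host against subjectAltName, falling back to CN only when no SAN is present. The certificate contents are constructed sample data modelled on the subjects quoted above; the function names and the wildcard rule (leftmost label only, which goes beyond what the thread shows) are assumptions of this example.

```python
# Added illustration. Certificate data is constructed, not real certificates.
DEFAULT_CERT = {"cn": "www.google.com", "san": []}   # served when no SNI is sent
CERTS_BY_SNI = {
    "google.de": {"cn": "*.google.de", "san": ["*.google.de", "google.de"]},
}

def select_certificate(server_name=None):
    """Server side: choose a certificate by SNI name, else the default one."""
    if server_name is None:
        return DEFAULT_CERT
    return CERTS_BY_SNI.get(server_name.lower(), DEFAULT_CERT)

def name_matches(pattern, host):
    """Compare one certificate name with the host, label by label.
    A '*' is accepted only as the whole leftmost label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_host(cert, host):
    """Client side: SAN entries take precedence; CN is used only without SAN.
    Returns the certificate name that matched, or None."""
    names = cert["san"] if cert["san"] else [cert["cn"]]
    for name in names:
        if name_matches(name, host):
            return name
    return None

def connect(host, send_sni):
    """Simulate one handshake; returns (certificate CN, matched name or None)."""
    cert = select_certificate(host if send_sni else None)
    return cert["cn"], verify_host(cert, host)

if __name__ == "__main__":
    # send_sni=False models `openssl s_client -connect google.de:443`,
    # send_sni=True models curl or `openssl s_client -servername google.de`.
    for send_sni in (False, True):
        cn, matched = connect("google.de", send_sni)
        print(f"SNI sent={send_sni}: CN={cn}, matched={matched}")
```
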