
RE: [hobbit] SSL cert testing to match common name with host/URL?



> -----Original Message-----
> From: Ralph Mitchell [mailto:ralphmitchell (at) gmail.com]
> Sent: Tuesday, June 15, 2010 4:03 PM
> To: hobbit (at) hswn.dk
> Subject: Re: [hobbit] SSL cert testing to match common name with host/URL?
> 
> I don't recall anyone else mentioning this as a problem. A fairly easy workaround would be to
> roll your own check.  For example, this:
> 
>      curl -v https://mail.google.com
> 
> returns:
> 
>      * Server certificate:
>      *        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=mail.google.com
>      *        start date: 2009-12-18 00:00:00 GMT
>      *        expire date: 2011-12-18 23:59:59 GMT
>      *        common name: mail.google.com (matched)
>      *        issuer: C=ZA; O=Thawte Consulting (Pty) Ltd.; CN=Thawte SGC CA
>      *        SSL certificate verify ok.
>      > GET / HTTP/1.1
> 
> among other things.  It wouldn't be too hard to grep out "common name" from that and go from there.
> If there's anything hinky about the cert, curl will return an error.  If you use the "-k" option,
> it'll ignore the error and give you the page along with info about what was wrong.
> 
> Ralph Mitchell


Yeah, I was resigned to setting up a new test in the short term, at least.

Still, I think it merits being a configurable option for the built-in SSL check. I think a lot more people would be interested in the matching of the common name than, say, encryption bit level, since most user clients will throw a warning if there's a mismatch. =/


Regards,

JC
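The "roll your own check" Ralph describes, worked out as a small POSIX shell function; this is an added example, not code from the thread or from Hobbit. It parses the "common name:" line of `curl -v` output and compares it with the monitored host (including a `*.domain` wildcard CN); the sample output is constructed from the format quoted above so the check runs offline, and a real test would feed it `curl -sv "https://$host" -o /dev/null 2>&1` instead.

```shell
#!/bin/sh
# Added example (not from the thread): parse the CN that curl -v reports
# and decide whether it matches the host a Hobbit custom test is probing.

# Print the CN from curl's "common name:" line, dropping the "(matched)" /
# "(does not match)" note curl appends.
cert_cn() {
    printf '%s\n' "$1" | sed -n 's/^\*[[:space:]]*common name: \([^ ]*\).*/\1/p' | head -n 1
}

# cn_matches_host HOST CURL_OUTPUT
# Returns 0 when the CN matches HOST (case-insensitive, one-label wildcard
# allowed), 1 on mismatch, 2 when no CN line is present (curl failed before
# the handshake finished, or the output format differs).
cn_matches_host() {
    host_lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cn=$(cert_cn "$2")
    [ -n "$cn" ] || return 2
    cn_lc=$(printf '%s' "$cn" | tr 'A-Z' 'a-z')
    case $cn_lc in
        \*.*)
            # *.example.com matches exactly one extra label: strip the
            # first label of the host and compare with the CN's remainder.
            [ "${host_lc#*.}" = "${cn_lc#\*.}" ] ;;
        *)
            [ "$cn_lc" = "$host_lc" ] ;;
    esac
}

# Constructed samples in the layout quoted from curl in the thread.
SAMPLE_OK='* Server certificate:
*        subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=mail.google.com
*        common name: mail.google.com (matched)
*        SSL certificate verify ok.'
SAMPLE_BAD='* Server certificate:
*        subject: C=US; O=Example; CN=www.example.org
*        common name: www.example.org (does not match)'
SAMPLE_WILD='* Server certificate:
*        common name: *.google.com (matched)'

# Stand-alone run: report the way a Hobbit custom test would colour it.
if cn_matches_host mail.google.com "$SAMPLE_OK"; then
    echo "green - certificate CN matches host"
else
    echo "red - certificate CN does not match host"
fi
```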