
I'm looping through a list of domains to see if a) there is a 443 listener and b) collect the ssl cert expiry, signature algorithm, and common name. All of the domains that have a 443 listener report the correct ssl cert (matching up to what Chrome reports), however, there is one domain that does not report correctly - myproair.com, which reports a certificate for parkinsonsed.com - any ideas?

  # ssl cert lookup
  # (no SNI hostname is set on the socket, so a shared host may answer with
  # the certificate of its default site)
  require 'socket'
  require 'openssl'
  require 'timeout'
  require 'date'

  begin
    Timeout.timeout(1) do
      tcp_client = TCPSocket.new(instance["domain"], 443)
      ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client)
      ssl_client.connect
      # peer_cert already returns an OpenSSL::X509::Certificate
      cert = ssl_client.peer_cert
      ssl_client.sysclose
      tcp_client.close
      #http://ruby-doc.org/stdlib-2.0/libdoc/openssl/rdoc/OpenSSL/X509/Certificate.html
      date = Date.parse(cert.not_after.to_s)
      cn = cert.subject.to_a.select { |name, _, _| name == 'CN' }.first[1]
      row.push("#{date.strftime('%F')} #{cert.signature_algorithm} #{cn}".downcase.ljust(57))
    end
  rescue SocketError
    row.push("down".ljust(57))
  rescue Errno::ECONNREFUSED
    row.push("connection refused".ljust(57))
  rescue Errno::ECONNRESET
    row.push("connection reset".ljust(57))
  rescue Timeout::Error
    row.push("no 443 listener".ljust(57))
  rescue Exception => ex
    row.push("error: #{ex.class}".ljust(57))
  end

Update: Here are the versions I'm working with:

$ ruby --version
ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin14]

$ openssl version
OpenSSL 0.9.8zc 15 Oct 2014

I verified the SNI extension is being sent in the ClientHello using OpenSSL's s_client with -connect, -tls1 and -servername options.

jww
Seth Reeser
  • OpenSSL 0.9.8 only supports TLS 1.0 (and not 1.1 or 1.2). You should build OpenSSL yourself, and install it in `/usr/local` or `/usr/local/ssl` and use it whenever possible. For example, you would run `/usr/local/ssl/bin/openssl s_client ...` from the command line. See [Compilation and Installation](http://wiki.openssl.org/index.php/Compilation_and_Installation) on the OpenSSL wiki. I wrote the Mac OS X instructions, so I know they work. – jww May 14 '15 at 17:19
  • Related: [Ruby OpenSSL::SSL::SSLContext SNI servername_cb Not Working](http://stackoverflow.com/q/30238304). – jww May 14 '15 at 19:26

2 Answers


however, there is one domain that does not report correctly - myproair.com, which reports a certificate for parkinsonsed.com - any ideas?

It looks like shared hosting combined with SSL is the culprit. Apparently, parkinsonsed.com is the default site for the server.

You should use SNI to overcome the limitations. SNI is available in TLS 1.0 and above. Also see Server Name Indication support in Net::HTTP?


myproair.com, with SSLv3 and no SNI:

$ openssl s_client -ssl3 -connect myproair.com:443 | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name: 
    DNS:parkinsonsed.com, DNS:www.parkinsonsed.com, DNS:test.parkinsonsed.com, DNS:dev.parkinsonsed.com

myproair.com, with TLS 1.0 and SNI:

$ openssl s_client -tls1 -connect myproair.com:443 -servername myproair.com | openssl x509 -text -noout | grep -A 1 -i name
...
X509v3 Subject Alternative Name: 
    DNS:myproair.com, DNS:www.myproair.com, DNS:dev.myproair.com, DNS:test.myproair.com
jww
  • Thanks for the insight, @jww. I appended OpenSSL::SSL::SSLSocket#hostname="#{instance["domain"]}".new(tcp_client) and I'm getting a NoMethodError. I have OpenSSL 0.9.8zc 15 Oct 2014 and ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin14] – Seth Reeser May 14 '15 at 16:01
  • I verified that I get the proper SNI response from your command example with TLS 1.0 and SNI. Now I'm just trying to figure out how to set the proper options in the above Ruby example. – Seth Reeser May 14 '15 at 17:32
  • Thank you for your feedback, I've closed and opened a new question here http://stackoverflow.com/questions/30244745/ruby-opensslsslsslcontext-sni-servername-cb-not-working – Seth Reeser May 14 '15 at 18:34
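As an added example (not code from the question, the answer or the comments), here is the question's lookup rewritten to send the SNI hostname, plus an offline check that flags the symptom the question describes: a certificate that was issued for some other site than the one asked for. `constructed_default_site_cert` builds a self-signed stand-in for the parkinsonsed.com certificate shown in the answer so the check can run without network access; `SSLSocket#hostname=` assumes an OpenSSL build with TLS extension (SNI) support.

```ruby
require 'socket'
require 'openssl'
require 'timeout'
# Fetch the leaf certificate a server presents for +domain+, sending the SNI
# extension so a shared host can pick the matching vhost, not its default site.
def fetch_cert_with_sni(domain, port = 443, wait = 5)
  Timeout.timeout(wait) do
    tcp = TCPSocket.new(domain, port)
    ssl = OpenSSL::SSL::SSLSocket.new(tcp, OpenSSL::SSL::SSLContext.new)
    ssl.hostname = domain   # the SNI extension the question's code never sets
    ssl.sync_close = true   # closing the SSL socket also closes the TCP socket
    ssl.connect
    cert = ssl.peer_cert
    ssl.close
    cert
  end
end
# Summarise a certificate like the question's row does, and additionally report
# whether it was issued for the host we asked for (false = wrong certificate).
def summarize(cert, domain)
  cn_entry = cert.subject.to_a.find { |name, _, _| name == 'CN' }
  {
    expires:      cert.not_after.strftime('%F'),
    sigalg:       cert.signature_algorithm,
    cn:           cn_entry && cn_entry[1],
    matches_host: OpenSSL::SSL.verify_certificate_identity(cert, domain)
  }
end
# Constructed self-signed certificate standing in for the default site's
# certificate from the answer (SAN = parkinsonsed.com). Not a real certificate.
def constructed_default_site_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=parkinsonsed.com')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName',
                     'DNS:parkinsonsed.com,DNS:www.parkinsonsed.com'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end
```

Running `summarize(fetch_cert_with_sni('myproair.com'), 'myproair.com')` against a live host gives the per-domain row; `summarize(constructed_default_site_cert, 'myproair.com')` reproduces the mismatch offline with `matches_host: false`.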

If an (Apache) web server hosts multiple sites and one of those sites is trying to use a faulty SSL certificate (i.e. there is a problem with either the DNS or the certificate itself), the web server will default to the first site hosted on it in alphabetical order. This site usually starts with the letter A or a number.

SamTzu