3

When I try to access to this website I've different result depending on the tool I use: CURL and Ruby's Net::HTTP module both returns a SSLError wrong signature type. Although I haven't exhaustively test every mean to access it, I'm wondering what causes this difference. My guess is a different support of TLS, as if some tool was more tolerant when facing old TLS versions.

Some additionnal informations:

  • Local machine : Linux debian 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64 GNU/Linux
  • Local machine OpenSSL version : OpenSSL 1.1.1d 10 Sep 2019
  • Server's encryption: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 256bit keys, TLS 1.
  • Server's most likely SSL/TLS implementation (using tls_prober)
                                 OpenSSL 1.0.1e-48.el6_8.1 RHEL 6:  95.93%
                             OpenSSL 1.0.1e-42.el6_7.4 RHEL 6.7.z:  95.93%
                          OpenSSL 1.0.1e-30.el6_6.12 RHEL 6.6.AUS:  95.93%
                              OpenSSL 1.0.1h default source build:  95.83%
                          OpenSSL 1.0.1e-16.el6_5.16 RHEL 6.5.AUS:  92.88%
                               OpenSSL 1.0.1 default source build:  92.54%
                                   OpenSSL 1.0.1k Debian 8 Apache:  91.67%
                              OpenSSL 1.0.1g default source build:  91.67%
                               OpenSSL 1.0.2 default source build:  90.51%
                              OpenSSL 1.0.1a default source build:  87.50%

Could anyone give me a high level explanation of why some tools gets a 200OK, while others returns a SSLError 'wrong signature type' ?

Sumak
  • 927
  • 7
  • 21

1 Answers1

8

The difference between your common web browser and CURL (and some others) is the usage of SNI (Server Name Indication). To summarize, SNI is an information the client will send in the request to tell the server which domain he is reaching, it allow you to configure multiple website on the same IP address, but also different certificates.

From SSLLab test on your website, the certificate for your domain (given when using SNI) is good, but the default one (when SNI is not provided) is invalid. This is why you have an error only on specific software.

So you need to fix the default certificate, by using a valid one for the default website (if this server is hosting multiple website), or the same (if you have only this website on this server).

redheness
  • 346
  • 1
  • 8
  • 2
    Good stuff. But where to do it? Is there a config file or config option on menus that people need to use to do this? (I know each software might be different, how about what to do for CURL, please? ) Thanks and good luck to all. – shellter Jul 25 '20 at 16:51
  • 1
    For the usage of SNI whith CURL, the question is already answered on another [SO topic](https://stackoverflow.com/questions/12941703/use-curl-with-sni-server-name-indication). For the server side (fixing the default certificate), it depend of the software you are using the the web server, on apache2 side, watch for virtualhosts configuration. – redheness Jul 25 '20 at 17:06
  • Thanks for your answer, I wasn't expecting such a great introduction to SNI. If I get it right (what I doubt), if there's multiple websites running on this IP, the admin would have to prioritize one website by setting its certificate as the default one, in case the client doesn't support SNI ? I guess I'll have a better understanding once I'll find how to capture & compare TLS handshake with curl, wget and Ruby. Thanks again ! – Sumak Jul 25 '20 at 18:18