Mailing List Archive

www.openssh.com certificate misconfiguration
Hello,

The site www.openssh.com is misconfigured and sometimes browsers refuse to
connect because of hostname mismatch - the certificate provided by the site
is issued for www.openbsd.org. Could you please fix it?

Many thanks!
--
Dmitry Belyavskiy
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: www.openssh.com certificate misconfiguration
Looking myself, I don’t see a problem as www.openssh.com is perfectly available on http:// and is a listed SAN entry in the https certificate for www.openbsd.org (perhaps one of the load balancers might be problematic, and then the webmasters will need more/better information) -> rather blame the big tech enforcing httpS for all the wrong reasons that sounds nice.

> On 03 Sep 2021, at 16:28 , Dmitry Belyavskiy <dbelyavs@redhat.com> wrote:
>
> Hello,
>
> The site www.openssh.com is misconfigured and sometimes browsers refuse to
> connect because of hostname mismatch - the certificate provided by the site
> is issued for www.openbsd.org. Could you please fix it?
>
> Many thanks!
> --
> Dmitry Belyavskiy
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

Re: www.openssh.com certificate misconfiguration
Sorry, my fault. Everything is fine with openssh.com. I get the problem
with openssh.org, which first reports about the certificate and then, if I
click through, redirects me to openssh.com (with proper certificate).

On Fri, Sep 3, 2021 at 4:50 PM hvjunk <hvjunk@gmail.com> wrote:

> Looking myself, I don’t see a problem as www.openssh.com is perfectly
> available on http:// and is a listed SAN entry in the https certificate
> for www.openbsd.org (perhaps one of the load balancers might be
> problematic, and then the webmasters will need more/better information) ->
> rather blame the big tech enforcing httpS for all the wrong reasons that
> sounds nice.
>
> > On 03 Sep 2021, at 16:28 , Dmitry Belyavskiy <dbelyavs@redhat.com>
> wrote:
> >
> > Hello,
> >
> > The site www.openssh.com is misconfigured and sometimes browsers refuse
> to
> > connect because of hostname mismatch - the certificate provided by the
> site
> > is issued for www.openbsd.org. Could you please fix it?
> >
> > Many thanks!
> > --
> > Dmitry Belyavskiy
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev@mindrot.org
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
>

--
Dmitry Belyavskiy
Re: www.openssh.com certificate misconfiguration
On 2021/09/03 16:28, Dmitry Belyavskiy wrote:
> Hello,
>
> The site www.openssh.com is misconfigured and sometimes browsers refuse to
> connect because of hostname mismatch - the certificate provided by the site
> is issued for www.openbsd.org. Could you please fix it?

https://www.openssh.com/ seems fine to me.

Are you confusing it with www.openssh.org (which is not the correct domain
for the project)??

Re: www.openssh.com certificate misconfiguration
On 03.09.21 16:28, Dmitry Belyavskiy wrote:
> The site www.openssh.com is misconfigured and sometimes browsers refuse to
> connect because of hostname mismatch - the certificate provided by the site
> is issued for www.openbsd.org. Could you please fix it?

There is nothing broken - the server cert lists "www.openssh.com" in the
Subject Alternate Names (SANs), along with a dozen others.

The DN contains "www.openbsd.org" as the CN, but a) there can be only
one *there*, b) the current standards suggest that browsers(!) should
ignore the DN in favor of the SANs altogether, and c) before that, they
were supposed to accept *both* for quite a while.

Regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
Re: www.openssh.com certificate misconfiguration
On Fri, Sep 3, 2021 at 8:18 AM Jochen Bern <Jochen.Bern@binect.de> wrote:

> On 03.09.21 16:28, Dmitry Belyavskiy wrote:
> > The site www.openssh.com is misconfigured and sometimes browsers refuse
> to
> > connect because of hostname mismatch - the certificate provided by the
> site
> > is issued for www.openbsd.org. Could you please fix it?
>
> There is nothing broken - the server cert lists "www.openssh.com" in the
> Subject Alternate Names (SANs), along with a dozen others.
>

There is nothing broken on *www.openssh.com*. There *is* something broken
on www.openssh.org which redirects to www.openssh.com.


Tom.III



>
> The DN contains "www.openbsd.org" as the CN, but a) there can be only
> one *there*, b) the current standards suggest that browsers(!) should
> ignore the DN in favor of the SANs altogether, and c) before that, they
> were supposed to accept *both* for quite a while.
>
> Regards,
> --
> Jochen Bern
> Systemingenieur
>
> Binect GmbH
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
Re: www.openssh.com certificate misconfiguration
> On Sep 3, 2021, at 9:51 AM, Thomas Dwyer III <tomiii@tomiii.com> wrote:
>
> On Fri, Sep 3, 2021 at 8:18 AM Jochen Bern <Jochen.Bern@binect.de> wrote:
>
>> On 03.09.21 16:28, Dmitry Belyavskiy wrote:
>>> The site www.openssh.com is misconfigured and sometimes browsers refuse
>> to
>>> connect because of hostname mismatch - the certificate provided by the
>> site
>>> is issued for www.openbsd.org. Could you please fix it?
>>
>> There is nothing broken - the server cert lists "www.openssh.com" in the
>> Subject Alternate Names (SANs), along with a dozen others.
>>
>
> There is nothing broken on *www.openssh.com*. There *is* something broken
> on www.openssh.org which redirects to www.openssh.com.


Agreed - while there are a bunch of SANs listed, www.openssh.org is not one of them, at least from what I see here:

X509v3 Subject Alternative Name:
DNS:ftp.openbsd.org, DNS:libressl.org, DNS:openbsd.org, DNS:openiked.org, DNS:openssh.com, DNS:rpki-client.org, DNS:www.libressl.org, DNS:www.openbsd.org, DNS:www.openiked.org, DNS:www.openrsync.org, DNS:www.openssh.com, DNS:www.rpki-client.org
--
Ron Frederick
ronf@timeheart.net
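
[Added example, not part of the thread or of any poster's message: a SAN-only hostname check in the style the replies describe, run against the SAN line quoted above. The function names are illustrative, the wildcard handling goes beyond what this certificate needs, and the subject CN is deliberately never consulted.]

```python
import re

# SAN line copied from the "X509v3 Subject Alternative Name" output quoted in the thread.
SAN_TEXT = (
    "DNS:ftp.openbsd.org, DNS:libressl.org, DNS:openbsd.org, DNS:openiked.org, "
    "DNS:openssh.com, DNS:rpki-client.org, DNS:www.libressl.org, DNS:www.openbsd.org, "
    "DNS:www.openiked.org, DNS:www.openrsync.org, DNS:www.openssh.com, "
    "DNS:www.rpki-client.org"
)


def parse_dns_sans(san_text):
    """Return lowercase dNSName entries from openssl-style 'DNS:a, DNS:b' text."""
    return [name.lower().rstrip(".") for name in re.findall(r"DNS:([^,\s]+)", san_text)]


def label_match(pattern, host):
    """Compare one SAN entry with a hostname, label by label.

    A '*' is honoured only as the entire left-most label, covers exactly one
    non-empty label, and is refused for patterns shorter than three labels.
    """
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def host_matches_cert(host, san_text=SAN_TEXT):
    """True if the name the client asked for matches any dNSName SAN."""
    host = host.lower().rstrip(".")
    return any(label_match(pattern, host) for pattern in parse_dns_sans(san_text))


def check(hosts, san_text=SAN_TEXT):
    """Map each requested hostname to its match result."""
    return {host: host_matches_cert(host, san_text) for host in hosts}


if __name__ == "__main__":
    for name, ok in check(["www.openssh.com", "www.openbsd.org", "www.openssh.org"]).items():
        print(f"{name:20} {'match' if ok else 'MISMATCH'}")
```

The check is made against the name the client requested, so a name that resolves to the same server still fails unless it is itself listed as a SAN.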



Re: www.openssh.com certificate misconfiguration
On 03/09/2021 17:51, Thomas Dwyer III wrote:
> There is nothing broken on *www.openssh.com*. There *is* something broken
> on www.openssh.org which redirects to www.openssh.com.

www.openssh.org is a CNAME to www.openssh.com, so it's the same server. 
It's just missing the .org SAN.

Re: www.openssh.com certificate misconfiguration
On 2021/09/03 18:24, Brian Candler wrote:
> On 03/09/2021 17:51, Thomas Dwyer III wrote:
> > There is nothing broken on *www.openssh.com*. There *is* something broken
> > on www.openssh.org which redirects to www.openssh.com.
>
> www.openssh.org is a CNAME to www.openssh.com, so it's the same server.
> It's just missing the .org SAN.

I believe it's still the case that openssh.org is not under the control
of the openssh project and should not be used.
