Marsh Ray wrote:
>
> On 09/22/2010 01:31 PM, ArkanoiD wrote:
> > BTW, slightly offtopic here: whenever i connect to gmail.com,
> > i get certificate for mail.google.com.
> > But i've yet to see any web browser to complain! Where is the magic?
>
> Seems totally relevant to me.
>
> Going to https://gmail.com/ I get some kind of redirection to
> https://www.google.com/accounts/ServiceLogin...

When I check https://gmail.com/ with my own command line tool (which
doesn't send TLS extension SNI) I get back a cert with only a CN-ID for
mail.google.com and no DNS-IDs, along with a certificate mismatch error
from my tool.

When I trace a FF connect to https://gmail.com/ I see that FF sends
TLS extension SNI and the server returns a server certificate with
a CN-ID for gmail.com (again no DNS-IDs).

>
> ma...@lamb:/tmp$ openssl s_client -connect gmail.com:443
> ...
> subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=mail.google.com
> issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA

Maybe the openssl s_client (at least the one that you are using or in
the fashion that you are using it) does not send TLS extension SNI?

I'm confused about the IE8 vs. IE9 behaviour that you report -- could it
be that your IE8 is running on a platform that does not implement
TLS extensions (XP, 2003) or has the TLSv1.x protocols disabled for
some reason?

-Martin
