ssl_domain_invalid logging in to https://idp.news.com.au/ from http://www.heraldsun.com.au/

Article ID: 167719

Products

ProxySG Software - SGOS

Issue/Introduction

1. Access http://www.heraldsun.com.au/
2. Click the Login button at the upper left corner of the page
3. Try logging in with a dummy email account and password; you should see:

SSL Certificate Hostname Mismatch (ssl_domain_invalid)

Your request contacted a host which presented a certificate with a Common Name that did not match the domain requested.
This is typically caused by a Web Site presenting an incorrect or invalid certificate, but could be because of a configuration error.

Findings:
- Browser sends the server_name extension "idp.news.com.au" to SG.
- SG forwards the server_name extension "idp.news.com.au" to server.
- Server returns the certificate for idp.news.com.au to SG.
- Browser refreshes the request to https://idp.news.com.au/idp/AuthnEngine. Note that the client-side connection is persistent but the server-side connection is not.
- SG makes a new server-side connection to the server but does not send the server_name extension.
- Server returns the certificate for contextspace.com to SG.
- SG returns SSL Certificate Hostname Mismatch (ssl_domain_invalid) to browser.
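The sequence above, modelled as an added example (not code from the article or from SGOS): the origin picks a certificate by the server_name extension and falls back to its default certificate when the extension is absent, and the proxy's second server-side connection omits it. The certificate map, the default certificate and the RFC 6125-style wildcard rule are constructed assumptions for the model.

```python
"""Model of the SNI-dependent hostname mismatch described in the findings."""

# Constructed sample: the origin serves two certificates, chosen by the
# server_name (SNI) value; with no SNI it presents its default certificate.
SERVER_CERTS = {
    "idp.news.com.au": ["idp.news.com.au"],
    "contextspace.com": ["*.contextspace.com", "contextspace.com"],
}
DEFAULT_CERT = "contextspace.com"  # assumed default virtual host


def server_hello_cert(sni):
    """SAN list the origin presents for a given server_name (None = extension absent)."""
    key = sni if sni in SERVER_CERTS else DEFAULT_CERT
    return SERVER_CERTS[key]


def san_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive; '*' allowed only as the whole
    leftmost label and it covers exactly one label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[1:] == p[1:]
    return p == h


def validate_hostname(hostname, san_list):
    """True when any SAN entry matches the requested host (the ssl_domain_invalid check)."""
    return any(san_matches(s, hostname) for s in san_list)


def proxy_fetch(requested_host, forward_sni):
    """One server-side connection by the proxy; returns (hostname_ok, presented_sans)."""
    sans = server_hello_cert(requested_host if forward_sni else None)
    return validate_hostname(requested_host, sans), sans


def reproduce():
    """First connection forwards the SNI; the second (new server-side connection
    behind the persistent client-side connection) omits it, as in the findings."""
    first = proxy_fetch("idp.news.com.au", forward_sni=True)
    second = proxy_fetch("idp.news.com.au", forward_sni=False)
    return first, second


if __name__ == "__main__":
    for label, (ok, sans) in zip(("with SNI", "without SNI"), reproduce()):
        print(f"{label}: sans={sans} hostname_ok={ok}")
```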


SSLProxy_Debug.txt:
0343.010 --- End Log [29/Nov/2013:10:08:14 -0000] ---
0335.612 HTTP SW 290731B90 for D2C1CB90 (5C0015C): Cloned version:0x301 client_version:0x301 session_id_len:32 extra_connection:0 session_cache_hit:0
0330.128 HTTP CW D2C1CB90 (1000006): No Keyring selected or found for proxy client certificate. Sending empty client certificate.
0329.686 HTTP CW D2C1CB90 (1000006): Disabling client side renegotiation
0329.686 HTTP CW D2C1CB90 (1000006): Found forged cert with common_name:idp.news.com.au in cert cache

cfssl_Debug.txt:
0335.883 HTTP SW 290731B90 for D2C1CB90 (5C0015C): Cert SAN hostname#1: contextspace.com
0335.883 HTTP SW 290731B90 for D2C1CB90 (5C0015C): Cert SAN hostname#0: *.contextspace.com
0335.754 HTTP SW 290731B90 for D2C1CB90 (5C0015C): trusted chain already present in session 28FE08A60
0335.754 HTTP SW 290731B90 for D2C1CB90 (5C0015C): trusted chain already present in session 28FE08A60
0335.753 HTTP SW 290731B90 for D2C1CB90 (5C0015C): trusted chain already present in session 28FE08A60
0335.753 HTTP SW 290731B90 for D2C1CB90 (5C0015C): depth = 3, error = unable to get certificate CRL
0335.753 HTTP SW 290731B90 for D2C1CB90 (5C0015C): depth = 2, error = unable to get certificate CRL
0335.753 HTTP SW 290731B90 for D2C1CB90 (5C0015C): depth = 1, error = unable to get certificate CRL
0335.753 HTTP SW 290731B90 for D2C1CB90 (5C0015C): depth = 0, error = unable to get certificate CRL
0335.736 HTTP SW 290731B90 for D2C1CB90 (5C0015C): TLS renegotiation extension in server hello
0335.612 HTTP SW 290731B90 for D2C1CB90 (5C0015C): Enter: ssl3_connect
0330.258 HTTP SW 290731B90 for D2C1CB90 (580015C): local revocation check: yes, Certificate is not revoked
0330.258 HTTP SW 290731B90 for D2C1CB90 (580015C): OCSP not configured
0330.258 cfssl.ocsp.proprietor (400194): OCSP Proprietor waiting in CK_receive
0330.258 cfssl.ocsp.proprietor (400194): Recvd OCSP_GET_NUM_RESPONDERS
0330.128 HTTP CW D2C1CB90 (1000006): Enter: ssl3_connect
0329.687 HTTP CW D2C1CB90 (1000006): Enter: ssl3_accept
0329.686 HTTP CW D2C1CB90 (1000006): cert cache lookup succeeded
0329.686 HTTP CW D2C1CB90 (1000006): Cert SAN hostname#0: idp.news.com.au

events.log:
2013-11-29 10:07:41-00:00UTC  "PCAP: Packet capture started"  0 7FFF0002:7D   http.cpp:343
2013-11-29 10:07:41-00:00UTC  "Administrator logout, user 'admin', from 10.10.9.101"  0 250042:96   authconsole.cpp:335
2013-11-29 10:08:06-00:00UTC  "SSL domain validation error: Domain name mismatch:Name in certificate: *.contextspace.com,  name in URL: idp.news.com.au"  0 300000:1   te_transaction.cpp:1579
2013-11-29 10:08:10-00:00UTC  "Administrator login, user 'admin', from 10.10.9.101, read-write access, request='/PCAP/stop'"  0 250046:96   authconsole.cpp:474
2013-11-29 10:08:10-00:00UTC  "PCAP: Packet capture stopped"  0 7FFF0002:7D   http.cpp:368

Resolution

This is currently being investigated as B#195978.

Workaround
<Proxy>
        url.domain=idp.news.com.au http.client.persistence(preserve)