SCT TLS extensions with 2 certificates

Pier Carlo Chiodi
January 09, 2017 02:10PM
I'm having an issue while trying to serve SCT TLS extensions in a
two-certificate scenario.

I'm using HA-Proxy version 1.7.1 with static OpenSSL 1.1.0c.

Certificates:

file www.domain.tld.pem
- Subject: CN=domain.tld
- Subject Alternative Name: DNS:domain.tld, DNS:www.domain.tld

file xxx.domain.tld.pem
- Subject: CN=xxx.domain.tld
- Subject Alternative Name: DNS:xxx.domain.tld

For each .pem file the respective .sctl file also exists
(www.domain.tld.pem.sctl, xxx.domain.tld.pem.sctl).

When connecting, I receive the SCT TLS extension only for the first
hostname listed in the "bind ... crt" config statement, regardless of
what it is.

So...

bind a.b.c.d:443 crt ./www.domain.tld.pem crt ./xxx.domain.tld.pem

$ openssl s_client -serverinfo 18 -connect a.b.c.d:443 -servername www.domain.tld
$ openssl s_client -serverinfo 18 -connect a.b.c.d:443 -servername xxx.domain.tld

.... gives me the TLS extension only for www.domain.tld.

If I flip the two "crt" files...

bind a.b.c.d:443 crt ./xxx.domain.tld.pem crt ./www.domain.tld.pem

$ openssl s_client -serverinfo 18 -connect a.b.c.d:443 -servername www.domain.tld
$ openssl s_client -serverinfo 18 -connect a.b.c.d:443 -servername xxx.domain.tld

.... I get the SCT TLS extension for xxx.domain.tld but not for
www.domain.tld.

What am I doing wrong?

Thanks,

--
Pier Carlo Chiodi
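The check run above with `openssl s_client -serverinfo 18`, written out as a standalone probe. This is an added example, not code from the original post, HAProxy or OpenSSL: it sends a TLS 1.2 ClientHello carrying an SNI name and an empty signed_certificate_timestamp extension (type 18, RFC 6962; a server only returns SCTs when the client offers that extension, which is exactly what `-serverinfo 18` does), then reports whether the ServerHello carries extension 18 back. The cipher list, the `probe` helper and the `bytes(32)` client random used for deterministic tests are assumptions for illustration; run it once per SNI name behind the same IP and compare the results.

```python
"""Probe whether a TLS server sends the signed_certificate_timestamp
extension (type 18) for a given SNI name.  Added example; not HAProxy or
OpenSSL code."""
import os
import socket
import struct

EXT_SERVER_NAME = 0
EXT_SUPPORTED_GROUPS = 10
EXT_EC_POINT_FORMATS = 11
EXT_SIGNATURE_ALGORITHMS = 13
EXT_SIGNED_CERTIFICATE_TIMESTAMP = 18   # RFC 6962 section 3.3.1, "-serverinfo 18"

HANDSHAKE_CLIENT_HELLO = 1
HANDSHAKE_SERVER_HELLO = 2
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15


def _ext(ext_type, body):
    """One TLS extension: 2-byte type, 2-byte length, body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(servername, client_random=None):
    """TLS 1.2 ClientHello record with SNI and an *empty* SCT extension.
    The server will only answer with SCTs if the client asked for them."""
    name = servername.encode("idna")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name   # host_name entry
    sigalgs = bytes([4, 1, 4, 3, 5, 1, 5, 3, 6, 1, 6, 3])   # sha256/384/512 x rsa/ecdsa
    groups = struct.pack("!HHH", 29, 23, 24)                  # x25519, secp256r1, secp384r1
    extensions = (
        _ext(EXT_SERVER_NAME, sni)
        + _ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", len(groups)) + groups)
        + _ext(EXT_EC_POINT_FORMATS, b"\x01\x00")
        + _ext(EXT_SIGNATURE_ALGORITHMS, struct.pack("!H", len(sigalgs)) + sigalgs)
        + _ext(EXT_SIGNED_CERTIFICATE_TIMESTAMP, b"")        # kept last on purpose
    )
    suites = struct.pack("!HHHH", 0xC02F, 0xC02B, 0x009C, 0x002F)  # assumed cipher list
    if client_random is None:
        client_random = os.urandom(32)
    body = (
        b"\x03\x03"                                  # TLS 1.2
        + client_random
        + b"\x00"                                    # empty session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, 0x0301, len(handshake)) + handshake


def _parse_extensions(buf):
    """Decode a length-prefixed TLS extension block into {type: body}."""
    (total,) = struct.unpack("!H", buf[:2])
    buf, exts, pos = buf[2:2 + total], {}, 0
    while pos < len(buf):
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        exts[ext_type] = buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return exts


def parse_server_hello(handshake):
    """Parse a ServerHello handshake message (4-byte header included)."""
    if handshake[0] != HANDSHAKE_SERVER_HELLO:
        raise ValueError("expected ServerHello, got handshake type %d" % handshake[0])
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                   # version, random
    pos += 1 + body[pos]                           # session id
    (suite,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 3                                       # cipher suite + compression method
    exts = _parse_extensions(body[pos:]) if pos < len(body) else {}
    return {"cipher_suite": suite, "extensions": exts}


def sct_from_server_hello(handshake):
    """The SCT list the server sent, or None if extension 18 is absent."""
    return parse_server_hello(handshake)["extensions"].get(EXT_SIGNED_CERTIFICATE_TIMESTAMP)


def _read_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed before ServerHello")
        data += chunk
    return data


def probe(host, port, servername, timeout=5.0):
    """Connect, send the ClientHello for `servername`, return the SCT body or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(servername))
        handshake = b""
        while True:
            rtype, _ver, rlen = struct.unpack("!BHH", _read_exact(sock, 5))
            payload = _read_exact(sock, rlen)
            if rtype == RECORD_ALERT:
                raise ConnectionError("TLS alert level=%d desc=%d" % (payload[0], payload[1]))
            if rtype != RECORD_HANDSHAKE:
                raise ValueError("unexpected record type %d" % rtype)
            handshake += payload                   # ServerHello may span records
            if len(handshake) >= 4 and len(handshake) >= 4 + int.from_bytes(handshake[1:4], "big"):
                return sct_from_server_hello(handshake)


if __name__ == "__main__":
    import sys
    host, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]   # e.g. a.b.c.d 443 xxx.domain.tld
    sct = probe(host, port, name)
    verdict = "no SCT extension" if sct is None else "SCT extension present (%d bytes)" % len(sct)
    print("%s: %s" % (name, verdict))
```

Run it as `python3 sctprobe.py a.b.c.d 443 www.domain.tld` and again with `xxx.domain.tld`; a server that only ever returns the extension for whichever certificate is listed first will show the same asymmetry the post describes. The probe stops at the ServerHello, so it never validates the certificate or completes the handshake, which is all that is needed to observe extension 18.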
Janusz Dziemidowicz
Re: SCT TLS extensions with 2 certificates
January 09, 2017 02:30PM
2017-01-09 14:01 GMT+01:00 Pier Carlo Chiodi <[email protected]>:
> I'm having an issue while trying to serve SCT TLS extensions in a
> two-certificate scenario.

This might be a problem with OpenSSL 1.1.0 and SNI. There is a very
similar issue reported for nginx CT module
https://github.com/grahamedgecombe/nginx-ct/issues/13
And OpenSSL bug report: https://github.com/openssl/openssl/issues/2180

--
Janusz Dziemidowicz