Message from discussion TLS error Hostname/IP doesn't match certificate's altnames
From: Shawn Parrish <sparr...@nodeping.com>
Date: Thu, 8 Nov 2012 10:28:27 -0700
Local: Thurs, Nov 8 2012 12:28 pm
Subject: Re: [nodejs] TLS error Hostname/IP doesn't match certificate's altnames
We thought that might be the case but the checks work fine in 0.4.12,
are seen as valid by all major browsers as well as curl, like you
said.  Some Thawte certs which I believe are valid are also failing
with this error message.

I'm pretty sure the error is incorrect as the hostname matches.

Any other ideas?

Thanks,
Shawn

On Thu, Nov 8, 2012 at 9:47 AM, Ben Noordhuis <i...@bnoordhuis.nl> wrote:
> On Thu, Nov 8, 2012 at 5:38 PM, Shawn Parrish <sparr...@nodeping.com> wrote:
>> We recently upgraded from 0.4.12 to 0.8.14 (about freaking time, huh?)
>> and our SSL certificate checking is having some troubles with some
>> CAs.
>> We're receiving the following error when we test for 'authorized'.

>> "Hostname/IP doesn't match certificate's altnames"

>> Here's the pertinent code to reproduce.

>> var tls = require('tls');
>> var s = tls.connect(443, 'graph.facebook.com',function(err, response){
>>     if(s.authorized){
>>         console.log('authorized');
>>     }else{
>>         console.log('cert auth error: ', s.authorizationError);
>>     }
>> });

>> We're seeing this with some digicert and some thawte certs so far.
>> Most don't throw the error.

>> Anything change in the CA handling or checkServerIdentity function of
>> 0.8.14 that would make these connections show as unauthorized now?

>> Thanks,
>> Shawn

> I guess it's to be expected. Here is what `openssl s_client
> graph.facebook.com:443` prints:

> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
>  1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
>    i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
>  2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
>    i:/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority

> AFAIK, all of DigiCert's signing authority has been revoked so it's no
> wonder the certificate doesn't validate.

> It *is* rather peculiar that the curl on my system accepts it just
> fine, though.  Maybe my system's certificate store needs updating...

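The thread mixes two separate checks: chain validation (the `verify error:num=20` line from `s_client`) and hostname matching (the "altnames" message from Node). The following diagnostic is an added example, not code from the thread or from the Node project; it re-runs the name check on its own with `tls.checkServerIdentity` and compares the result with the reported error. The `classify` and `demo` helpers and the certificate objects are constructed for illustration, and only the subject CN `*.facebook.com` is taken from the output quoted above.

```javascript
'use strict';
const tls = require('tls');

// A TLS client makes two independent checks on the peer certificate:
//   chain: does it chain to a trusted root? (OpenSSL verify errors)
//   name:  does it identify the requested host? (tls.checkServerIdentity)
// classify() re-runs the name check on its own and compares the outcome with
// the error the socket reported. `cert` has the shape that
// socket.getPeerCertificate() returns.
function classify(hostname, cert, authorizationError) {
  const nameErr = tls.checkServerIdentity(hostname, cert); // undefined on match
  const reported = authorizationError
    ? String(authorizationError.message || authorizationError) : '';
  // Matches the 0.8 message text and the newer ERR_TLS_CERT_ALTNAME_INVALID code.
  const reportedAsName = /altname/i.test(reported);
  return {
    nameMatches: nameErr === undefined,
    chainProblem: reported !== '' && !reportedAsName,
    // Reported as a name failure although the independent name check passes.
    inconsistent: reportedAsName && nameErr === undefined,
  };
}

// Constructed inputs. Only the subject CN comes from the s_client output in
// the thread; the SAN string below is made up for illustration.
const NAME_ERROR = "Hostname/IP doesn't match certificate's altnames";
const cnOnly = { subject: { CN: '*.facebook.com' } };
const sanElsewhere = {
  subject: { CN: '*.facebook.com' },
  subjectaltname: 'DNS:www.example.com',
};

function demo() {
  return {
    cnWildcard: classify('graph.facebook.com', cnOnly, NAME_ERROR),
    sanOverridesCn: classify('graph.facebook.com', sanElsewhere, NAME_ERROR),
    twoLabels: classify('a.b.facebook.com', cnOnly, NAME_ERROR),
    chainOnly: classify('graph.facebook.com', cnOnly, 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Against a live connection, pass `s.getPeerCertificate()` and `s.authorizationError` from the `tls.connect` callback to `classify`. When the certificate carries DNS entries in its subjectAltName, the CN is ignored for matching, which is what the `sanOverridesCn` case shows.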


 