ssl certificate for www.cactuscode.org does not match common name

Issue #2137 wontfix
Roland Haas created an issue

Frank's checker at:

https://www.cct.lsu.edu/~knarf/cgi-bin/monitor.cgi

reports a wrong common name in the certificate for www.cactuscode.org which is confirmed by

https://www.sslshopper.com/ssl-checker.html?host=www.cactuscode.org#hostname=www.cactuscode.org

This makes connecting to www.cactuscode.org using SSL impossible (or at least one needs to grant a security exception).

Only minor b/c right now www.cactuscode.org seems to not use SSL anyway (though it should do so at least for the login to Drupal).

Keyword: www.cactuscode.org

Comments (7)

  1. Steven R. Brandt
    • removed comment

    Actually, the problem is worse than that. Cactuscode.org has become einsteintoolkit.org. Let me look into this.

  2. Roland Haas reporter
    • removed comment

    It works for me as well. Yet the monitor script referenced above (https://www.cct.lsu.edu/~knarf/cgi-bin/monitor.cgi) complains. The SSL checker (https://www.sslshopper.com/ssl-checker.html#hostname=https://www.cactuscode.org/) notes that a SHA1 signature is used, which is somewhat unsafe these days.

    The wrong common name might be reported by gnutls-cli (but not openssl) https://outflux.net/blog/archives/2010/03/10/openssl-client-does-not-check-commonname/ which also seems to indicate that openssl is doing the "right thing".

    Note that the version of gnutls-cli on my Linux box (3.5.18) does not produce the warning.

    So it seems we should

    1. close this ticket as "worksforme"
    2. check the cgi script and update the gnutls-cli version it uses
  3. Roland Haas reporter
    • edited description
    • changed status to wontfix

    The SSL certs are ok; Frank's checking script uses a version of gnutls that complains about things that are explicitly allowed and wants things that are explicitly not liked.

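The thread turns on two TLS clients disagreeing about a "wrong common name". As an added example (not code from the issue, the monitor script, gnutls or openssl), the Python below contrasts a check that reads only the subject commonName with one that prefers subjectAltName dNSName entries in the style of RFC 6125. The certificate dictionaries are constructed, use the layout of `ssl.SSLSocket.getpeercert()`, and show one way such a disagreement can arise; they are not the www.cactuscode.org certificate.

```python
# Added example: two hostname checks over certificate names (constructed data).

def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as '*.org'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def dns_names(cert: dict) -> list:
    """dNSName entries from subjectAltName."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def common_names(cert: dict) -> list:
    """commonName values from the subject."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def san_aware_check(cert: dict, host: str) -> bool:
    """Use SAN dNSName entries; fall back to CN only when there are none."""
    names = dns_names(cert) or common_names(cert)
    return any(_name_match(n, host) for n in names)

def cn_only_check(cert: dict, host: str) -> bool:
    """Legacy-style check that ignores subjectAltName entirely."""
    return any(_name_match(n, host) for n in common_names(cert))

def disagreements(cert: dict, hosts: list) -> list:
    """Hosts on which the two checks give different verdicts."""
    return [h for h in hosts if san_aware_check(cert, h) != cn_only_check(cert, h)]

# Constructed certificates (placeholder names, not taken from the issue).
MULTI_NAME = {
    "subject": ((("commonName", "portal.example.org"),),),
    "subjectAltName": (("DNS", "www.example.net"), ("DNS", "example.net")),
}
WILDCARD = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"),),
}
CN_ONLY = {"subject": ((("commonName", "legacy.example.org"),),)}

if __name__ == "__main__":
    print(disagreements(MULTI_NAME, ["www.example.net", "portal.example.org"]))
```

When a monitor and a browser disagree about a certificate, listing the SAN and CN values side by side as above shows which field each tool is reading.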