On Sun, 2012-02-19 at 09:04 -0500, Eric Covener wrote:
> You should be able to confirm in a packet capture or by logging
> %{SSL_TLS_SNI}e.

(after the first ";" you see the SNI host)

02/19/12 17:57:35> 129.187.131.227:443 188.174.212.187; lcg-lrz-monitoring.grid.lrz.de /C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer SUCCESS 3 "/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton Mitterer" "/C=DE/O=GermanGrid/CN=GridKa-CA" 3EC4; "GET /icinga/classic/images/interface/menu_less.gif HTTP/1.1" 200 200; 506 410 447; "lcg-lrz-monitoring.grid.lrz.de" "https://lcg-lrz-monitoring.grid.lrz.de/icinga/classic/menu.html" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"
02/19/12 17:59:05> 129.187.131.227:443 188.174.212.187; - - NONE - "-" "-" -; "GET /cgi-bin/icinga/tac.cgi?tac_header HTTP/1.1" 403 403; 1174 3580 211; "lcg-lrz-monitoring.grid.lrz.de" "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"
02/19/12 17:59:05> 129.187.131.227:443 188.174.212.187; - - NONE - "-" "-" -; "GET /cgi-bin/icinga/tac.cgi HTTP/1.1" 403 403; 1158 3580 161; "lcg-lrz-monitoring.grid.lrz.de" "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2 Iceweasel/10.0.2"

so it actually seems as if the browser would "forget" sending the SNI host name,... and moreover, the client auth, too?
I thought that this would then really lead to a SSL error and not to a 403.

So what do you suggest,... reporting this against Firefox and Chrome?

Chris.
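The comparison made by eye in the message above, written as a script: it reads lines in the log layout pasted there and reports requests whose SNI field (first field after the first ";") is "-" or differs from the Host header. This is an added example, not code from the thread or from Apache; the field positions are inferred from the pasted lines, the function names are hypothetical, and the sample lines are constructed.

```python
import re

# Constructed sample lines in the field layout shown in the message
# (hosts, addresses and DNs are placeholders, not values from the thread).
SAMPLE_LOG = [
    '02/19/12 17:57:35> 192.0.2.10:443 198.51.100.7; www.example.org /CN=Test User SUCCESS 3 '
    '"/CN=Test User" "/CN=Test CA" 3EC4; "GET /menu.gif HTTP/1.1" 200 200; 506 410 447; '
    '"www.example.org" "https://www.example.org/" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2)"',
    '02/19/12 17:59:05> 192.0.2.10:443 198.51.100.7; - - NONE - "-" "-" -; "GET /tac.cgi HTTP/1.1" '
    '403 403; 1174 3580 211; "www.example.org" "-" "Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2)"',
    '02/19/12 18:01:12> 192.0.2.10:443 198.51.100.7; other.example.org - NONE - "-" "-" -; '
    '"GET / HTTP/1.1" 200 200; 300 900 120; "www.example.org:443" "-" "curl/7.24.0"',
]
VERIFY_RE = re.compile(r"\s(NONE|SUCCESS|GENEROUS|FAILED\S*)\s")  # SSL_CLIENT_VERIFY values


def parse_line(line):
    """Extract time, SNI, verify result, status and Host from one log line."""
    # The User-Agent contains ';' itself, so only the first four are separators.
    parts = line.split(";", 4)
    if len(parts) != 5:
        return None
    ssl_fields = parts[1].split()
    verify = VERIFY_RE.search(parts[1] + " ")
    request = re.search(r'"[^"]*"\s+(\d{3})', parts[2])
    host = re.search(r'"([^"]*)"', parts[4])
    if not ssl_fields or not request or not host:
        return None
    return {
        "time": parts[0].split(">", 1)[0],
        "sni": ssl_fields[0].lower(),  # first field after the first ';'
        "verify": verify.group(1) if verify else "-",
        "status": int(request.group(1)),
        "host": host.group(1).split(":")[0].lower(),  # drop an optional :port
    }


def find_sni_mismatches(lines):
    """Return (time, reason, verify, status) for requests whose SNI is absent or differs."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        if rec["host"] in ("", "-"):
            continue
        if rec["sni"] == "-":
            findings.append((rec["time"], "no SNI", rec["verify"], rec["status"]))
        elif rec["sni"] != rec["host"]:
            findings.append((rec["time"], "SNI differs from Host", rec["verify"], rec["status"]))
    return findings
```

Grouping the findings by client address and timestamp shows whether the SNI-less requests arrive on new connections or on the one that had already authenticated.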