
The DNS situation is this:

  • example.com. origin A record to 10.9.8.7
  • www.example.com. is a CNAME to fred.example.com
  • fred.example.com A record 10.9.8.7
  • mail.example.com A 10.9.8.7

the certificate has

  • subject: example.com
  • subject alternative names:
    • DNS Name=mail.example.com
    • DNS Name=example.com
    • DNS Name=www.example.com

The client must have some sort of extra site-wide policy which I can't inspect or even ask about, where they make their people's web browsers reject sites they consider insecure. In our case, the people end up being able to access https://www.example.com just fine, but not https://example.com, even though that's the subject of the certificate!

I cannot reproduce this problem anywhere, because there is no real issue. So I am asking here if you know the latest hyper-vigilant site security gizmos which big corporations are deploying that then come to these incorrect suspicions?

The only thing I can think of changing on my side to accommodate this problem is to straighten out my DNS, simplifying it. Perhaps I should have said:

  • example.com. origin A record to 192.0.2.1
  • www.example.com. is a CNAME to example.com

or perhaps I should use no CNAME at all and just make separate A records to the same IP address for all those synonyms?

Would that have prevented the paranoid site security thing from blacklisting one of those addresses, perhaps?

PS: I have run a full SSLlabs.com test, and we get an "A" rating. The only minor warnings are

  • DNS CAA No
  • IE 11 / Win Phone 8.1 R Server sent fatal alert: handshake_failure
  • Safari 6 / iOS 6.0.1 Server sent fatal alert: handshake_failure
  • Safari 7 / iOS 7.1 R Server sent fatal alert: handshake_failure
  • Safari 7 / OS X 10.9 R Server sent fatal alert: handshake_failure
  • Safari 8 / iOS 8.4 R Server sent fatal alert: handshake_failure
  • Safari 8 / OS X 10.10 R Server sent fatal alert: handshake_failure

The few exceptional browser handshake issues are certainly not the issue. Now, DNS CAA might be interesting, but it would affect both example.com and www.example.com.
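To make the certificate-matching part of the question concrete, here is a small hostname matcher written as an added example for this page; it is not code from the question, the commenters, or any browser. It models the rule current browsers apply: the host the user requested must appear as a dNSName entry in the subjectAltName extension, and the subject CN is not consulted at all. The certificate data is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns, built to mirror the certificate described above, so it runs offline.

```python
"""Hostname matching against a certificate's subjectAltName list.

Added example, not part of the original question. Certificate data is a
constructed dict in the shape returned by ssl.SSLSocket.getpeercert().
"""

# Constructed to mirror the certificate described in the question:
# CN=example.com, SANs mail.example.com, example.com, www.example.com.
QUESTION_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "mail.example.com"),
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
    ),
}

# Constructed: a legacy certificate carrying only a CN and no SAN extension.
CN_ONLY_CERT = {
    "subject": ((("commonName", "example.com"),),),
}


def _dns_names(cert):
    """Return the dNSName SAN entries, lower-cased and without a trailing dot."""
    return [
        value.lower().rstrip(".")
        for kind, value in cert.get("subjectAltName", ())
        if kind == "DNS"
    ]


def _label_match(pattern, hostname):
    """Match one dNSName pattern (possibly '*.example.com') against a hostname.

    A wildcard is honoured only as the entire left-most label, the usual
    browser restriction, and it never matches a bare two-label domain.
    """
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    if first == "*":
        return len(rest) >= 2 and rest == h_labels[1:]
    return p_labels == h_labels


def matches_hostname(cert, hostname):
    """True if hostname is covered by a dNSName SAN in cert.

    The subject commonName is deliberately ignored, mirroring current browser
    behaviour: a certificate without a SAN extension matches nothing.
    """
    host = hostname.lower().rstrip(".")
    return any(_label_match(name, host) for name in _dns_names(cert))


def explain(cert, hostname):
    """Human-readable verdict, handy when comparing two hostnames side by side."""
    verdict = "accepted" if matches_hostname(cert, hostname) else "rejected"
    sans = ", ".join(_dns_names(cert)) or "none"
    return f"{hostname}: {verdict} (SANs: {sans})"


if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "mail.example.com", "fred.example.com"):
        print(explain(QUESTION_CERT, host))
    print(explain(CN_ONLY_CERT, "example.com"))
```

Two things the output makes visible: SAN order is irrelevant (www.example.com being the last entry changes nothing), and a client checks the name it was asked for, not the CNAME target, so fred.example.com being absent from the SAN list does not affect a request for https://www.example.com. Under these rules the certificate above covers both example.com and www.example.com equally, which is why a standards-following client accepts both.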

  • No decent browser still looks at the subject of certificates, that's been outdated for quite a while. You've obfuscated information that might be useful with valid public IPs which is a bad idea since there are specific ranges for this (and you could at least have taken private non routable IPs). Given what information we have, it should work, but I'm guessing the issue is not so much on their end as it is on yours. – Ginnungagap Mar 12 '21 at 17:24
  • @Ginnungagap, 123.45.67.89 is a valid address in South Korea and myplace.com is some domain name. None of this impacts on my question. Your "guess" that "the issue on my end" is useless because I asked exactly how I might cause this. Obviously the issue is on their end, but it's not something I can fight. I'm trying to find out from someone who has seen these extra blocker things what triggers them. And finally, "no decent browser still looks at the subject of the certificate" is just crazy. Obviously that is what they are looking at! – Gunther Schadow Mar 12 '21 at 20:14
  • I need to track down the appropriate CABF entry but that was actually recently mentioned again, it's been deprecated for a while and it's been entirely disabled now, the domain has to be in the SAN for it to be checked. – Ginnungagap Mar 12 '21 at 20:21
  • The name is in the SAN, 3 names are in there. www. version is the last. I wonder if that's the issue? Some hyper-vigilant browser addons will only accept one SAN? – Gunther Schadow Mar 12 '21 at 20:30
  • 1
    Any browser add-on that ignores all but a single SAN would break any domain served by cloudflare, I doubt that's it. – Ginnungagap Mar 12 '21 at 20:31
  • 1
    It is utterly ridiculous for the other end to expect _you_ to find and fix the problem on _their_ end. There is no possible way you could do so. This is on them to fix. – Michael Hampton Mar 12 '21 at 22:40
  • @MichaelHampton unfortunately when the client is a big corporation, I'd almost have to sue them in order to get them moving, but try that if you want to do business with them. :( – Gunther Schadow Mar 13 '21 at 02:06

0 Answers