15

"Issued To" and "Domain Name" don't match, but the certificate is still valid and accepted by all major browsers without any warning.

While previewing my blog post in Blogger, I noticed that my blog was previewed via SSL. When I checked the certificate information, I noticed that "Issued To" and "Domain Name" didn't match. Here's a screenshot.

[Screenshot: Blogger SSL Certificate]

The domain name was techronak.blogspot.com but the SSL certificate was issued to *.googleusercontent.com, and the best thing was that my browser (Chromium) didn't issue any kind of SSL warning.

How does this kind of SSL certificate work?

MichelZ

1 Answer

29

Look closely at the certificate:

X509v3 Subject Alternative Name: 
 DNS:*.googleusercontent.com, DNS:*.blogspot.com, DNS:*.bp.blogspot.com,
 DNS:*.commondatastorage.googleapis.com, DNS:*.doubleclickusercontent.com,
 DNS:*.ggpht.com, DNS:*.googledrive.com, DNS:*.googlesyndication.com,
 DNS:*.storage.googleapis.com, DNS:blogspot.com, DNS:bp.blogspot.com,
 DNS:commondatastorage.googleapis.com, DNS:doubleclickusercontent.com,
 DNS:ggpht.com, DNS:googledrive.com, DNS:googleusercontent.com,
 DNS:static.panoramio.com.storage.googleapis.com, DNS:storage.googleapis.com
David Schwartz
  • Do you know why only the first item from the list is shown in the browser? – Burhan Ali Jun 10 '14 at 11:32
  • @BurhanAli Popular browsers don't show the first SAN in this situation, they show the Common Name (CN) field from the certificate. This is a bug on their part, a legacy behavior that is now outdated. Let's hope they start to pick up a correct SAN in the near future. – kubanczyk Apr 02 '15 at 20:54
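
The name check that makes this certificate valid for techronak.blogspot.com, as an added example that is not part of the original answer or comments and is not any browser's code: it matches a hostname against the Subject Alternative Name list from the dump above and ignores the CN ("Issued To") whenever a SAN is present, as RFC 6125 requires. The function names are hypothetical, and honouring a wildcard only as the whole leftmost label is a simplifying assumption.

```python
# SAN dNSName entries copied from the certificate dump in the answer above.
SAN_DNS_NAMES = [
    "*.googleusercontent.com", "*.blogspot.com", "*.bp.blogspot.com",
    "*.commondatastorage.googleapis.com", "*.doubleclickusercontent.com",
    "*.ggpht.com", "*.googledrive.com", "*.googlesyndication.com",
    "*.storage.googleapis.com", "blogspot.com", "bp.blogspot.com",
    "commondatastorage.googleapis.com", "doubleclickusercontent.com",
    "ggpht.com", "googledrive.com", "googleusercontent.com",
    "static.panoramio.com.storage.googleapis.com", "storage.googleapis.com",
]
SUBJECT_CN = "*.googleusercontent.com"  # the "Issued To" value from the question


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname, case-insensitively.

    Assumption: "*" is honoured only as the entire leftmost label, covers
    exactly one label, and needs at least two fixed labels after it.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*" and pattern.count("*") == 1:
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def matching_names(hostname, san_dns_names, subject_cn=None):
    """Return the certificate names that authorise `hostname`.

    If the certificate has any SAN dNSName, only the SAN list is consulted.
    The CN is a legacy fallback for certificates with no SAN at all.
    """
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        candidates = [subject_cn] if subject_cn else []
    return [name for name in candidates if dns_name_matches(name, hostname)]


if __name__ == "__main__":
    for host in ("techronak.blogspot.com", "blogspot.com",
                 "a.b.blogspot.com", "example.org"):
        hits = matching_names(host, SAN_DNS_NAMES, SUBJECT_CN)
        print(f"{host:26} -> {hits or 'NO MATCH'}")
```

The third host shows why the certificate lists both `*.blogspot.com` and `*.bp.blogspot.com`: a wildcard does not span more than one label.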