airnandez/tlsping

tlsping does not work with Certificate CN Name

Closed this issue · 4 comments

Hi
We have a broker service running in fault-tolerant mode across two data centers, four physical servers in total, but the broker certificate SAN is the same for all broker nodes, and tlsping does not work, giving the following error. The certificate CN name and SAN are the same (emsmsgu01.xxxx.net) and the host CNAME is uatmw1-ssems01-emsmsgu01.xxxx.net.

tlsping: error connecting to 'uatmw1-ssems01-emsmsgu01.xxxx.net:7223': tls: failed to verify certificate: x509: certificate is valid for emsmsgu01.xxxx.net, not uatmw1-ssems01-emsmsgu01.xxxx.net

The service listens on uatmw1-ssems01-emsmsgu01.jpmchase.net but the certificate CN and SAN are emsmsgu01.xxxx.net:
Connected to fault-tolerant standby server: ssl://uatmw1-ssems01-emsmsgu01.xxxx.net:7223
Type 'help' for commands help, 'exit' to exit:
ssl://uatmw1-ssems01-emsmsgu01.xxxx.net:7223>

varadack

Thanks for this report. What exact command line produces the result you observe?

Your server must have a server certificate with the correct CN in the subject (or in one of its alternative names) so that tlsping can validate it is talking to the right server. If you don't want that validation, you can specify the command line option -insecure.

For instance, the server inbox.google.com presents to its clients a certificate with subject

CN=mail.google.com

and alternative names

mail.google.com, inbox.google.com

tlsping works against that server, with any of its names:

$ tlsping inbox.google.com:443
tlsping: TLS connection to inbox.google.com:443 (172.217.20.197) (10 connections)
tlsping: min/avg/max/stddev = 200.16ms/200.26ms/200.39ms/64.53µs

$ tlsping mail.google.com:443
tlsping: TLS connection to mail.google.com:443 (142.250.75.229) (10 connections)
tlsping: min/avg/max/stddev = 195.15ms/195.53ms/195.68ms/156.98µs

Good Morning. Thanks for your quick response. I would like to get a real representation of latency with a complete round trip where the service is running on many hosts, say host1.domain.com, host2.domain.com, host3.domain.com and host4.domain.com, with certificate common name service.domain.com and subject alternative name also service.domain.com.
In this scenario, when I run tlsping in secure mode,

tlsping: error connecting to 'host#.domain.com': tls: failed to verify certificate: x509: certificate is valid for service.domain.com , not host#.domain.com

But my service validates against the service common name or SAN, not the host name where the service is running.

If you could make the code validate against the common name or SAN of the service I am trying to get latency for, it would be nice.

But your example works, and I don't know why in my case it checks the CN name against the hostname and fails.

I am confused. If your server's certificate has in its subject CN=host.domain.com or in its DNS alternative names service.domain.com you should be able to do any of these commands and they should work:

tlsping host.domain.com:443

or

tlsping service.domain.com:443

as demonstrated in the example above with both inbox.google.com and mail.google.com. If your certificate does not have that information, there is nothing any client (including tlsping) can do to verify it is talking to the right server.

You may want to check the contents of your server certificate, for instance using openssl or certigo.
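As an added example (not tlsping's code and not from this thread), the Go program below reproduces the situation described above with a constructed self-signed certificate whose only name is the shared service name: crypto/tls verifies the presented certificate against the name the client expects (ServerName), not against the address it dialed, so verifying against host1.domain.com fails with the same "certificate is valid for ..., not ..." error, while verifying against service.domain.com succeeds without disabling validation. The names service.domain.com and host1.domain.com and the loopback listener are assumptions for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// serviceCert builds a constructed self-signed certificate whose only DNS
// name is the shared service name, as in the thread (no per-host names).
func serviceCert(serviceName string) (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serviceName},
		DNSNames:     []string{serviceName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// pingVerifying serves the service certificate on a loopback port (standing in for one broker host)
// and dials it once, verifying against expectName, not the dial address; a mismatch yields x509.HostnameError.
func pingVerifying(serviceName, expectName string) (time.Duration, error) {
	cert, roots := serviceCert(serviceName)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() { if c, err := ln.Accept(); err == nil { _ = c.(*tls.Conn).Handshake(); c.Close() } }() // server side of one handshake
	start := time.Now()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: expectName, RootCAs: roots})
	if err != nil {
		return 0, err
	}
	conn.Close()
	return time.Since(start), nil
}
```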

I will assume this issue is now understood.