
Re: [public-dns-discuss] DNS-over-TLS certificate domain name mismatch



The analysis on the website is not correct.

If you download the certificate using openssl and decode it, you can
see the CN and SAN entries for it.

$ openssl s_client -connect 8.8.8.8:853 -servername dns.google -showcerts
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = dns.google
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=dns.google
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
-----BEGIN CERTIFICATE-----
<snip certificate body>
-----END CERTIFICATE-----
<snip rest of the output>

===============================================
Certificate Information
Common Name: dns.google
Subject Alternative Names:
  dns.google
  IP Address:2001:4860:4860:0:0:0:0:64
  IP Address:2001:4860:4860:0:0:0:0:6464
  IP Address:2001:4860:4860:0:0:0:0:8844
  IP Address:2001:4860:4860:0:0:0:0:8888
  IP Address:8.8.4.4
  IP Address:8.8.8.8
  8888.google
Organization: Google LLC
Locality: Mountain View
State: California
Country: US
Valid From: December 19, 2018
Valid To: March 13, 2019
Issuer: Google Internet Authority G3, Google Trust Services
Serial Number: 6710025055179740529 (0x5d1ecc3c87f59571)

On Thu, Jan 10, 2019 at 12:46 AM 'Mike Borsetti' via
public-dns-discuss <public-dns-discuss AT googlegroups.com> wrote:
>
> The certificate served by dns.google for DNS-over-TLS is untrusted as it does not include "dns.google" in its common or alternative names (doh!).
>
> See https://www.ssllabs.com/ssltest/analyze.html?d=dns.google
>
> Instructions to use dns.google for DNS-over-TLS: https://security.googleblog.com/2019/01/google-public-dns-now-supports-dns-over.html
>
> Common names    *.c.docs.google.com
> Alternative names       *.c.docs.google.com *.a1.googlevideo.com *.c.2mdn.net *.c.audiobooks.play.google.com *.c.bigcache.googleapis.com *.c.chat.google.com *.c.doc-0-0-sj.sj.googleusercontent.com *.c.drive.google.com *.c.googlesyndication.com *.c.googlevideo.com *.c.inbox.google.com *.c.lh3-da.googleusercontent.com *.c.lh3-da.photos0.sandbox.google.com *.c.lh3-db.googleusercontent.com *.c.lh3-db.photos1.sandbox.google.com *.c.lh3-dc.googleusercontent.com *.c.lh3-dc.photos2.sandbox.google.com *.c.lh3-dd.googleusercontent.com *.c.lh3-dd.photos3.sandbox.google.com *.c.lh3-de.googleusercontent.com *.c.lh3-de.photos4.sandbox.google.com *.c.lh3-df.googleusercontent.com *.c.lh3-df.photos5.sandbox.google.com *.c.lh3-dg.googleusercontent.com *.c.lh3-dg.photos6.sandbox.google.com *.c.lh3-dz.googleusercontent.com *.c.lh3-dz.photos-autopush.sandbox.google.com *.c.lh3.googleusercontent.com *.c.lh3.photos.google.com *.c.mail.google.com *.c.offline.maps.google.com *.c.pack.google.com *.c.play.google.com *.c.video.google.com *.c.youtube.com *.cache1.c.docs.google.com *.cache1.c.play.google.com *.cache1.c.video.google.com *.cache1.c.youtube.com *.cache2.c.docs.google.com *.cache2.c.play.google.com *.cache2.c.video.google.com *.cache2.c.youtube.com *.cache3.c.docs.google.com *.cache3.c.play.google.com *.cache3.c.video.google.com *.cache3.c.youtube.com *.cache4.c.docs.google.com *.cache4.c.play.google.com *.cache4.c.video.google.com *.cache4.c.youtube.com *.cache5.c.docs.google.com *.cache5.c.play.google.com *.cache5.c.video.google.com *.cache5.c.youtube.com *.cache6.c.docs.google.com *.cache6.c.play.google.com *.cache6.c.video.google.com *.cache6.c.youtube.com *.cache7.c.docs.google.com *.cache7.c.play.google.com *.cache7.c.video.google.com *.cache7.c.youtube.com *.cache8.c.docs.google.com *.cache8.c.play.google.com *.cache8.c.video.google.com *.cache8.c.youtube.com *.dai.googlevideo.com *.googlevideo.com *.googlezip.net *.gvt1.com *.offline-maps.gvt1.com *.snap.gvt1.com 
> *.xn--ngstr-lra8j.com xn--ngstr-lra8j.com
>

-- 
You received this message because you are subscribed to the Google Groups "public-dns-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public-dns-discuss+unsubscribe AT googlegroups.com.
To post to this group, send email to public-dns-discuss AT googlegroups.com.
Visit this group at https://groups.google.com/group/public-dns-discuss.
To view this discussion on the web visit https://groups.google.com/d/msgid/public-dns-discuss/CA%2B9_gVt4yvEwQZso4bAOh%2B%3DaFq9prpKiTa00%3De%2B5dv5B2Hd-HA%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
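The reply above checks the CN and SAN entries by eye. The following is an added example, not code from the thread or from Google, showing the matching step a DNS-over-TLS client performs against those entries: DNS names are matched RFC 6125-style (case-insensitive, wildcard only as the whole leftmost label), IP literals are matched only against IP Address SANs after normalisation, and the subject CN is consulted only when the certificate has no DNS SAN at all. The certificate data is transcribed from the openssl output quoted in the reply into the dict shape Python's ssl.SSLSocket.getpeercert() returns; the dict layout, the function names and the fetch_peer_cert helper are this example's own assumptions, and CDN_CERT reproduces only three of the names from the original poster's list.

```python
"""Added example: SAN/CN matching for a DNS-over-TLS resolver certificate."""
import ipaddress
import socket
import ssl

# Constructed from the SAN list in the reply's decoded certificate output,
# laid out the way ssl.SSLSocket.getpeercert() returns it (assumed shape).
DNS_GOOGLE_CERT = {
    "subject": ((("commonName", "dns.google"),),),
    "subjectAltName": (
        ("DNS", "dns.google"),
        ("IP Address", "2001:4860:4860:0:0:0:0:64"),
        ("IP Address", "2001:4860:4860:0:0:0:0:6464"),
        ("IP Address", "2001:4860:4860:0:0:0:0:8844"),
        ("IP Address", "2001:4860:4860:0:0:0:0:8888"),
        ("IP Address", "8.8.4.4"),
        ("IP Address", "8.8.8.8"),
        ("DNS", "8888.google"),
    ),
}

# Constructed from the certificate the original poster's scan reported;
# only three of the quoted wildcard names are reproduced here.
CDN_CERT = {
    "subject": ((("commonName", "*.c.docs.google.com"),),),
    "subjectAltName": (
        ("DNS", "*.c.docs.google.com"),
        ("DNS", "*.googlevideo.com"),
        ("DNS", "*.gvt1.com"),
    ),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style name match: case-insensitive, same label count, and a
    wildcard is accepted only as the entire leftmost label of a 3+ label name."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if any("*" in lbl for lbl in p_labels[1:]) or ("*" in p_labels[0] and p_labels[0] != "*"):
        return False  # partial or non-leftmost wildcards are rejected outright
    if p_labels[0] == "*":
        # "*.example.com" may not stand in for ".example.com" or "*.com"
        return len(p_labels) >= 3 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def _ip_match(san_ip: str, target_ip) -> bool:
    """Compare an IP Address SAN with a parsed target address; normalisation makes
    2001:4860:4860:0:0:0:0:8888 and 2001:4860:4860::8888 compare equal."""
    try:
        return ipaddress.ip_address(san_ip) == target_ip
    except ValueError:
        return False


def cert_matches(cert: dict, target: str) -> bool:
    """True if `target` (a DNS name or an IP literal) is authorised by `cert`.

    IP literals match only IP Address SANs. DNS names match DNS SANs; the subject
    CN is a legacy fallback used only when the certificate carries no DNS SAN."""
    sans = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        return any(k == "IP Address" and _ip_match(v, target_ip) for k, v in sans)
    dns_sans = [v for k, v in sans if k == "DNS"]
    if dns_sans:
        return any(_dns_match(p, target) for p in dns_sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(p, target) for p in cns)


def fetch_peer_cert(address: str, port: int = 853, sni: str = "dns.google") -> dict:
    """Live check (needs network, not run offline): open a TLS session to a DoT
    resolver and return the verified peer certificate. Python validates the chain
    and `server_hostname` itself; pass the IP literal as `sni` to validate against
    the IP Address SANs instead of the DNS name (no SNI is sent for an IP)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((address, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert_name, cert in (("dns.google cert", DNS_GOOGLE_CERT), ("scan cert", CDN_CERT)):
        for target in ("dns.google", "8.8.8.8", "2001:4860:4860::8888"):
            print(f"{cert_name:15} {target:25} {cert_matches(cert, target)}")
```

The two dicts show why both checks matter for a resolver: the certificate quoted in the reply is valid for the name dns.google (what a client sending SNI checks) and for the literals 8.8.8.8 and 2001:4860:4860::8888 (what a client configured with only the resolver address checks), while the certificate the original poster's scan reported would fail every one of those.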