[Cyberduck-trac] [Cyberduck] #7831: SNI support in the non-App Store version

Cyberduck trac at trac.cyberduck.io
Mon Mar 3 18:50:25 UTC 2014


#7831: SNI support in the non-App Store version
---------------------------+-------------------------
 Reporter:  sergei         |         Owner:  dkocher
     Type:  defect         |        Status:  reopened
 Priority:  normal         |     Milestone:  4.4.4
Component:  webdav         |       Version:  4.4.3
 Severity:  normal         |    Resolution:
 Keywords:                 |  Architecture:  Intel
 Platform:  Mac OS X 10.9  |
---------------------------+-------------------------
Changes (by sergei):

 * status:  closed => reopened
 * resolution:  worksforme =>


Old description:

> This issue is related to the discussion in the Google group
> [https://groups.google.com/forum/#!topic/cyberduck/to2dymHbxOo] thread.
>
> It appears that Cyberduck does pass the server name to the server when it
> establishes an SSL connection.
>
> To reproduce the issue, open the attached bookmark file.
>
> The following openssl command line demonstrates that the server is properly
> configured:
>
> {{{
>     openssl s_client -servername cyberduck.coobserver.com -connect cyberduck.coobserver.com:443
> }}}
>
> Certificate CN name is cyberduck.coobserver.com
>
> If the server name option is omitted, then:
>
> {{{
>     openssl s_client -connect cyberduck.coobserver.com:443
> }}}
>
> then the server sends a certificate with CN=dav.lianajoykids.com
>
> Cyberduck warns that the certificate does not match the server name. This means
> that Cyberduck failed to send the server name in the SSL handshake.
>
> The demo site is empty and configured to resolve just this issue.
>
> Please send me an email at sergeig at me dot com for the password to access the
> website.

New description:

 Update:

 The issue can be reproduced only on Mac OS X. My OS X machine is on the
 current patched Mavericks 10.9.1. The terminal reports:
 java version "1.6.0_65"
 Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
 Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)

 The Windows release of Cyberduck is not affected. I was able to verify it on 2
 separate Windows boxes.

 The certificate is issued by a private CA. However, testing on Windows did
 not result in any warnings that the certificate is not trusted (even on the
 machine that does not trust the private root CA).

 Original Description:

 This issue is related to the discussion in the Google group
 [https://groups.google.com/forum/#!topic/cyberduck/to2dymHbxOo] thread.

 It appears that Cyberduck does pass the server name to the server when it
 establishes an SSL connection.

 To reproduce the issue, open the attached bookmark file.

 The following openssl command line demonstrates that the server is properly
 configured:

 {{{
     openssl s_client -servername cyberduck.coobserver.com -connect cyberduck.coobserver.com:443
 }}}

 Certificate CN name is cyberduck.coobserver.com

 If the server name option is omitted, then:

 {{{
     openssl s_client -connect cyberduck.coobserver.com:443
 }}}

 then the server sends a certificate with CN=dav.lianajoykids.com

 Cyberduck warns that the certificate does not match the server name. This means
 that Cyberduck failed to send the server name in the SSL handshake.

 The demo site is empty and configured to resolve just this issue.

 Please send me an email at sergeig at me dot com for the password to access the
 website.

-- 
Ticket URL: <https://trac.cyberduck.io/ticket/7831#comment:5>
Cyberduck <http://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows