主页 / server / 问题 / 1162610
Accepted
Sean W.
Asked: 2024-07-16 23:18:59 +0800 CST

为什么证书 CN 与 MX 记录中提供的主机名不匹配?

  • 772

我是 的作者checkdmarc,这是一款用于检查 DMARC 和其他电子邮件安全标准的开源 CLI 工具。其中一项检查涉及测试域MX记录中列出的邮件服务器是否支持 TLS。我发现在许多情况下,域的 MX 记录中列出的主机名与该服务器使用的证书的备用名称值不匹配CN。这会导致与这些主机的 TLS 连接因主机名不匹配而失败。

例如,MX 记录为gmail.com

gmail.com.              1550    IN      MX      20 alt2.gmail-smtp-in.l.google.com.
gmail.com.              1550    IN      MX      40 alt4.gmail-smtp-in.l.google.com.
gmail.com.              1550    IN      MX      10 alt1.gmail-smtp-in.l.google.com.
gmail.com.              1550    IN      MX      5 gmail-smtp-in.l.google.com.
gmail.com.              1550    IN      MX      30 alt3.gmail-smtp-in.l.google.com.

然而,快速检查证书gmail-smtp-in.l.google.com显示,该主机提供的证书的 CN 是mx.google.com。我该如何解释这一点?邮件客户端是否只是忽略了 MX 服务器上的主机名匹配?这似乎很疯狂!

openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services, CN = WR2
verify return:1
depth=0 CN = mx.google.com
verify return:1
---
Certificate chain
 0 s:CN = mx.google.com
   i:C = US, O = Google Trust Services, CN = WR2
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 24 07:37:53 2024 GMT; NotAfter: Sep 16 07:37:52 2024 GMT
 1 s:C = US, O = Google Trust Services, CN = WR2
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 13 09:00:00 2023 GMT; NotAfter: Feb 20 14:00:00 2029 GMT
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGwjCCBaqgAwIBAgIQZZLFVIncLgcKOAT21sXTxzANBgkqhkiG9w0BAQsFADA7
MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMQww
CgYDVQQDEwNXUjIwHhcNMjQwNjI0MDczNzUzWhcNMjQwOTE2MDczNzUyWjAYMRYw
FAYDVQQDEw1teC5nb29nbGUuY29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
EPY8iG+t2yuh+G2C7yURtlapDVtP5VYg0EifYWjDqqP0wUDTG82xOglMV1f5KGEy
B2L1MQVnrBxS7jgN72+tS6OCBK4wggSqMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUE
DDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRiyEisYHpKSLmB
lAKrUL9Fess8uDAfBgNVHSMEGDAWgBTeGx7teRXUPjckwyG77DQ5bUKyMDBYBggr
BgEFBQcBAQRMMEowIQYIKwYBBQUHMAGGFWh0dHA6Ly9vLnBraS5nb29nL3dyMjAl
BggrBgEFBQcwAoYZaHR0cDovL2kucGtpLmdvb2cvd3IyLmNydDCCAoYGA1UdEQSC
An0wggJ5gg1teC5nb29nbGUuY29tgg9zbXRwLmdvb2dsZS5jb22CEmFzcG14Lmwu
Z29vZ2xlLmNvbYIXYWx0MS5hc3BteC5sLmdvb2dsZS5jb22CF2FsdDIuYXNwbXgu
bC5nb29nbGUuY29tghdhbHQzLmFzcG14LmwuZ29vZ2xlLmNvbYIXYWx0NC5hc3Bt
eC5sLmdvb2dsZS5jb22CGmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh9hbHQx
LmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh9hbHQyLmdtYWlsLXNtdHAtaW4u
bC5nb29nbGUuY29tgh9hbHQzLmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tgh9h
bHQ0LmdtYWlsLXNtdHAtaW4ubC5nb29nbGUuY29tghhnbXItc210cC1pbi5sLmdv
b2dsZS5jb22CHWFsdDEuZ21yLXNtdHAtaW4ubC5nb29nbGUuY29tgh1hbHQyLmdt
ci1zbXRwLWluLmwuZ29vZ2xlLmNvbYIdYWx0My5nbXItc210cC1pbi5sLmdvb2ds
ZS5jb22CHWFsdDQuZ21yLXNtdHAtaW4ubC5nb29nbGUuY29tgg1teDEuc210cC5n
b29ngg1teDIuc210cC5nb29ngg1teDMuc210cC5nb29ngg1teDQuc210cC5nb29n
ghVhc3BteDIuZ29vZ2xlbWFpbC5jb22CFWFzcG14My5nb29nbGVtYWlsLmNvbYIV
YXNwbXg0Lmdvb2dsZW1haWwuY29tghVhc3BteDUuZ29vZ2xlbWFpbC5jb22CEWdt
ci1teC5nb29nbGUuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQIBMDYGA1UdHwQvMC0w
K6ApoCeGJWh0dHA6Ly9jLnBraS5nb29nL3dyMi85VVZiTjB3NUU2WS5jcmwwggEC
BgorBgEEAdZ5AgQCBIHzBIHwAO4AdQDuzdBk1dsazsVct520zROiModGfLzs3sNR
SFlGcR+1mwAAAZBJZQCtAAAEAwBGMEQCIEpVY7zgwrSNfBuWwgIeM0tTPxSQ6Swm
9x8o0wspJLNUAiA+16PpwOPDzPyvS1hBoRfFLD+11s2cKbxY3OXAma3wWQB1ANq2
v2s/tbYin5vCu1xr6HCRcWy7UYSFNL2kPTBI1/urAAABkEllANgAAAQDAEYwRAIg
bUppm6ugUYNlSakwgDF9/iV4yLTfd1gL53XsQOtEfewCIFNMdgwPXxIozNmwgEvT
TDbyFlh6OHe6mTmivcTzICK3MA0GCSqGSIb3DQEBCwUAA4IBAQBMvON+VaXWy4yH
ruDpCBvW2EO9sdVvefqPJHgda2yGqyRq1BQmnhLaIQhaJpEsdhrl/spLykOkZo8o
3R4W1dq24zXwNq0Qv1ThuH+WA8wr8tiZwd4yIDSqahsAtJm2K31logFAuDX771LB
MmtOZbkiDk9Ist2pmGRTP0Z7VpJy12aG/hUoeqcN1FmrWCNKG7ycMIVrairGrI4A
8wa5dUpDwezKaP3V3U8o9btRcuRD8doKFTPhzas+d1EZ1mtS/m9nKR1ssGfjtKFX
7zyNb+OoZOES1JpEjke3vc1iwkri+PkG+KuREsvFvb0sK6X6Gq0xE8EF25765UGz
vuIwywDO
-----END CERTIFICATE-----
subject=CN = mx.google.com
issuer=C = US, O = Google Trust Services, CN = WR2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5003 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
ssl

1 个回答

  1. Best Answer

    因为现代客户端验证的是主题备用名称扩展中列出的域名,而不是主题字段。

    如果您查看证书,您将看到您提到的域 MX 名称:

    openssl x509 -noout -text -in google_mx.cer | grep -A1 'Subject Alt'

    返回:

    X509v3 Subject Alternative Name: 
    DNS:mx.google.com, DNS:smtp.google.com, DNS:aspmx.l.google.com, DNS:alt1.aspmx.l.google.com, DNS:alt2.aspmx.l.google.com, DNS:alt3.aspmx.l.google.com, DNS:alt4.aspmx.l.google.com, DNS:gmail-smtp-in.l.google.com, DNS:alt1.
gmail-smtp-in.l.google.com, DNS:alt2.gmail-smtp-in.l.google.com, DNS:alt3.gmail-smtp-in.l.google.com, DNS:alt4.gmail-smtp-in.l.google.com, DNS:gmr-smtp-in.l.google.com, DNS:alt1.gmr-smtp-in.l.google.com, DNS:alt2.gmr-smtp-in.l.google.com, DNS:alt3.gmr-smtp-in.l.google.com, DNS:alt4.gmr-smtp-in.l.google.com, DNS:mx1.smtp.goog, DNS:mx2.smtp.goog, DNS:mx3.smtp.goog, DNS:mx4.smtp.goog, DNS:aspmx2.googlemail.com, DNS:aspmx3.googlemail.com, DNS:aspmx4.googlemail.com, DNS:aspmx5.googlemail.com, DNS:gmr-mx.google.com
    • 14

相关问题