Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: DEBUG: print Subject Alternative Name #31

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Red54
Copy link
Contributor

@Red54 Red54 commented Sep 13, 2024

Before:

$ kdig +short +tls dns.google @223.5.5.5 -d
;; DEBUG: Querying for owner(dns.google.), class(1), type(1), server(223.5.5.5), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=CN,ST=浙江省,L=杭州市,O=阿里巴巴(中国)网络技术有限公司,CN=*.alidns.com
;; DEBUG:      SHA-256 PIN: pa14rFR/bBJ25OSjCswaXu6YKWgQ2BDY5jhRRicqeik=
;; DEBUG:  #2, C=BE,O=GlobalSign nv-sa,CN=GlobalSign ECC OV SSL CA 2018
;; DEBUG:      SHA-256 PIN: KJpedoXG+Rd6IJnYeOJjxUjlaDEDI8K1vCBBgzeJkC4=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
8.8.4.4
8.8.8.8

After:

$ kdig +short +tls dns.google @223.5.5.5 -d
;; DEBUG: Querying for owner(dns.google.), class(1), type(1), server(223.5.5.5), port(853), protocol(TCP)
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=CN,ST=浙江省,L=杭州市,O=阿里巴巴(中国)网络技术有限公司,CN=*.alidns.com
;; DEBUG:      Subject Alternative Name (not critical):
			DNSname: *.alidns.com
			IPAddress: 223.5.5.5
			IPAddress: 223.6.6.6
			IPAddress: 120.55.203.44
			IPAddress: 47.103.166.57
			IPAddress: 47.108.0.63
			IPAddress: 39.103.26.204
			IPAddress: 139.129.137.137
			IPAddress: 47.122.8.11
			IPAddress: 123.184.198.22
			IPAddress: 113.142.83.132
			IPAddress: 113.240.88.172
			IPAddress: 123.151.107.5
			IPAddress: 182.40.70.12
			IPAddress: 8.129.152.230
			IPAddress: 1.71.20.37
			DNSname: alidns.com
;; DEBUG:      SHA-256 PIN: pa14rFR/bBJ25OSjCswaXu6YKWgQ2BDY5jhRRicqeik=
;; DEBUG:  #2, C=BE,O=GlobalSign nv-sa,CN=GlobalSign ECC OV SSL CA 2018
;; DEBUG:      SHA-256 PIN: KJpedoXG+Rd6IJnYeOJjxUjlaDEDI8K1vCBBgzeJkC4=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, skipping certificate verification
8.8.4.4
8.8.8.8

Signed-off-by: 谢致邦 (XIE Zhibang) <Yeking@Red54.com>
@salzmdan
Copy link
Member

Thank you for the proposed change. However, I don't think it's appropriate to extend the debug mode in this way.
You can achieve the same (or adjusted) result using:

$ gnutls-cli 223.5.5.5 -p 853 --print-cert < /dev/null | certtool -i | grep -e IPAddress: -e DNSname:
			DNSname: *.alidns.com
			IPAddress: 223.5.5.5
			IPAddress: 223.6.6.6
			IPAddress: 120.55.203.44
			IPAddress: 47.103.166.57
			IPAddress: 47.108.0.63
			IPAddress: 39.103.26.204
			IPAddress: 139.129.137.137
			IPAddress: 47.122.8.11
			IPAddress: 123.184.198.22
			IPAddress: 113.142.83.132
			IPAddress: 113.240.88.172
			IPAddress: 123.151.107.5
			IPAddress: 182.40.70.12
			IPAddress: 8.129.152.230
			IPAddress: 1.71.20.37
			DNSname: alidns.com

@Red54
Copy link
Contributor Author

Red54 commented Sep 14, 2024

@salzmdan I think printing the Subject Alternative Name is helpful for debugging, especially when +tls-ca is involved.

For example:

$ kdig +short +tls dns.google @162.14.21.56
8.8.4.4 
8.8.8.8
$
$ kdig +short +tls dns.google @162.14.21.56 +tls-ca
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server 162.14.21.56@853(TCP)
$
$ kdig +short +tls dns.google @223.5.5.5
8.8.4.4
8.8.8.8
$
$ kdig +short +tls dns.google @223.5.5.5 +tls-ca
8.8.8.8
8.8.4.4
$

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants