
1895 points _l4jh | 6 comments
1. milankragujevic ◴[] No.16727989[source]
Uhm, how can you get an SSL cert for an IP?
replies(4): >>16728020 #>>16728031 #>>16728170 #>>16728352 #
2. nkozyra ◴[] No.16728020[source]
It's just uncommon but supported.

https://stackoverflow.com/questions/1095780/are-ssl-certific...

3. rocqua ◴[] No.16728031[source]
Apparently, you need to provide it as a Subject Alternative Name (SAN).

This is the entry for the cert used:

    DNS Name=*.cloudflare-dns.com
    IP Address=1.1.1.1
    IP Address=1.0.0.1
    DNS Name=cloudflare-dns.com
    IP Address=2606:4700:4700:0000:0000:0000:0000:1111
    IP Address=2606:4700:4700:0000:0000:0000:0000:1001
replies(1): >>16728092 #
4. tialaramex ◴[] No.16728092[source]
SAN is the only correct way to write any kind of name for servers on the Internet in a certificate. The "Common Name" was left as a compatibility feature like 20 years ago when SANs were invented and then it rusted into place, but is no longer examined by current Firefox or Chrome browsers for "real" certificates from the public Internet. Chrome shipped releases for a while with a bug where they'd complain the server's cert had the wrong "Common Name" when actually they never checked CN at all, and so it might even have the right Common Name, but they really meant "Your SANs don't match fool" and hadn't updated the error text.

Because crappy software (looking at you here OpenSSL) makes writing SANs into a Certificate Subject Request way harder than it needs to be, a lot of CAs (including Let's Encrypt) will take a CSR that says "My Common Name is foo.example" and sigh, and issue a cert which adds SAN dnsName foo.example, because they know that's what you want. Really somebody should fix the software, one of these days.

In older Windows versions, SChannel (Microsoft's implementation of SSL/TLS) doesn't understand ipAddress, and thinks the correct way to match an ipAddress against a certificate is to turn the address into ASCII text of dotted decimals and compare that to the dnsName entries. This, unsurprisingly, is not standards compliant.

It's good to see a CA not trying to fudge this, but the consequence is probably that if you have older Windows (XP? Maybe even something newer) these certs don't check out as valid for the site. Eh. Upgrade already.
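
Added example (not code from the thread, from Cloudflare, or from any of the commenters): the two preceding comments describe a certificate whose identities are carried as iPAddress and dNSName SAN entries, and a verifier that wrongly compares the dotted-decimal text of an address against dNSName entries. The Go program below builds a self-signed certificate with the SAN list quoted above (the key and signature are constructed here; only the names are copied from the comment) and a second certificate with "1.1.1.1" written as a dNSName and no iPAddress entry, then checks both with Go's crypto/x509 name matching, which follows the RFC 5280 / RFC 6125 rules: an IP reference identity is compared only against iPAddress SANs, a hostname only against dNSName SANs, and the Subject Common Name is never consulted. The assumption is Go 1.15 or later, where CN fallback has been removed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a self-signed server certificate whose identities live
// only in the subjectAltName extension: dnsNames become dNSName entries and
// ips become iPAddress entries. The Subject carries no Common Name at all,
// which a modern verifier does not need and which keeps the checks below
// unambiguous. Key and signature are generated fresh each run (constructed).
func selfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"SAN demo (constructed)"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// cloudflareStyle reproduces the SAN list quoted in the thread: two dNSName
// entries (one a wildcard) plus two IPv4 and two IPv6 iPAddress entries.
func cloudflareStyle() (*x509.Certificate, error) {
	return selfSigned(
		[]string{"*.cloudflare-dns.com", "cloudflare-dns.com"},
		[]net.IP{
			net.ParseIP("1.1.1.1"),
			net.ParseIP("1.0.0.1"),
			net.ParseIP("2606:4700:4700::1111"),
			net.ParseIP("2606:4700:4700::1001"),
		},
	)
}

// dottedDecimalInDNSName is the shape a verifier that compares the textual
// address against dNSName entries would accept: the IP written as a string
// in a dNSName entry and no iPAddress entry at all.
func dottedDecimalInDNSName() (*x509.Certificate, error) {
	return selfSigned([]string{"1.1.1.1"}, nil)
}

// validFor reports whether cert is valid for the reference identity name
// under the rules implemented by Go's crypto/x509: an IP literal (optionally
// in [brackets]) is matched only against iPAddress SANs, a hostname only
// against dNSName SANs (a wildcard may stand for the left-most label), and
// the Subject CN is never consulted.
func validFor(cert *x509.Certificate, name string) bool {
	return cert.VerifyHostname(name) == nil
}

func main() {
	good, err := cloudflareStyle()
	if err != nil {
		panic(err)
	}
	bogus, err := dottedDecimalInDNSName()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"1.1.1.1", "1.0.0.1", "[2606:4700:4700::1111]",
		"cloudflare-dns.com", "mozilla.cloudflare-dns.com", "one.one.one.one"} {
		fmt.Printf("%-26s iPAddress-SAN cert: %-5v dNSName-only cert: %v\n",
			name, validFor(good, name), validFor(bogus, name))
	}
}
```

The second certificate is the point of the exercise: a standards-following verifier rejects "1.1.1.1" against it even though the string appears verbatim in the cert, because an IP reference identity never matches a dNSName. For the OpenSSL side of the complaint above, OpenSSL 1.1.1 and later accept `openssl req -new -addext "subjectAltName=DNS:cloudflare-dns.com,IP:1.1.1.1" ...` to put SANs directly into a CSR without a config file, and `openssl verify -verify_ip 1.1.1.1` performs the iPAddress check shown here.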

5. bogomipz ◴[] No.16728170[source]
Per RFC 5280:

>"4.2.1.6. Subject Alternative Name The subject alternative name extension allows identities to be bound to the subject of the certificate. These identities may be included in addition to or in place of the identity in the subject field of the certificate. Defined options include an Internet electronic mail address, a DNS name, an IP address, and a Uniform Resource Identifier(URI). Other options exist, including completely local definitions."[1]

[1] https://tools.ietf.org/html/rfc5280#section-4.2.1.6

6. ◴[] No.16728352[source]