0

I just learned that, for whatever reason, domain names can get resolved to the wrong IP address, therefore requests can hit the wrong servers. (Just some examples of erroneous domain resolutions from Server Fault: 1, 2, 3.)

Now, if this scenario does happen and the server is configured to accept every HTTPS requests (such as in the NGINX config at the bottom), where will the process fail?

For example, if the 2 parties are server and client:

  • server's TLS certificate is for domain.name where domain.name resolves to the IP address of server.

  • client wants to visit https://another.org/, but, for some unforeseen reason, it resolves to server's IP address.

I have a vague idea:

  1. client (erroneously) hits up server with an HTTPS request

  2. This kicks off a TLS handshake

    ... which should go through because, as far as I know, client will only verify the validity of server's certificate, and not if the domain name client requested matches the domain in server's certificate.

  3. The first requests go through the newly established TLS connection, but all will fail in the application level as nothing makes sense.

The fairly standard NGINX config:

#############
# CATCH-ALL #
#############
server {
   listen 80 default_server; 
   server_name _;

return 404;
}


##########################


HTTP-to-HTTPS redirect


##########################
server {
    listen 80;
    server_name ourdomain.com;


return 301 https://ourdomain.com$request_uri;



}


#########


HTTPS


#########
server {
    listen 443 default_server ssl http2;


ssl_certificate /path/to/signed_cert_plus_intermediates;
ssl_certificate_key /path/to/private_key;

# ... rest of the instructions ...



}
toraritte
  • 129
  • 8
  • 1
    How the server is authenticated is basically how the server certificate is validated - therefore marked as duplicate of such a question. – Steffen Ullrich Aug 10 '23 at 16:54
  • 1
    @SteffenUllrich The "duplicate" thread is fantastic, I was definitely missing that one, thanks! I simplified my question in the meantime to show how it differs. – toraritte Aug 10 '23 at 17:25
  • 1
    I've added more duplicate questions which should solve "as far as I know, client will only verify the validity of server's certificate, and not if the domain name client requested matches the domain in server's certificate.". In short - the client will check the requested domain name against the certificate. – Steffen Ullrich Aug 10 '23 at 17:54
  • 1
    You're awesome - thank you for this detective work and, in fact, answering my question! – toraritte Aug 10 '23 at 18:04
  • 1
    while i believe the essence of this question is awnsered in the other questions.. it does post a unique way of looking at the problem that (in my view) merits its own question.

    @toraritte can you reformulate this question to something like: "in a HTTPS scenario where there is a 'catch all' server, and a client gets routed to this server for some reason. where in the process will the error happen that prevents exchange of data?"

     – LvB Aug 14 '23 at 09:52

0 Answers0