Bertalan Zoltán Péter writes:
> Mainly, my problem is that I am unsure in general about this setup (the
> manual doesn't have an example for this and I struggle to find any guide
> online) and that I can see relayd not using the correct keypairs:
>
> ---8<---
> $ openssl s_client -connect example.com:443 | grep CN
> [...]
> depth=0 CN = example.com
> [...]
> subject=/CN=example.com
> [...]
>
> $ openssl s_client -connect matrix.example.com:443 | grep CN
> [...]
> depth=0 CN = example.com
> [...]
> subject=/CN=example.com
> [...]
> ---8<---
>
> If I am not mistaken, the CN for the second request should be
> 'matrix.example.com' if it were to work as I would like.

I don't claim to understand all of openssl's output, but when I try it on
my certs I get various CNs that I don't expect either, even though I'm
quite confident the certificate has a valid hostname.

For a simpler test, try ftp(1), which will fail if the certificate
hostname doesn't match the domain visited:

$ ftp -o - https://wrong.host.badssl.com/
Trying 104.154.89.105...
Requesting https://wrong.host.badssl.com/
ftp: SSL write error: name `wrong.host.badssl.com' not present in server certificate

-- 
Anthony J. Bentley
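
Added example, not part of the thread: the same kind of name check that ftp(1) performs above, run against a certificate file with openssl x509 -checkhost. The function names and the throwaway self-signed certificate are constructed for illustration; served_cert passes -servername so the SNI name is set explicitly rather than left to the s_client default.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Fetch the leaf certificate a server presents for a given name.
# -servername sets the SNI name explicitly. Needs network access,
# so it is defined here but not called in the offline demo below.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Succeed only if the certificate in file $1 is valid for hostname $2.
# x509 -checkhost prints "does match" or "does NOT match"; test that text
# instead of relying on the exit status.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Constructed sample: a throwaway self-signed certificate that names only
# example.com, standing in for the certificate seen in the quoted output.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=example.com' -addext 'subjectAltName=DNS:example.com' \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sample_cert "$tmp/default.pem"

# Check both names from the thread against the one certificate.
for name in example.com matrix.example.com; do
    if cert_matches_host "$tmp/default.pem" "$name"; then
        echo "$name: certificate matches"
    else
        echo "$name: name not present in certificate"
    fi
done
```

Against a live server, `served_cert matrix.example.com > served.pem` followed by `cert_matches_host served.pem matrix.example.com` gives the same pass/fail answer without reading CN lines by eye.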

