[Chugalug] Odd EPB Behavior

Billy flushy at flushy.net
Mon Mar 3 20:38:10 UTC 2014


Others have already explained this, but I think there can be another explanation.

We use a lot of load balancers. Some are what's called wide Ip or global load balancing.

That's a fancy word for "change DNS sometimes."

Wide ip has hardware load balancers in two (or more) geographical locations. When you request a name, the time to live (ttl) for the name is set as such, that your resolver pretty much is forced to request from its delegation server, which then is forced to ask the root server chain, all the way down to asking the wide ip DNS appliance for the name (a lot of this DNS to DNS server talk is cached).

So one minute you get an ip in Orlando. The next, an ip in Tampa. Conversely, connecting to that ip in Tampa routes you to one ip in a cluster of machines - in Tampa.

So, you have one cert on 4, 10, or 100 machines.

The only way to make that work is to connect to the DNS name that matches the Common Name (CN) on the cert. if you connect to say Orlandovip-www.company.com, the browser has no way to determine if Orlandovip-www is the same as www.company.com or not.

If you DO want to use the ip for the cert name, I think you can if you make the reverse DNS look up match the forward DNS look up. Then if you connect to the ip, when the browser performs the reverse lookup, gets the name, and matches the name to the same ip using the forward lookup -- all the given names will match and everything is good.

I'd have to test that, though.

-- 
--b
Sent from my iPhone

> On Mar 3, 2014, at 11:53 AM, AverageSecurityGuy <stephen at averagesecurityguy.info> wrote:
> 
> I’m sure that EPB does caching on its network but I’ve not seen anything like this before. If you go to http://66.18.36.99/ then you will get Google’s home page. If you go to https://66.18.36.99/ then Firefox complains that the cert is only for *.google.com. Is this typical caching behavior or is EPB, MiTM Google?
> 
> --
> Stephen Haywood
> Owner, ASG Consulting
> CISSP, OSCP
> 423.305.3700
> asgconsulting.co
> 
> 
> 
> _______________________________________________
> Chugalug mailing list
> Chugalug at chugalug.org
> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug


More information about the Chugalug mailing list