[Chugalug] Odd EPB Behavior

Dave Brockman dave at brockmans.com
Mon Mar 3 21:22:32 UTC 2014


On 3/3/2014 3:38 PM, Billy wrote:
> If you DO want to use the ip for the cert name, I think you can if 
> you make the reverse DNS look up match the forward DNS look up.
> Then if you connect to the ip, when the browser performs the
> reverse lookup, gets the name, and matches the name to the same ip
> using the forward lookup -- all the given names will match and
> everything is good.
> 
> I'd have to test that, though.

Does HTTP even do a RDNS lookup?  If you want the cert valid when you
access via IP address, the IP address needs to be either the CN or in
the SAN attributes on the cert.  Matching RDNS not required, I'm 99.9%
certain.  Most RDNS entries are more enlightening than 30.190.174.184.
or 30.190.174.184.in-addr.arpa.

Regards,

dtb

-- 
"Some things in life can never be fully appreciated nor understood
unless experienced firsthand. Some things in networking can never be
fully understood by someone who neither builds commercial networking
equipment nor runs an operational network." RFC 1925
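
The name check discussed in the reply above, as an added example that is not part of the original message: the client compares what the user typed (hostname or IP literal) against the names in the certificate and performs no DNS lookup in either direction. Assumptions: the certificate is a dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns, the sample names and addresses are constructed, and `allow_cn_fallback` is a hypothetical flag modelling clients that still accept a CN when no SAN is present.

```python
import ipaddress

# Constructed sample, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("IP Address", "192.0.2.10")),
}

def _as_ip(value):
    """Parse an IP literal; return None for anything else (e.g. a hostname)."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def _names(cert, allow_cn_fallback):
    """Yield (kind, value) pairs the client may compare against."""
    sans = cert.get("subjectAltName", ())
    yield from sans
    if allow_cn_fallback and not sans:  # hypothetical legacy mode (assumption)
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    is_ip = _as_ip(value) is not None
                    yield ("IP Address" if is_ip else "DNS", value)

def cert_matches(cert, target, allow_cn_fallback=False):
    """True if the certificate names `target` exactly as the user typed it.
    Nothing here resolves anything: no forward lookup, no reverse lookup."""
    ip = _as_ip(target)
    for kind, value in _names(cert, allow_cn_fallback):
        if ip is not None:
            # IP targets match only IP-typed entries, compared as addresses.
            if kind == "IP Address" and _as_ip(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, target):
            return True
    return False
```

A certificate that lists only the hostname fails for the IP literal no matter what the PTR record for that address says, because the PTR record is never consulted.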

