
Re: Certificate mismatch

2015-05-22 03:39:01
tom petch wrote:

<ynir(_dot_)ietf(_at_)gmail(_dot_)com> wrote:

tom petch <daedulus(_at_)btconnect(_dot_)com> wrote:

Running on a backup computer, I get a certificate mismatch message when I 
try to access the datatracker using the link from the IESG page and a 
warning that I really should not proceed to this dangerous website.

Indeed, the website is datatracker.ietf.org and the certificate 
*.iab.org

Has something changed, or is this just a configuration quirk (Internet 
Explorer) on my backup system?

Is your Internet Explorer old enough to not send SNI?

Which, according to Wikipedia, is equivalent to asking if your backup 
computer is running XP.

Spot on.  I know SNI well but had not realised that it was lacking from the 
tried and tested, trusty XP (which makes it a good choice for a backup 
system:-).


For the IETF web sites in question, this explanation is a pretty
lame excuse for the server-side failure to present a reasonable server
certificate.  It's not like the IAB and the datatracker are from
completely separate competing secretive organizations that the current
setup would be a vital requirement.

The obvious correct fix would be to obtain one single proper server
certificate that lists all the necessary hostnames as "SubjectAltNames"
of type dnsName (see rfc2818 Section 3), and then interop would just work,
even for stuff that isn't (heart)bleeding edge technology.  At least 
in the past, interoperability was considered important in the IETF.


-Martin
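
Added example, not part of the original message or of the IETF server configuration: a small Python model of the situation discussed in this thread, comparing per-site certificates selected by SNI with one certificate that lists every hostname as a dNSName. The SAN lists, the default-certificate choice and all function names are assumptions constructed for illustration; the wildcard rule is a simplified reading of RFC 2818 Section 3.1.

```python
# Added example: certificate selection on a shared TLS endpoint.
# SAN lists and helper names are constructed, not taken from a real server.

def dns_name_matches(pattern, hostname):
    """Match one dNSName against a hostname (simplified RFC 2818 sec. 3.1).
    A wildcard is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # "*" stands for exactly one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_valid_for(san_dns_names, hostname):
    """Client side: is the hostname covered by any dNSName in the cert?"""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)

def select_cert(certs, default, sni):
    """Server side: pick a cert by SNI if one was sent, else the default."""
    if sni is not None:
        for san in certs:
            if cert_valid_for(san, sni):
                return san
    return default

def handshake_ok(certs, default, hostname, client_sends_sni):
    """True if the cert the server presents matches what the client asked for."""
    sni = hostname if client_sends_sni else None
    return cert_valid_for(select_cert(certs, default, sni), hostname)

# Constructed SAN lists using the two names mentioned in the thread.
IAB = ["*.iab.org"]
TRACKER = ["datatracker.ietf.org"]
PER_SITE = [IAB, TRACKER]                       # relies on SNI
COMBINED = ["*.iab.org", "datatracker.ietf.org"]  # one multi-SAN certificate

if __name__ == "__main__":
    setups = [("per-site certs", PER_SITE, IAB),
              ("one multi-SAN cert", [COMBINED], COMBINED)]
    for label, certs, default in setups:
        for sni in (True, False):
            ok = handshake_ok(certs, default, "datatracker.ietf.org", sni)
            print(f"{label:20} SNI={sni!s:5} -> {'match' if ok else 'MISMATCH'}")
```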