<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
I see this note and some examples on this page that include the DNS: option:</div>
<div style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<a href="http://wiki.cacert.org/FAQ/subjectAltName" id="LPlnk671144">http://wiki.cacert.org/FAQ/subjectAltName</a></div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<b>FAQ/subjectAltName (SAN)</b></div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<b>What is subjectAltName ?</b></div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin-top: 1em; margin-bottom: 1em; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName) :</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin-top: 1em; margin-bottom: 1em; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
subjectAltName <span style="background-color: rgb(255, 255, 0);">must always be used (RFC 3280 4.2.1.7, 1. paragraph)</span>. CN is only evaluated if subjectAltName is not present and only for compatibility with old, non-compliant software. So if you set subjectAltName,
you have to use it for all host names, email addresses, etc., not just the "additional" ones.</div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<b>subjectAltName and CAcert CSR parser</b></div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin-top: 1em; margin-bottom: 1em; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt;">
<span style="color: rgb(0, 0, 0);">The CSR parser strips any commonNames and subjectAltNames if the system can't match the domain in the system to your account, you can view domains listed on your account by going to the domains section of the website after
you log in, and then clicking on </span><span style="color: rgb(0, 153, 0);"><a href="https://www.cacert.org/account.php?id=9" id="OWA3cc51383-cfce-cc14-ae6d-00f367003a44" class="https OWAAutoLink" style="color: rgb(0, 153, 0);">View</a></span><span style="color: rgb(0, 0, 0);">.
(For this link to work, you have to log in with your username and password, not with a client certificate.)</span></div>
<div class="elementToProof" style="text-align: left; text-indent: 0px; margin-top: 1em; margin-bottom: 1em; font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
According to the standards commonName will be ignored if you supply a subjectAltName in the certificates, verified to be working in both the latest version of MS IE and Firefox (as of 2005/05/12)...</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 14pt; color: rgb(0, 0, 0);">
RW<br>
</div>
<div class="elementToProof" id="Signature">
<div style="font-size:14pt;color:#000000;font-family:Calibri,Helvetica,sans-serif" dir="ltr" id="divtagdefaultwrapper">
<p style="margin-top: 0px; margin-bottom: 0px;"><br>
</p>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> bind-users <bind-users-bounces@lists.isc.org> on behalf of Klaus Darilion via bind-users <bind-users@lists.isc.org><br>
<b>Sent:</b> Tuesday, March 4, 2025 8:55 AM<br>
<b>To:</b> Klaus Darilion <klaus.darilion@nic.at>; Ondřej Surý <ondrej@isc.org><br>
<b>Cc:</b> bind-users@isc.org <bind-users@isc.org><br>
<b>Subject:</b> RE: XoT Testing: TLS peer certificate verification failed</font>
<div> </div>
</div>
<style>
<!--
@font-face
{font-family:"Cambria Math"}
@font-face
{font-family:Calibri}
@font-face
{font-family:Aptos}
@font-face
{font-family:Tahoma}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Aptos",sans-serif}
a:link, span.x_MsoHyperlink
{color:#467886;
text-decoration:underline}
span.x_E-MailFormatvorlage20
{font-family:"Aptos",sans-serif;
color:windowtext}
.x_MsoChpDefault
{font-size:10.0pt}
@page WordSection1
{margin:70.85pt 70.85pt 2.0cm 70.85pt}
div.x_WordSection1
{}
-->
</style>
<div lang="EN-US" link="#467886" vlink="purple" style="word-wrap:break-word">
<div style="font-size:9pt; font-family:'Calibri',sans-serif">
<div style="background-color:#D5EAFF; border:1px dotted #003333; padding:.8em"><span style="font-size:10pt; font-family:'Cambria','times new roman','garamond',serif; color:#ff0000">This email originated from outside of TESLA
</span><br>
<p style="font-size:8pt; line-height:10pt; font-family:'Cambria','times roman',serif">
Do not click links or open attachments unless you recognize the sender and know the content is safe.
</p>
</div>
</div>
<div>
<div class="x_WordSection1">
<p class="x_MsoNormal">I think I have solved the mistery: Bind (or openssl, who ever does the validation) requires Subject Alternative Name. Regardless if using the hostname or the IP address, they must be in the subject alternative name. When using self-signed
certificates, it is probably best to put both in the SAN. Using the following certificate on the server, the validation in dig works fine, regardless if using the hostname or IP address.
</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">If somebody wants to test XoT, that might help bootstrapping:</p>
<p class="x_MsoNormal">openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout san-private.key -out san-certificate.crt -subj "/CN=xot-test-primary.ops.nic.at" -addext "subjectAltName=DNS:xot-test-primary.ops.nic.at,IP:193.46.106.51"</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">regards</p>
<p class="x_MsoNormal">Klaus</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<div style="border:none; border-left:solid blue 1.5pt; padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="x_MsoNormal"><b><span style="font-family:"Calibri",sans-serif">From:</span></b><span style="font-family:"Calibri",sans-serif"> bind-users <bind-users-bounces@lists.isc.org>
<b>On Behalf Of </b>Klaus Darilion via bind-users<br>
<b>Sent:</b> Tuesday, March 4, 2025 11:31 AM<br>
<b>To:</b> Ondřej Surý <ondrej@isc.org><br>
<b>Cc:</b> bind-users@isc.org<br>
<b>Subject:</b> RE: XoT Testing: TLS peer certificate verification failed</span></p>
</div>
</div>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">In my case it should not be SNI relevant, as the server only has 1 certificate to present. Anyways, I will now test with a certificate that uses the IP address in the Subject CN.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Regards</p>
<p class="x_MsoNormal">Klaus</p>
<p class="x_MsoNormal"> </p>
<div>
<p class="x_MsoNormal">-- </p>
<p class="x_MsoNormal">Klaus Darilion, Head of Operations</p>
<p class="x_MsoNormal">nic.at GmbH, Jakob-Haringer-Straße 8/V</p>
<p class="x_MsoNormal">5020 Salzburg, Austria</p>
</div>
<p class="x_MsoNormal"> </p>
<div style="border:none; border-left:solid blue 1.5pt; padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="x_MsoNormal"><b><span lang="DE" style="font-family:"Calibri",sans-serif">From:</span></b><span lang="DE" style="font-family:"Calibri",sans-serif"> Ondřej Surý <<a href="mailto:ondrej@isc.org">ondrej@isc.org</a>>
<br>
<b>Sent:</b> Tuesday, March 4, 2025 10:05 AM<br>
<b>To:</b> Klaus Darilion <<a href="mailto:klaus.darilion@nic.at">klaus.darilion@nic.at</a>><br>
<b>Cc:</b> <a href="mailto:bind-users@isc.org">bind-users@isc.org</a><br>
<b>Subject:</b> Re: XoT Testing: TLS peer certificate verification failed</span></p>
</div>
</div>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Sounds like this: <a href="https://gitlab.isc.org/isc-projects/bind9/-/issues/3896">https://gitlab.isc.org/isc-projects/bind9/-/issues/3896</a><span style="font-size:12.0pt"></span></p>
<div>
<div>
<p class="x_MsoNormal">--</p>
</div>
<p class="x_MsoNormal">Ondřej Surý — ISC (He/Him)</p>
<div>
<p class="x_MsoNormal"> </p>
</div>
<div>
<p class="x_MsoNormal">My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</p>
</div>
</div>
<div>
<p class="x_MsoNormal" style="margin-bottom:12.0pt"> </p>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<p class="x_MsoNormal" style="margin-bottom:12.0pt">On 4. 3. 2025, at 10:01, Klaus Darilion via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:</p>
</blockquote>
</div>
<blockquote style="margin-top:5.0pt; margin-bottom:5.0pt">
<div>
<p class="x_MsoNormal"><span style="font-family:"Tahoma",sans-serif"></span> <span style="font-size:12.0pt">
</span></p>
<p class="x_MsoNormal">May it be, that the validation is just broken? Even when using dig, and explicitely use the hostname of the Primary (which uses its hostname in its certificate) in @... and tls-hostname, the verification fails due to hostname mismatch:</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"># dig @xot-test-primary.ops.nic.at test.klaus +tls axfr +tls-ca=ca.crt +tls-hostname=xot-test-primary.ops.nic.at +tls-certfile=certificate.crt +tls-keyfile=private.key</p>
<p class="x_MsoNormal">;; TLS peer certificate verification for 193.46.106.51#853 failed: hostname mismatch</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Regards</p>
<p class="x_MsoNormal">Klaus</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<div style="border:none; border-left:solid blue 1.5pt; padding:0cm 0cm 0cm 4.0pt">
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0cm 0cm 0cm">
<p class="x_MsoNormal"><b><span style="font-family:"Calibri",sans-serif">From:</span></b><span style="font-family:"Calibri",sans-serif"> Klaus Darilion
<br>
<b>Sent:</b> Thursday, February 27, 2025 5:11 PM<br>
<b>To:</b> Greg Choules via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>><br>
<b>Subject:</b> XoT Testing: TLS peer certificate verification failed</span></p>
</div>
</div>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Hi! I want to test XoT between Bind9.20.6 primary and secondary.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">On the primary I created a self-signed certificate with CN=xot-test-primary.ops.nic.at and configured bind:</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"># Create a 10years valid self-signed certificate:</p>
<p class="x_MsoNormal"># openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048</p>
<p class="x_MsoNormal"># openssl req -new -key private.key -out request.csr -subj "/CN=xot-test-primary.ops.nic.at"</p>
<p class="x_MsoNormal"># openssl x509 -req -days 3650 -in request.csr -signkey private.key -out certificate.crt</p>
<p class="x_MsoNormal"># openssl x509 -text -noout -in certificate.crt</p>
<p class="x_MsoNormal"># chmod g+r private.key</p>
<p class="x_MsoNormal">#</p>
<p class="x_MsoNormal"># Create DH-params file to enable Diffie-Hellman Perfect Forward Secrecy:</p>
<p class="x_MsoNormal"># openssl dhparam -out dhparam.pem 4096</p>
<p class="x_MsoNormal">#</p>
<p class="x_MsoNormal"># <a href="https://bind9.readthedocs.io/en/v9.20.6/reference.html#namedconf-statement-tls">
https://bind9.readthedocs.io/en/v9.20.6/reference.html#namedconf-statement-tls</a></p>
<p class="x_MsoNormal">tls xot-test {</p>
<p class="x_MsoNormal"> cert-file "/etc/bind/certificate.crt";</p>
<p class="x_MsoNormal"> dhparam-file "/etc/bind/dhparam.pem";</p>
<p class="x_MsoNormal"> key-file "/etc/bind/private.key";</p>
<p class="x_MsoNormal">};</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">options {</p>
<p class="x_MsoNormal"> listen-on { 193.46.106.51; };</p>
<p class="x_MsoNormal"> listen-on-v6 { 2a02:850:1:4::51; };</p>
<p class="x_MsoNormal"> listen-on tls xot-test { 193.46.106.51; };</p>
<p class="x_MsoNormal"> listen-on-v6 tls xot-test { 2a02:850:1:4::51; };</p>
<p class="x_MsoNormal">};</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">That seems to work fine. Then I configured the secondary similar:</p>
<p class="x_MsoNormal"># Create a 10years valid self-signed certificate:</p>
<p class="x_MsoNormal"># openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048</p>
<p class="x_MsoNormal"># openssl req -new -key private.key -out request.csr -subj "/CN=xot-test-secondary.ops.nic.at"</p>
<p class="x_MsoNormal"># openssl x509 -req -days 3650 -in request.csr -signkey private.key -out certificate.crt</p>
<p class="x_MsoNormal"># openssl x509 -text -noout -in certificate.crt</p>
<p class="x_MsoNormal"># chmod g+r private.key</p>
<p class="x_MsoNormal">#</p>
<p class="x_MsoNormal"># Create DH-params file to enable Diffie-Hellman Perfect Forward Secrecy:</p>
<p class="x_MsoNormal"># openssl dhparam -out dhparam.pem 4096</p>
<p class="x_MsoNormal">#</p>
<p class="x_MsoNormal"># <a href="https://bind9.readthedocs.io/en/v9.20.6/reference.html#namedconf-statement-tls">
https://bind9.readthedocs.io/en/v9.20.6/reference.html#namedconf-statement-tls</a></p>
<p class="x_MsoNormal">tls xot-test {</p>
<p class="x_MsoNormal"> #ca-file "/etc/bind/ca.crt"; # Activating ca-file force client-certificates for incoming TLS connections</p>
<p class="x_MsoNormal"> cert-file "/etc/bind/certificate.crt";</p>
<p class="x_MsoNormal"> dhparam-file "/etc/bind/dhparam.pem";</p>
<p class="x_MsoNormal"> key-file "/etc/bind/private.key";</p>
<p class="x_MsoNormal"> #remote-hostname "xot-test-primary.ops.nic.at";</p>
<p class="x_MsoNormal">}; // may occur multiple times</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">zone "test.klaus" {</p>
<p class="x_MsoNormal"> type secondary;</p>
<p class="x_MsoNormal"> file "/var/cache/bind/test.klaus"; // Path to your zone file</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> primaries {</p>
<p class="x_MsoNormal"> 193.46.106.51 key "tsig-key" tls xot-test;</p>
<p class="x_MsoNormal"> 2a02:850:1:4::51 key "tsig-key" tls xot-test;</p>
<p class="x_MsoNormal"> };</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">I copied the primary’s certificate.crt to the secondary as ca.crt.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Using opportunistic TLS, zone transfer works fine.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">But if I enable strict TLS, either by uncommenting ‘ca-file’ or ‘remote-hostname’ option, the TLS verification fails:</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> transfer of 'test.klaus/IN' from 193.46.106.51#853: failed to connect: TLS peer certificate verification failed</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">But the setup on the primary looks fine. I can successfully open a TLS connection when using curl:</p>
<p class="x_MsoNormal"># curl -v <a href="https://xot-test-primary.ops.nic.at:853">
https://xot-test-primary.ops.nic.at:853</a> --cacert ca.crt</p>
<p class="x_MsoNormal">* Host xot-test-primary.ops.nic.at:853 was resolved.</p>
<p class="x_MsoNormal">* IPv6: (none)</p>
<p class="x_MsoNormal">* IPv4: 193.46.106.51</p>
<p class="x_MsoNormal">* Trying 193.46.106.51:853...</p>
<p class="x_MsoNormal">* Connected to xot-test-primary.ops.nic.at (193.46.106.51) port 853</p>
<p class="x_MsoNormal">* ALPN: curl offers h2,http/1.1</p>
<p class="x_MsoNormal">* TLSv1.3 (OUT), TLS handshake, Client hello (1):</p>
<p class="x_MsoNormal">* CAfile: ca.crt</p>
<p class="x_MsoNormal">* CApath: /etc/ssl/certs</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, Server hello (2):</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, Certificate (11):</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, CERT verify (15):</p>
<p class="x_MsoNormal">* TLSv1.3 (IN), TLS handshake, Finished (20):</p>
<p class="x_MsoNormal">* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):</p>
<p class="x_MsoNormal">* TLSv1.3 (OUT), TLS handshake, Finished (20):</p>
<p class="x_MsoNormal">* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / RSASSA-PSS</p>
<p class="x_MsoNormal">* ALPN: server did not agree on a protocol. Uses default.</p>
<p class="x_MsoNormal">* Server certificate:</p>
<p class="x_MsoNormal">* subject: CN=xot-test-primary.ops.nic.at</p>
<p class="x_MsoNormal">* start date: Feb 27 14:02:56 2025 GMT</p>
<p class="x_MsoNormal">* expire date: Feb 25 14:02:56 2035 GMT</p>
<p class="x_MsoNormal">* common name: xot-test-primary.ops.nic.at (matched)</p>
<p class="x_MsoNormal">* issuer: CN=xot-test-primary.ops.nic.at</p>
<p class="x_MsoNormal">* SSL certificate verify ok.</p>
<p class="x_MsoNormal">* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">So, what am I doing wrong? Is Bind using a not-trivial TLS certificate verification? I also failed getting more verbose verification details. Any help is appreciated.</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal">Thanks</p>
<p class="x_MsoNormal">Klaus</p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
</div>
<p class="x_MsoNormal"><span style="font-size:12.0pt">-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at
<a href="https://www.isc.org/contact/">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a></span></p>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</body>
</html>