Engineering and technology notes

Cert Hostname DOES NOT VERIFY – Plesk Help Center

Symptoms

  • It is not possible to set up a mail client to use a secure connection because of an SSL warning about a bad certificate
  • Checking the server with online tools such as SSL Labs shows warnings like the following one:

    Cert Hostname DOES NOT VERIFY (mail.example.com != *.example.com | DNS:*.*.example.com | DNS:*.example.com)
    So email is encrypted but the host is not verified

Cause

  • The installed SSL certificate is not wildcard.
  • The multidomain certificate is used and mail.example.com is absent.
  • The mail server certificate is checked using a certificate for a domain that is not used to secure the mail server.

Resolution

Install a wildcard SSL certificate, or request a new SSL certificate that has the required domain in its list of names.

For a multidomain certificate, check that the X509v3 Subject Alternative Name extension contains the domain name:

openssl s_client -showcerts -connect mail.example.com:25 -starttls smtp 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -text | grep DNS

Note: When connecting to the mail server, make sure to use the domain name listed in the certificate that was issued when the Plesk mail server was secured.
Advise your customers to do the same. Otherwise, the mail client software may be unable to verify the mail server identity, which may cause issues when sending or receiving mail, like this one.
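
The check a mail client applies to the DNS entries printed by the openssl command above, as an added example (not from the Plesk article). It uses simplified RFC 6125-style wildcard rules; the function names and the two sample SAN lines are constructed for illustration.

```python
import re

def parse_sans(openssl_text):
    """Extract DNS names from `openssl x509 -noout -text | grep DNS` output."""
    return [m.lower() for m in re.findall(r"DNS:([^\s,]+)", openssl_text)]

def name_matches(hostname, pattern):
    """Simplified RFC 6125-style match: a wildcard is honoured only as the
    whole left-most label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Reject over-broad patterns (*.com) and a second wildcard (*.*.example.com).
        if len(pat) < 3 or "*" in "".join(pat[1:]):
            return False
        return host[0] != "" and host[1:] == pat[1:]
    # Partial-label wildcards such as f*.example.com are conservatively rejected.
    return "*" not in pattern and host == pat

def covering_sans(hostname, openssl_text):
    """Return the SAN entries that cover hostname; an empty list means a client warning."""
    return [p for p in parse_sans(openssl_text) if name_matches(hostname, p)]

# Constructed sample outputs of the openssl pipeline (not real certificates).
MULTIDOMAIN = "    DNS:example.com, DNS:www.example.com, DNS:webmail.example.com"
WILDCARD = "    DNS:*.example.com, DNS:example.com"

if __name__ == "__main__":
    for label, text in (("multidomain", MULTIDOMAIN), ("wildcard", WILDCARD)):
        for host in ("mail.example.com", "smtp.mail.example.com"):
            hits = covering_sans(host, text)
            verdict = "OK via " + hits[0] if hits else "DOES NOT VERIFY"
            print(f"{label:12} {host:24} {verdict}")
```

A wildcard entry covers mail.example.com but not a name one level deeper such as smtp.mail.example.com, so the name clients connect to must itself appear in, or be one label below, a listed entry.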

Source: Cert Hostname DOES NOT VERIFY – Plesk Help Center

Is GET data also encrypted in HTTPS?

When you GET

https://encrypted.google.com/search?q=%s

The %s query is encrypted? Or just the response? If it is not, why should Google serve its public content also with encryption?

The entire request is encrypted, including the URL, and even the command (GET). The only thing an intervening party such as a proxy server can glean is the destination address and port.

Note, however, that the Client Hello packet of a TLS handshake can advertise the fully qualified domain name in plaintext via the SNI extension (thanks @hafichuk), which is used by all modern mainstream browsers, though some only on newer OSes.

EDIT: (Since this just got me a “Good Answer” badge, I guess I should answer the entire question…)

The entire response is also encrypted; proxies cannot intercept any part of it.

Google serves searches and other content over https because not all of it is public, and you might also want to hide some of the public content from a MITM. In any event, it’s best to let Google answer for themselves.

https://stackoverflow.com/questions/4143196/is-get-data-also-encrypted-in-https

(MMV) Ethernet Shield W5100 connection issue

I have also experienced this problem and from the research I have done there are a number of common parameters:

– The W5100 board is a cheap version from China
– The resistor network immediately behind the RJ45 socket has the value 511 on it (it’s small, get a magnifying glass – it is a black rectangle with 8 connections like a mini IC)

Basically it would appear this component is not correct. It should be 510 or close to this value. Because it is 10 times over spec it is much more sensitive to switches which are sensitive to the voltage on the network.

There are 3 possible fixes:

– Change to a switch that is not as sensitive. There is some discussion on the board about this.
– Change the resistor network to something close to the 49.9R that the Arduino schematics suggest it should be. I have only seen one post where someone has done this and gotten it to work. This is fiddly due to the components being so small and surface mount … you would have to be keen to do this.
– Buy a more reputable brand Wiznet board or switch to the even cheaper ENC28J60 boards which don’t seem to have the same problems.

 
————————————————————————-
I hope I can help. I bought 3 W5100 Ethernet Shields from China. 2 of them had the
erroneous placement. A faulty connection occurs in particular when used as a Web client.
The incorrect line termination is apparent in reflections that prevent the connection.
I’ve tried everything, 4 different switches, short lines, long lines … the result was not satisfactory.
Short and sweet – my solution was quite simple:
1. Check to see if the SMD resistors are labeled 511 – see above (important)
2. Installation of two additional resistors 120 Ohm on the circuit side (Bottom Layer),
immediately in connection to the Ethernet jack. One between  1-2, and the other between 3-6.
The body of the resistors should point downwards so that no short circuit with the USB socket of the underlying UNO occurs.
The “1” of the socket is the way to the left (shorter distance to the edge) when the Ethernet socket is facing upward, of course, seen on the ladder page (Bottom Layer). The other terminals follow slightly offset.
After installation, I never had problems again …
I hope my Google English was understandable enough

Source: Ethernet Shield W5100 connection issue

Server Name Indication – Wikipedia

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. This allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites (or any other service over TLS) to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested.

https://en.wikipedia.org/wiki/Server_Name_Indication