Production server's certificate has the wrong hostname
The production server lvalert.cgca.uwm.edu is providing me with a certificate for the wrong hostname, lvalert.ligo.uwm.edu. I think that it is only possible to connect to the production server at all because this client is not even checking the certificates, so we are vulnerable to a MITM attack every time we use lvalert.
CC @alexander-pace, @tanner.prestegard.
$ openssl x509 -text <<EOF
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4476279239607389278 (0x3e1ef04088410c5e)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=lvalert.ligo.uwm.edu
Validity
Not Before: Jun 21 14:42:03 2018 GMT
Not After : Jun 20 14:42:03 2023 GMT
Subject: CN=lvalert.ligo.uwm.edu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
othername:<unsupported>
X509v3 Subject Key Identifier:
5E:53:29:3D:88:1E:41:C6:48:10:FE:DB:4F:FB:AB:0A:E1:A1:7C:1D
X509v3 Authority Key Identifier:
keyid:5E:53:29:3D:88:1E:41:C6:48:10:FE:DB:4F:FB:AB:0A:E1:A1:7C:1D
Signature Algorithm: sha256WithRSAEncryption
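The mismatch reported above can be reproduced offline. This is an added example, not part of the original report and not the lvalert client's code: `PAGE_CERT` is a constructed dict in the shape of Python's `ssl.getpeercert()` that copies the Subject, Issuer and SAN fields printed above, and `weak_context()` is a hypothetical stand-in for a client that skips verification.

```python
import ssl

# Constructed sample mirroring the fields in the openssl output above.
PAGE_CERT = {
    "subject": ((("commonName", "lvalert.ligo.uwm.edu"),),),
    "issuer": ((("commonName", "lvalert.ligo.uwm.edu"),),),
    "subjectAltName": (("othername", "<unsupported>"),),
}

def dns_names(cert):
    """Names a TLS client may match: dNSName SANs first, subject CN as fallback."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive label match; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def cert_matches_host(cert, host):
    return any(name_matches(n, host) for n in dns_names(cert))

def context_findings(ctx):
    """List the settings that would let a mismatched certificate through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: any certificate name is accepted")
    return findings

def weak_context():
    # Hypothetical client configuration that performs no verification.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    for host in ("lvalert.cgca.uwm.edu", "lvalert.ligo.uwm.edu"):
        print(host, "matches" if cert_matches_host(PAGE_CERT, host) else "MISMATCH")
    print("weak:", context_findings(weak_context()))
    print("default:", context_findings(ssl.create_default_context()))
```

A context from `ssl.create_default_context()` reports no findings, and with it a handshake to a server presenting this certificate under the name lvalert.cgca.uwm.edu would fail instead of silently succeeding.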