Different certificate being presented to node.js vs the browser

Problem description

When I access https://gmail.com in the browser I'm sent a 301 redirect to https://mail.google.com. When I try to do the same thing using node.js I get a "Hostname/IP doesn't match certificate's altnames" error.

This makes sense since the certificate offered by gmail.com to node.js doesn't include "gmail.com" as the common name nor as an alt-name. This is the certificate being presented by gmail.com...

{ subject: 
   { C: 'US',
     ST: 'California',
     L: 'Mountain View',
     O: 'Google Inc',
     CN: 'mail.google.com' },
  issuer: { C: 'US', O: 'Google Inc', CN: 'Google Internet Authority G2' },
  subjectaltname: 'DNS:mail.google.com',
  exponent: '10001',
  valid_from: 'Feb 25 15:21:00 2014 GMT',
  valid_to: 'May 26 00:00:00 2014 GMT'}

When I check the certificate that should be presented by the server I see http://www.sslshopper.com/ssl-checker.html#hostname=gmail.com which DOES include the gmail.com extension. I assume this is what the browser is receiving.

Why is node being sent a different certificate to the browser? Could this have anything to do with CNAMEs and DNS?

Recommended answer

This could be because your browser supports Server Name Indication (SNI) and Node.js (or rather, the client module you're using) does not. Since certificate negotiation happens before HTTP can begin, SNI is needed in order to serve more than one hostname from a single IP address.
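
An added example, not part of the original question or answer: Node's built-in `tls.checkServerIdentity`, run against the certificate fields quoted in the question, reproduces the altnames rejection for `gmail.com`. `connectWithSni` is a hypothetical helper name; it sends the hostname through the `servername` option of `tls.connect` so that an SNI-aware server can pick the matching certificate.

```javascript
'use strict';
const tls = require('tls');

// Certificate fields copied from the question: what the server presented
// to the client that did not send SNI.
const certFromQuestion = {
  subject: { C: 'US', ST: 'California', L: 'Mountain View',
             O: 'Google Inc', CN: 'mail.google.com' },
  subjectaltname: 'DNS:mail.google.com',
};

// Returns null when the certificate covers `hostname`, otherwise the
// reason Node gives for rejecting it.
function nameMismatch(hostname, cert) {
  const err = tls.checkServerIdentity(hostname, cert);
  return err ? err.message : null;
}

// Hypothetical helper: connect with the SNI extension set explicitly and
// resolve with the names on the certificate the server selected.
function connectWithSni(host, port = 443) {
  return new Promise((resolve, reject) => {
    const socket = tls.connect({ host, port, servername: host }, () => {
      const cert = socket.getPeerCertificate();
      socket.end();
      resolve({ cn: cert.subject.CN, altnames: cert.subjectaltname });
    });
    socket.on('error', reject);
  });
}

console.log('gmail.com       ->', nameMismatch('gmail.com', certFromQuestion));
console.log('mail.google.com ->', nameMismatch('mail.google.com', certFromQuestion));

// Needs network access, so it only runs when requested:
// pass `--live <host>` on the command line.
if (process.argv[2] === '--live') {
  connectWithSni(process.argv[3]).then(console.log, console.error);
}
```

Comparing the names returned by the live call with the certificate in the question shows whether the server selects a different certificate once the hostname is sent.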
