问题
When I access https://gmail.com in the browser I'm sent a 301 redirect to https://mail.google.com. When I try to do the same thing using node.js I get a "Hostname/IP doesn't match certificate's altnames" error.
This makes sense since the certificate offered by gmail.com to node.js doesn't include "gmail.com" as ther common name nor as an alt-name. This is the certificate being presented by gmail.com...
{ subject:
{ C: 'US',
ST: 'California',
L: 'Mountain View',
O: 'Google Inc',
CN: 'mail.google.com' },
issuer: { C: 'US', O: 'Google Inc', CN: 'Google Internet Authority G2' },
subjectaltname: 'DNS:mail.google.com',
exponent: '10001',
valid_from: 'Feb 25 15:21:00 2014 GMT',
valid_to: 'May 26 00:00:00 2014 GMT'}
When I check the certificate that should be presented by the server I see http://www.sslshopper.com/ssl-checker.html#hostname=gmail.com which DOES include the gmail.com extension. I assume this is what the browser is recieving.
Why is node being sent a different certificate to the browser? Could this have anything to do with CNAMEs and DNS?
回答1:
This could be because your browser supports Server Name Indication (SNI) and Node.js (or rather, the client module you're using) does not. Since certificate negotiation happens before HTTP can begin, SNI is needed in order to serve more than one hostname from a single IP address.
来源:https://stackoverflow.com/questions/22242736/different-certificate-being-presented-to-node-js-vs-the-browser