SSL Certificate with Wrong Hostname
Fabien edited this page May 22, 2024 · 1 revision
An SSL certificate with the wrong hostname indicates a mismatch between the domain name listed on the SSL certificate and the domain name that the certificate is being used for. This discrepancy can lead to browser warnings, erode trust, and potentially expose users to man-in-the-middle attacks.
- Severity: Medium
The consequences of using an SSL certificate with the wrong hostname include:
- Browser Warnings: Users may see security warnings, deterring them from accessing the site, which can negatively impact traffic and trust.
- Security Risks: Increases vulnerability to phishing attacks as users may become accustomed to ignoring security warnings.
- Compliance Issues: Non-compliance with security standards and regulations that mandate proper certificate usage.
This issue may arise from several scenarios:
- Configuration Errors: Incorrect details entered during the certificate request process.
- Migration Oversights: Not updating the SSL certificate after changing the domain name or server.
- Administrative Mistakes: Using a certificate intended for a different domain.
To resolve hostname mismatches and restore the security assurances provided by SSL/TLS certificates:
- Verify Certificate and Domain Match:
  - Use SSL verification tools to check that the domain name in the certificate matches the domain name of the site (the `</dev/null` closes stdin so `s_client` exits once the handshake is done instead of waiting for input):
    ```bash
    openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null | openssl x509 -noout -text | grep -A 1 "Subject Alternative Name"
    ```
- Obtain a New Certificate:
  - If discrepancies are found, request a new SSL certificate with the correct hostname from your certificate authority (CA).
  - Consider obtaining a wildcard certificate if multiple subdomains require coverage.
- Update Server Configuration:
  - Replace the old certificate with the new one on your server. For servers like Apache or Nginx, update the SSL certificate paths in the configuration files.
Updating Apache SSL Configuration:
Update your Apache configuration to reference the correct SSL certificate files:
```apache
<VirtualHost *:443>
    ServerName yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/CA_bundle.crt
</VirtualHost>
```
Restart Apache to apply changes:
```bash
sudo systemctl restart apache2
```
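As an added example (not part of the original page), the hostname comparison that a browser or `openssl verify -verify_hostname` performs against the Subject Alternative Name list shown by the `openssl` command above, written in Python so the wildcard and IP-address edge cases are explicit; the helper names (`hostname_matches`, `fetch_san`) and the sample names and addresses in `SAMPLE_SAN` are constructed for this illustration.

```python
"""Hostname check against a certificate's Subject Alternative Names (added example).

Rules follow RFC 6125 as browsers apply them: only SAN dNSName/iPAddress entries count
(CN is ignored), matching is case-insensitive, and a wildcard must be the whole leftmost
label, leave at least two fixed labels, and match exactly one label.
"""
import ipaddress
import socket
import ssl

# Constructed sample, shaped like ssl.SSLSocket.getpeercert()["subjectAltName"].
SAMPLE_SAN = (("DNS", "www.example.test"), ("DNS", "*.cdn.example.test"),
              ("IP Address", "192.0.2.10"))

def _dns_match(pattern, hostname):
    """Compare one dNSName SAN entry against a hostname."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    labels = p.split(".")
    # Wildcard only as the entire leftmost label (rejects f*.example.test and
    # www.*.test) and never broad enough to cover a whole TLD such as *.test.
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False
    h_labels = h.split(".")
    return len(h_labels) == len(labels) and h_labels[1:] == labels[1:]

def hostname_matches(hostname, san):
    """True if the name connected to (DNS name or IP literal) is covered by a SAN entry."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san:
        if kind == "IP Address" and ip is not None:
            if ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and ip is None and _dns_match(value, hostname):
            return True
    return False

def fetch_san(host, port=443, timeout=5.0):
    """Connect with SNI and return the peer certificate's SAN entries; the chain is
    still validated but hostname checking is off so a wrong-name cert can be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())
```

Against a live server, pass the result of `fetch_san("yourdomain.com")` together with the same hostname to `hostname_matches`; a `False` result is exactly the mismatch this page describes, and the returned SAN list shows which names the certificate actually covers.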