
#7831 closed defect (fixed)

SNI support in the non-App Store version

Reported by: sergei
Owned by: dkocher
Priority: normal
Milestone: 4.4.4
Component: webdav
Version: 4.4.3
Severity: normal
Keywords:
Cc:
Architecture: Intel
Platform: Mac OS X 10.9

Description (last modified by sergei)

Update:

The issue can be reproduced only on Mac OS X. My OS X machine is on the current patched Mavericks 10.9.1. The terminal reports:

    java version "1.6.0_65"
    Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
    Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)

The Windows release of Cyberduck is not affected. I was able to verify it on 2 separate Windows boxes.

The certificate is issued by a private CA. However, testing on Windows did not result in any warnings that the certificate is not trusted (even on the machine that does not trust the private root CA).

Original Description:

This issue is related to the discussion in the Google group thread https://groups.google.com/forum/#!topic/cyberduck/to2dymHbxOo.

It appears that Cyberduck does pass the server name to the server when it establishes an SSL connection.

To reproduce the issue, open the attached bookmark file.

The following openssl command line demonstrates that the server is properly configured:

    openssl s_client -servername cyberduck.coobserver.com -connect cyberduck.coobserver.com:443

The certificate CN is cyberduck.coobserver.com.

If the server name option is omitted:

    openssl s_client -connect cyberduck.coobserver.com:443

then the server sends a certificate with CN=dav.lianajoykids.com.

Cyberduck warns that the certificate does not match the server name. This means that Cyberduck failed to send the server name in the SSL handshake.

The demo site is empty and configured to resolve just this issue.

Please send me email to sergeig at me dot com for password to access the website.

Attachments (1)

cyberduck.coobserver.com.duck (621 bytes) - added by sergei on Mar 3, 2014 at 5:08:19 AM.
Mac OS X bookmark file.


Change History (10)

Changed on Mar 3, 2014 at 5:08:19 AM by sergei

Mac OS X bookmark file.

comment:1 Changed on Mar 3, 2014 at 8:25:57 AM by dkocher

  • Component changed from core to webdav
  • Description modified (diff)
  • Milestone set to 4.4.4
  • Owner set to dkocher
  • Status changed from new to assigned

comment:2 follow-up: Changed on Mar 3, 2014 at 8:28:24 AM by dkocher

  • Resolution set to worksforme
  • Status changed from assigned to closed

I get the expected error message from the certificate trust panel that The certificate was signed by an unknown authority because the root certificate is not known.

comment:3 Changed on Mar 3, 2014 at 6:34:42 PM by sergei

It turns out this issue affects only Mac OS X. I just installed the same version of Cyberduck on Windows and it works well against the same remote server.

comment:4 in reply to: ↑ 2 Changed on Mar 3, 2014 at 6:36:54 PM by sergei

Replying to dkocher:

I get the expected error message from the certificate trust panel that The certificate was signed by an unknown authority because the root certificate is not known.

Well, the certificate is signed with a private CA. It is not valid to close the ticket based on an unrelated issue.

comment:5 Changed on Mar 3, 2014 at 6:50:24 PM by sergei

  • Description modified (diff)
  • Resolution worksforme deleted
  • Status changed from closed to reopened

comment:6 follow-up: Changed on Mar 4, 2014 at 10:02:14 AM by dkocher

In my testing the certificate for cyberduck.coobserver.com is returned which indicates that we do send the hostname extension in the TLS handshake.

comment:7 in reply to: ↑ 6 Changed on Mar 4, 2014 at 10:05:32 AM by dkocher

  • Resolution set to fixed
  • Status changed from reopened to closed

Replying to dkocher:

In my testing the certificate for cyberduck.coobserver.com is returned which indicates that we do send the hostname extension in the TLS handshake.

This is with the latest snapshot build. I see that it fails with the 4.4.3 release version.

comment:8 in reply to: ↑ description Changed on Mar 4, 2014 at 10:06:07 AM by dkocher

Replying to sergei:

Update:

The issue can be reproduced only on Mac OS X. My OS X machine is on the current patched Mavericks 10.9.1. The terminal reports:

    java version "1.6.0_65"
    Java(TM) SE Runtime Environment (build 1.6.0_65-b14-462-11M4609)
    Java HotSpot(TM) 64-Bit Server VM (build 20.65-b04-462, mixed mode)

We use a bundled runtime and do not use the installed Java version.

comment:9 Changed on Mar 5, 2014 at 4:29:44 PM by te-online

I can confirm this for the Windows client. For cyberduck.coobserver.com it seems to work fine although I don't know any credentials. But I get the wrong certificate for my own domain and my hoster told me it is because of SNI.
