Why openssl s_client and gnutls-cli deliver different certificates (own server)

on my server i have multiple virtual hosts with apache2. Some with domain *.example-one.org and some whith *.example-two.org. Each domain has it’s own wildcard certificate.

When I fetch the certificate via openssl s_client the output is something like that:

$ openssl s_client -connect sub.example-one.org:443
[...] CN = *.example-two.org, emailAddress [...]
verify error:num=18:self signed certificate
verify return:1
[...] CN = *.example-two.org, emailAddress [...]
verify return:1
    Verify return code: 18 (self signed certificate)

And with gnutls-cli

$ gnutls-cli -p 443 sub.example-one.org
Processed 164 CA certificate(s).
Resolving 'sub.example-one.org'...
Connecting to '14x.xxx.xxx.xxx:443'...
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
 - subject `[...]CN=*.example-one.org[...]', RSA key 2048 bits, signed using RSA-SHA1, activated `2013-07-11 12:30:31 UTC', expires `2015-07-11 12:30:31 UTC', SHA-1 fingerprint `94ddfd0d74e0352521af511c1d08c71e5314fae4'
- Status: The certificate is NOT trusted. The certificate issuer is unknown. 
*** Verifying server certificate failed...
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.

(I’ve shorted the output by “[…]”)

Firefox fetches (as gnutls) the correct certificate…

Why are there differences?


If you use multiple certificates behind the same IP address you have to use SNI (server name indication). While browsers do this by default and gnutls maybe too, the s_client does not and you have to use openssl s_client -servername sub.example.org -connect ...

Source : Link , Question Author : Nepomuk Frädrich , Answer Author : shastry

Leave a Comment