Jakob Bohm

Bug: When using ignoreMismatch=on, a NoTrust error is displayed

Discussion created by Jakob Bohm on Aug 7, 2014
Latest reply on Aug 8, 2014 by Ivan Ristić

When testing a "farm" of load balanced servers, I point the ssllabs.com test to each individual server by using non-public DNS names of the individual servers.  Those names obviously mismatch the name(s) in the certificate, so I use the ignoreMismatch=on test parameter (or the equivalent click on the warning page).

 

However, even when told to ignore the certificate mismatch, the ssllabs checker incorrectly reports that "This server's certificate is not trusted, see below for details." and points to a long list of possible reasons where the name mismatch is listed as a sub-possibility in an obfuscated phrasing (it says hostname, when the rest of the result page uses the word name).  This misleadingly indicates that there is an additional certificate problem other than the name mismatch, when in fact there isn't (as can be seen by successfully testing the load balanced name which matches the certificate but doesn't let me choose which server to test).

 

I respectfully suggest that an explicitly ignored name mismatch should not impact the "certificate trust" rating, which should be calculated according to all other criteria than the already ignored name mismatch.  This will also help users test a not-yet-online server before pointing the certified DNS name to it.

 

Since I am aware of the issue, I can obviously work around it myself, but I still consider it a bug.

Outcomes