Tags: ssl, browser, https, x509certificate

Why can a https website with a mismatching certificate domain name be marked as 'secure' by browser?


I have basic knowledge of SSL and can configure a website's HTTPS certificate.
I used to believe

A 'secure' HTTPS website must have a matching (at least a wildcard-matching) certificate domain name

until today.

Take google.com as an example:

  • By Chrome certificate viewer:

    [screenshot: Chrome certificate viewer for google.com]

  • By openssl (port 443 must be given explicitly, otherwise s_client falls back to its default port):
    openssl s_client -connect google.com:443

Got the same result:

... depth=0 CN = *.google.com ...

This is just working as expected for me.

But I just found (which was actually a mistake, as I was expecting cn.bing.com) a website bing.cn,

  • By Chrome certificate viewer:

    [screenshot: Chrome certificate viewer for bing.cn]

  • By openssl
    openssl s_client -connect bing.cn:443

Got a different result:

... depth=0 CN = *.wordpress.com ...

And this is beyond my knowledge. Could you explain:

  1. Why can the domain name differ from the certificate's, yet the site still be marked secure?
  2. Why do the GUI version (tls.automattic.com) and the command-line version (*.wordpress.com) show different certificate domains?

Solution

  • The Subject field is obsolete in all modern browsers; they look for authorized names in the Subject Alternative Name certificate extension:

    [screenshot: Subject Alternative Name extension of the bing.cn certificate]

    and bing.cn is authorized by this certificate. In fact, this certificate is allowed to represent any name listed in this extension.
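To make the answer concrete, here is an added example (not code from the question or the answer) of the name check a browser performs: only the SAN dNSName entries are consulted, the Subject CN is ignored, and a wildcard may only be the whole left-most label. The SAN lists for the two certificates are constructed stand-ins; the page's screenshots did not survive, so they are assumptions, not the real certificates' contents.

```python
"""Browser-style hostname check: SAN dNSName entries decide, Subject CN is ignored."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Only the naming parts of an X.509 certificate that matter here."""
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)


def _name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName pattern against a hostname (RFC 6125 rules).

    - comparison is case-insensitive
    - '*' may only be the entire left-most label and matches exactly one label,
      so '*.google.com' matches 'www.google.com' but not 'google.com' or 'a.b.google.com'
    - a wildcard needs at least two labels after it, so '*.com' never matches
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host          # plain name: exact match only
    if "*" in pattern[1:]:
        return False                    # a second wildcard anywhere: reject
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_authorizes(host: str, cert: CertNames) -> bool:
    """True if the certificate is valid for `host`.

    Exactly the names in the SAN extension are authorized, whatever the CN
    says; a certificate with no SAN entries is valid for no host at all.
    """
    return any(_name_matches(name, host) for name in cert.san_dns)


# Constructed stand-ins (assumption) for the two certificates discussed above.
GOOGLE_CERT = CertNames("*.google.com", ["*.google.com", "google.com"])
BING_CN_CERT = CertNames("*.wordpress.com",
                         ["*.wordpress.com", "wordpress.com", "bing.cn", "www.bing.cn"])

if __name__ == "__main__":
    for host, cert in [("bing.cn", BING_CN_CERT), ("google.com", GOOGLE_CERT),
                       ("mail.bing.cn", BING_CN_CERT)]:
        print(f"{host:13} CN={cert.subject_cn:16} authorized={cert_authorizes(host, cert)}")
```

Note that google.com itself is not covered by the *.google.com wildcard; it is accepted only because the SAN list also carries the bare name, which is the same mechanism that makes bing.cn valid under a *.wordpress.com CN.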