TLS certificate status: Hostname mismatch
Percentage of SSL/TLS servers with certificate status Hostname mismatch. Showing percentages for Nefarious servers only.

About this test result: While connecting to server X we were offered a certificate of server Y. This will generate a certificate warning on the IRC client.
Note that some servers don't offer a valid certificate for their own server name; in that case we try to match the certificate against the round-robin name. We do this by resolving the certificate CN and any SANs back to IP addresses to see whether they match the server. For wildcard DNS we do the same with some heuristics like irc.domain.tld. This test is not perfect in the case of geotargeted DNS, or of wildcard certificates where irc.domain.tld is not in use. This test result may thus contain some false positives.
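The fallback check described above, sketched as an added example (not the code used to produce these statistics). The function names, result labels and the sample DNS data are assumptions made for illustration, and wildcard handling is limited to the irc.domain.tld probe the text mentions.

```python
import socket

def name_matches(pattern, host):
    """Certificate name match; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def system_resolver(name):
    """Return the set of IP addresses a name resolves to (empty on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except (socket.gaierror, UnicodeError):
        return set()

def classify(server_host, server_ip, cert_names, resolve=system_resolver):
    """Return 'ok', 'ok-round-robin' or 'hostname-mismatch' (labels are hypothetical)."""
    # Step 1: does the CN or any SAN cover the server's own name?
    if any(name_matches(n, server_host) for n in cert_names):
        return "ok"
    # Step 2: resolve each certificate name back to IPs and look for the server.
    for name in cert_names:
        # Wildcard heuristic from the text: probe irc.<domain> instead of '*.<domain>'.
        candidate = "irc." + name[2:] if name.startswith("*.") else name
        if server_ip in resolve(candidate):
            return "ok-round-robin"
    return "hostname-mismatch"

# Constructed sample DNS view (documentation address ranges, example domains).
FAKE_DNS = {
    "irc.example.net": {"192.0.2.10", "192.0.2.11"},
    "irc.example.org": {"198.51.100.7"},
}

def fake_resolve(name):
    return FAKE_DNS.get(name.lower(), set())

if __name__ == "__main__":
    print(classify("hub1.example.net", "192.0.2.10", ["irc.example.net"], fake_resolve))
    # A server that geotargeted DNS never returns to this vantage point is
    # reported as a mismatch even if its certificate is legitimate.
    print(classify("hub9.example.net", "192.0.2.99", ["irc.example.net"], fake_resolve))
```

The second call shows where the false positives come from: the result depends on which addresses the resolver hands back to the scanner.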
Note on statistics:
- There is a difference in the gathering of TLS servers between 2017-2019 and 2020-onwards, see SSL/TLS statistics on the data page.
- For certificate validation errors, OpenSSL (s_client) returns a single error only, so only 1 of the errors is picked even though one server cert could have multiple errors.
- However, from 2023 onwards "Expired" is detected even when there are other errors (e.g. Unknown CA).
Version | Sep 2017 | Dec 2018 | Dec 2019 | Dec 2020 | Dec 2021 | Dec 2022 | Dec 2023 |
---|---|---|---|---|---|---|---|
2.0 | 2% | 2% | 0% | 0% | 0% | 0% | 3% |