Closed
Bug 138792
Opened 22 years ago
Closed 22 years ago
subjectAltName on server certs not used for domain verification
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 103752
People
(Reporter: martin.schaller, Assigned: ssaux)
Details
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [de] (X11; U; Linux 2.4.5-xfs i686)
BuildID: 2002041711

When opening a secure connection to a server with one or multiple subjectAltName of type dNSName, Mozilla claims a Domain Name Mismatch (because of using only the Common Name)

Reproducible: Always
Steps to Reproduce:
Contact me by mail for a Test-URL (martin.schaller@gmx.de)

Actual Results: A "Security Error: Domain Name Mismatch" window pops up

Expected Results: No security error

From RFC2818:
3. Endpoint Identification
3.1. Server Identity
[...]
If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.
[...]
If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)
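Added example (not part of the original report, and not NSS or PSM code): the RFC 2818 section 3.1 selection rule quoted in the description, written in Python and run over constructed certificates shaped like the dict returned by `ssl.SSLSocket.getpeercert()`. The function names, the sample hostnames, taking the last CN as the "most specific" one, and allowing `*` only as a whole left-most label are assumptions of this example.

```python
# Added example: RFC 2818 section 3.1 identity selection over constructed data.

def common_names(cert):
    """All commonName values in the subject, in certificate order."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def reference_identities(cert):
    """Return (source, names): the identities RFC 2818 3.1 says must be checked."""
    dns_names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_names:
        # A dNSName is present: it MUST be used, and the Common Name is ignored.
        return "dNSName", dns_names
    # Fallback: the most specific Common Name (assumption: the last CN listed).
    return "commonName", common_names(cert)[-1:]

def label_match(pattern, host):
    """Case-insensitive compare; '*' honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def host_matches(cert, host):
    """RFC 2818 behaviour: a match against any one selected identity is enough."""
    _, names = reference_identities(cert)
    return any(label_match(n, host) for n in names)

def cn_only_matches(cert, host):
    """Behaviour described in the report: only the Common Name is consulted."""
    return any(label_match(n, host) for n in common_names(cert)[-1:])

# Constructed sample certificates (hostnames are placeholders, not from the report).
MULTI_SAN = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "mail.example.test")),
}
CN_ONLY = {"subject": ((("commonName", "legacy.example.test"),),)}
SAN_OVERRIDES_CN = {
    "subject": ((("commonName", "old.example.test"),),),
    "subjectAltName": (("DNS", "new.example.test"),),
}
```

Comparing `cn_only_matches` with `host_matches` on `MULTI_SAN` reproduces the false mismatch for a name listed only as a dNSName. On `SAN_OVERRIDES_CN` the same comparison shows a CN-only check accepting a hostname that the certificate's dNSName list does not contain.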
Comment 1•22 years ago
To PSM. This creates a false perception about the server's cert and makes a user think a server is insecure when it is in fact secure.
Assignee: mstoltz → ssaux
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Security: General → Client Library
Ever confirmed: true
Keywords: nsbeta1
OS: Linux → All
Product: Browser → PSM
QA Contact: bsharma → junruh
Hardware: PC → All
Version: other → 2.0
Assignee
Comment 2•22 years ago
Should we reassign this to NSS or is it PSM responsibility to check the subject alt name?
Comment 3•22 years ago
IINM, PSM uses an NSS function for this purpose. The NSS function needs to be enhanced. I believe there is already a bug against NSS for this. I'll look for it.
Comment 4•22 years ago
This bug appears to be a duplicate of http://bugzilla.mozilla.org/show_bug.cgi?id=103752
*** This bug has been marked as a duplicate of 103752 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Product: Core → Core Graveyard