Closed Bug 201429 Opened 21 years ago Closed 21 years ago

Incorrect certificate used when accessing multiple servers with self signed certificates

Categories

(Core Graveyard :: Security: UI, defect)

Other Branch
x86
Windows 2000
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 93091

People

(Reporter: jsissom, Assigned: darin.moz)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

This bug is hard to explain, but here's how to repeat it.  The web addresses
below are development web servers that we use.  They may or may not be up when
you try it.  Both servers are Apache 1.2.27 with mod_ssl with self signed
certificates.  I assume that any two web servers with self signed certificates
would work, but I've only tried these two.

1. Start the browser.
2. Access the first server https://stones.uits.indiana.edu/
3. Accept this self signed certificate for this session
4. Access the second server https://toybox.uits.indiana.edu:9443/

You'll see that it complains that the certificate for stones.uits.indiana.edu
doesn't match the host name of toybox.uits.indiana.edu.  It is comparing the
certificate from the first server with the second server.  This is the bug.


Reproducible: Always

Actual Results:  
You cannot access the 2nd server because of the "certificate mismatch".  If you
try to access this second server in the same session, you'll get the error message:

Could not establish an encrypted connection because certificate presented by
toybox.uits.indiana.edu is invalid or corrupted.  Error Code: -8182



Expected Results:  
After step 4, Mozilla should have given the dialog box asking about the self
signed certificate for toybox.uits.indiana.edu.  It should have allowed you to
accept it for this session, all sessions or not accept it.  It should not
compare the certificate information from the last server with this one.

The same thing happens with Mozilla 1.1, except the error message that appears
when trying to access the 2nd web site a 2nd time says:

"stones.uits.indiana.edu received a message with incorrect Message
Authentication Code. If the error occurs frequently, contact the website
administrator."

I tried accessing the two web sites in different orders and I get the same
invalid result either way.

The problem seems to be the duplicate serial numbers. See the duped bug.

*** This bug has been marked as a duplicate of 93091 ***
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Component: Networking → Client Library
Product: Browser → PSM
QA Contact: benc → ckritzer
Resolution: --- → DUPLICATE
Version: Trunk → unspecified

Just for reference, from RFC 3280:

4.1.2.2 Serial number

The serial number MUST be a positive integer assigned by the CA to
each certificate. It MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
certificate). CAs MUST force the serialNumber to be a non-negative
integer.
Severity: blocker → critical
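The RFC text above is why the duplicate serial numbers noted in the previous comment matter: anything that identifies certificates by the (issuer name, serial number) pair, as the standard says is sufficient, will hand back the wrong certificate when two servers present certificates that share both values, which is the hostname-mismatch symptom the reporter describes. The script below is an added example, not code from the bug report or from Mozilla/NSS. It checks a set of PEM certificates for such collisions; it assumes the openssl CLI is installed, and the keys, DNs and serial numbers it generates are constructed for illustration only.

```shell
#!/bin/sh
# Added example (not from the bug report): find (issuer, serial) collisions in
# a set of PEM certificates, the condition RFC 3280 4.1.2.2 forbids.
# Assumes the openssl CLI; every certificate used here is generated below.
set -eu

# issuer_serial_key FILE: print "issuer=...|serial=...|" for one PEM certificate.
# This pair is what RFC 3280 says identifies a certificate, so it is the key
# a cache would collide on.
issuer_serial_key() {
    openssl x509 -in "$1" -noout -issuer -serial | tr '\n' '|'
    echo
}

# collision_count FILE...: number of distinct (issuer, serial) pairs that
# occur in more than one of the given files (0 means no collisions).
collision_count() {
    for f in "$@"; do
        issuer_serial_key "$f"
    done | sort | uniq -d | wc -l | tr -d ' '
}

# make_cert FILE SUBJECT SERIAL: throwaway self-signed certificate with a
# fixed serial number, the way a copied server-setup recipe might create it.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "$2" -set_serial "$3" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed scenario: two dev servers whose admins reused the same DN and
# hard-coded serial 1. Being self-signed, their issuer is that shared DN,
# so the two certificates are indistinguishable by (issuer, serial).
make_cert "$WORK/a.pem" "/O=Example Dev/CN=dev-server" 1
make_cert "$WORK/b.pem" "/O=Example Dev/CN=dev-server" 1
# Same DN, different serial: a distinct certificate under the RFC's rule.
make_cert "$WORK/c.pem" "/O=Example Dev/CN=dev-server" 2

echo "colliding (issuer, serial) pairs: $(collision_count "$WORK/a.pem" "$WORK/b.pem" "$WORK/c.pem")"   # prints 1
```

Run it against the certificate files of the servers you are comparing; in the constructed scenario a.pem and b.pem collide and c.pem does not, because only the serial number differs. Since a self-signed certificate's issuer is its own subject, two such certificates can only share this key when the DN was reused as well; current OpenSSL versions pick a large random serial when -set_serial is omitted, which avoids the problem for newly generated certificates.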

Verified dupe.
Status: RESOLVED → VERIFIED
QA Contact: ckritzer → bmartin
Product: PSM → Core
Product: Core → Core Graveyard