Closed
Bug 201429
Opened 21 years ago
Closed 21 years ago
Incorrect certificate used when accessing multiple servers with self signed certificates
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
People
(Reporter: jsissom, Assigned: darin.moz)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

This bug is hard to explain, but here's how to repeat it. The web addresses below are development web servers that we use. They may or may not be up when you try it. Both servers are Apache 1.2.27 with mod_ssl with self-signed certificates. I assume that any two web servers with self-signed certificates would work, but I've only tried these two.

1. Start the browser.
2. Access the first server https://stones.uits.indiana.edu/
3. Accept this self-signed certificate for this session
4. Access the second server https://toybox.uits.indiana.edu:9443/

You'll see that it complains that the certificate for stones.uits.indiana.edu doesn't match the host name of toybox.uits.indiana.edu. It is comparing the certificate from the first server with the second server. This is the bug.

Reproducible: Always

Steps to Reproduce:
1. Start the browser.
2. Access the first server https://stones.uits.indiana.edu/
3. Accept this self-signed certificate for this session
4. Access the second server https://toybox.uits.indiana.edu:9443/

You'll see that it complains that the certificate for stones.uits.indiana.edu doesn't match the host name of toybox.uits.indiana.edu. It is comparing the certificate from the first server with the second server. This is the bug.

Actual Results:
You cannot access the 2nd server because of the "certificate mismatch". If you try to access this second server in the same session, you'll get the error message:

Could not establish an encrypted connection because certificate presented by toybox.uits.indiana.edu is invalid or corrupted. Error Code: -8182

Expected Results:
After step 4, Mozilla should have given the dialog box asking about the self-signed certificate for toybox.uits.indiana.edu. It should have allowed you to accept it for this session, all sessions or not accept it.
It should not compare the certificate information from the last server with this one.
Comment 1•21 years ago
The same thing happens with Mozilla 1.1, except the error message that appears when trying to access the 2nd web site a 2nd time says: "stones.uits.indiana.edu received a message with incorrect Message Authentication Code. If the error occurs frequently, contact the website administrator." I tried accessing the two web sites in different orders and I get the same invalid result either way.
Comment 2•21 years ago
The problem seems to be the duplicate serial numbers. See the duped bug.

*** This bug has been marked as a duplicate of 93091 ***
URL: See below
Status: UNCONFIRMED → RESOLVED
Closed: 21 years ago
Component: Networking → Client Library
Product: Browser → PSM
QA Contact: benc → ckritzer
Resolution: --- → DUPLICATE
Version: Trunk → unspecified
Comment 3•21 years ago
Just for reference, from RFC 3280:

4.1.2.2 Serial number

The serial number MUST be a positive integer assigned by the CA to each certificate. It MUST be unique for each certificate issued by a given CA (i.e., the issuer name and serial number identify a unique certificate). CAs MUST force the serialNumber to be a non-negative integer.
Severity: blocker → critical
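Comment 2 attributes the failure to duplicate serial numbers and Comment 3 quotes the RFC 3280 rule that issuer name plus serial must identify a unique certificate. The following is an added example, not code from this bug, Mozilla or NSS: a minimal DER walk that pulls (issuer, serial) out of a certificate, shows that two certificates sharing that pair but differing in subject and key collide under it while their SHA-256 fingerprints stay distinct, and flags such collisions in a set of certificates. The fake_cert builder, the "Dev CA" issuer and the 16-byte stand-in keys are constructed sample data, not the real servers' certificates.

```python
import hashlib

def tlv(tag, body):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def issuer_and_serial(cert_der):
    """Walk Certificate -> TBSCertificate -> [version] serial sigAlg issuer."""
    _, tbs, _ = read_tlv(cert_der, 0)
    _, body, _ = read_tlv(tbs, 0)
    tag, _, nxt = read_tlv(body, 0)
    pos = nxt if tag == 0xA0 else 0            # skip optional [0] EXPLICIT version
    tag, serial, pos = read_tlv(body, pos)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    _, _, pos = read_tlv(body, pos)            # signature AlgorithmIdentifier
    return read_tlv(body, pos)[1], int.from_bytes(serial, "big", signed=True)

def fingerprint(cert_der):
    """Identity that cannot collide across different certificates: hash of the DER."""
    return hashlib.sha256(cert_der).hexdigest()

def find_issuer_serial_collisions(certs):
    """(issuer, serial) pairs that more than one distinct certificate claims."""
    seen = {}
    for c in certs:
        seen.setdefault(issuer_and_serial(c), set()).add(fingerprint(c))
    return [k for k, fps in seen.items() if len(fps) > 1]

def name(cn):   # constructed Name holding a single commonName attribute
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x13, cn.encode()))))

def fake_cert(issuer_cn, subject_cn, serial, key):
    """Constructed, unsigned stand-in for a certificate (not a valid X.509 cert)."""
    ser = serial.to_bytes(serial.bit_length() // 8 + 1, "big", signed=True)
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, ser)
           + tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))   # sha1WithRSA OID
           + name(issuer_cn) + tlv(0x30, tlv(0x17, b"030320000000Z") + tlv(0x17, b"040320000000Z"))
           + name(subject_cn) + tlv(0x30, tlv(0x03, b"\x00" + key)))
    return tlv(0x30, tlv(0x30, tbs))

# Constructed sample: both dev servers' certs reuse serial 1 under the same issuer name.
CERTS = [fake_cert("Dev CA", "stones.uits.indiana.edu", 1, b"\x01" * 16),
         fake_cert("Dev CA", "toybox.uits.indiana.edu", 1, b"\x02" * 16)]
```

A client that caches a session override or a validated cert by (issuer, serial) will hand back the first server's certificate for the second, which is the mismatch the reporter saw; keying on the fingerprint keeps the two apart.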
Updated•8 years ago
Product: Core → Core Graveyard