Closed Bug 438322 Opened 16 years ago Closed 16 years ago

ff3 accepts wildcard cert for multiple domain components

Categories

(Firefox :: Security, defect)

PowerPC
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 159483

People

(Reporter: kajtzu, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9) Gecko/2008053008 Firefox/3.0

When accessing a site using SSL and having a wildcard certificate, FF will happily load the page even if there are multiple domain components being replaced by the wildcard.

RFC 2818 (HTTP over TLS) section 3.1 states:

"Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com."

Microsoft KB 258858 seems to kind of agree with me as well. ;-)

Reproducible: Always

Steps to Reproduce:
Accessing beta.ipv6.fortn.net (IPv6 only service, sorry) using SSL works fine using Firefox but not using Safari. Safari complains that the certificate does not match the hostname being accessed.

Actual Results:  
Works

Expected Results:  
IMHO FF should complain as well.
Netscape has always worked like that, and some sites depend on it (unfortunately).
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
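
The RFC 2818 section 3.1 rule quoted in the report, next to a model of the permissive matching the report describes, as an added example that is not part of the original bug and is not Firefox or NSS code. The function names and the `example.net` hostnames are constructed for illustration, and letting a fragment wildcard match zero characters is an assumption the RFC text does not settle.

```python
import re

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against one pattern label."""
    if "*" not in pattern:
        return pattern == label
    # '*' matches a fragment of this label only; the label holds no dots.
    regex = "[^.]*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, label) is not None

def rfc2818_match(pattern: str, hostname: str) -> bool:
    """Strict rule: '*' replaces a single component or component fragment."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(h_labels):
        return False  # reject empty labels such as ".a.com"
    if len(p_labels) != len(h_labels):
        return False  # a wildcard can never absorb extra labels
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))

def permissive_match(pattern: str, hostname: str) -> bool:
    """Model of the reported behaviour: '*' is allowed to span dots."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, hostname.lower()) is not None

# (certificate name, requested hostname); the first four pairs are the
# RFC's own examples, the last is constructed to mirror the report.
SAMPLES = [
    ("*.a.com", "foo.a.com"),
    ("*.a.com", "bar.foo.a.com"),
    ("f*.com", "foo.com"),
    ("f*.com", "bar.com"),
    ("*.example.net", "beta.ipv6.example.net"),
]

def disagreements(samples=SAMPLES):
    """Return the pairs the permissive matcher accepts but RFC 2818 rejects."""
    return [(p, h) for p, h in samples
            if permissive_match(p, h) and not rfc2818_match(p, h)]

if __name__ == "__main__":
    for pattern, host in SAMPLES:
        print(f"{pattern:16} {host:24} strict={rfc2818_match(pattern, host)} "
              f"permissive={permissive_match(pattern, host)}")
```

The pairs returned by `disagreements()` are the ones where a certificate issued for one level of a domain is accepted for a deeper subdomain under the permissive rule, which is the difference between the two browsers that the report observes.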