Closed Bug 1112472 Opened 10 years ago Closed 9 years ago

Firefox can't handle multi domain ssl cert

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
34 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: ffchung2002, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141125180439

Steps to reproduce:

As the ssl cert have support 2 domain, 
  1. trade.iex.hk
  2. www.isurewin.com

it normal if go to trade.iex.hk,
but it go wrong if go to www.isurewin.com

Fail Case : https://www.isurewin.com/duration_dev/web/cs_reserve.jsp?lang=tchi


Actual results:

This Connection is Untrusted

You have asked Firefox to connect securely to www.isurewin.com, but we can't confirm that your connection is secure.


Expected results:

Normal it will just go to the site with ssl.
Additional Information on the Actual results : 

This Connection is Untrusted

You have asked Firefox to connect securely to www.isurewin.com, but we can't confirm that your connection is secure.

Technical Details

www.isurewin.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
Component: Untriaged → Security
It looks like that server isn't sending any intermediate certificates. As far as I can tell, it needs to include the DigiCert SHA2 High Assurance Server CA. Otherwise, Firefox can't find a path to a trusted root.
I am not sure about that, but it worked on other browser like chrome and ie.

Also same cert work on trade.iex.hk but not www.isurewin.com on Firefox.
(In reply to ffchung2002 from comment #3)
> I am not sure about that, but it worked on other browser like chrome and ie.

Probably because the intermediate certs are already installed there. It works on my Firefox profile because it has the intermediate certs, too. The server should still be providing them. See e.g. :

https://www.sslshopper.com/ssl-checker.html#hostname=www.isurewin.com/duration_dev/web/cs_reserve.jsp?lang=tchi


> Also same cert work on trade.iex.hk but not www.isurewin.com on Firefox.

https://www.sslshopper.com/ssl-checker.html#hostname=trade.iex.hk

shows that in this case, the server provides the right chain of certs (DigiCert High Assurance CA-3 and DigiCert High Assurance EV Root CA). This is a server configuration problem, not a Firefox bug.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.