Firefox can't handle multi domain ssl cert

RESOLVED INVALID

Product: Firefox
Component: Security
Reporter: ffchung2002
Assignee: Unassigned
Version: 34 Branch
Platform: x86_64, Windows 7

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141125180439

Steps to reproduce:

As the SSL cert supports 2 domains,
  1. trade.iex.hk
  2. www.isurewin.com

it works normally when going to trade.iex.hk,
but it goes wrong when going to www.isurewin.com

Fail Case : https://www.isurewin.com/duration_dev/web/cs_reserve.jsp?lang=tchi


Actual results:

This Connection is Untrusted

You have asked Firefox to connect securely to www.isurewin.com, but we can't confirm that your connection is secure.


Expected results:

Normally it will just go to the site with SSL.
(Reporter)

Comment 1

3 years ago
Additional information on the actual results:

This Connection is Untrusted

You have asked Firefox to connect securely to www.isurewin.com, but we can't confirm that your connection is secure.

Technical Details

www.isurewin.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)
(Reporter)

Updated

3 years ago
Component: Untriaged → Security

Comment 2

It looks like that server isn't sending any intermediate certificates. As far as I can tell, it needs to include the DigiCert SHA2 High Assurance Server CA. Otherwise, Firefox can't find a path to a trusted root.
(Reporter)

Comment 3

3 years ago
I am not sure about that, but it worked on other browsers like Chrome and IE.

Also, the same cert works on trade.iex.hk but not on www.isurewin.com in Firefox.

Comment 4

3 years ago
(In reply to ffchung2002 from comment #3)
> I am not sure about that, but it worked on other browsers like Chrome and IE.

Probably because the intermediate certs are already installed there. It works on my Firefox profile because it has the intermediate certs, too. The server should still be providing them. See e.g.:

https://www.sslshopper.com/ssl-checker.html#hostname=www.isurewin.com/duration_dev/web/cs_reserve.jsp?lang=tchi


> Also, the same cert works on trade.iex.hk but not on www.isurewin.com in Firefox.

https://www.sslshopper.com/ssl-checker.html#hostname=trade.iex.hk

shows that in this case, the server provides the right chain of certs (DigiCert High Assurance CA-3 and DigiCert High Assurance EV Root CA). This is a server configuration problem, not a Firefox bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
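
The chain gap described in comments 2 and 4, as an added example (not part of the bug thread and not Mozilla's code): it parses the "Certificate chain" section of `openssl s_client -showcerts` output and reports the first issuer that the server did not send and the client does not already hold. The sample text, the `FRESH_PROFILE` set and the function names are assumptions made for illustration, and matching is by subject name only, not by signature verification.

```python
import re

# Constructed samples in the style of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; names are simplified, not captured output.
LEAF_ONLY = """Certificate chain
 0 s:CN = www.isurewin.com
   i:CN = DigiCert SHA2 High Assurance Server CA
---"""
FULL_CHAIN = """Certificate chain
 0 s:CN = trade.iex.hk
   i:CN = DigiCert High Assurance CA-3
 1 s:CN = DigiCert High Assurance CA-3
   i:CN = DigiCert High Assurance EV Root CA
---"""
# Assumption: what a fresh client profile trusts, identified by subject name only.
FRESH_PROFILE = {"CN = DigiCert High Assurance EV Root CA"}


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+\s+s:(.*)$", line)
        i = re.match(r"\s*i:(.*)$", line)
        if s:
            subject = s.group(1).strip()
        elif i and subject is not None:
            chain.append((subject, i.group(1).strip()))
            subject = None
    return chain


def missing_issuer(text, known=FRESH_PROFILE):
    """Walk leaf -> issuer by name; return the first issuer that is neither sent
    by the server nor already known to the client, or None if a path exists."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 's:'/'i:' certificate lines found")
    issuer_of = dict(chain)
    current, seen = chain[0][0], set()
    while True:
        issuer = issuer_of[current]
        if issuer in known:
            return None                      # path reaches something the client has
        if issuer not in issuer_of or issuer in seen or issuer == current:
            return issuer                    # nobody supplied this certificate
        seen.add(current)
        current = issuer
```

Passing a `known` set that also contains the intermediate's name models a profile that has already cached it, which is why the same leaf-only response can load in one browser profile and fail in another.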