nsISSLStatusProvider.SSLStatus.serverCert should contain the list of subject alternative names

Status: NEW
Assignee: Unassigned
Product: Core
Component: Security: PSM
Priority: P5
Type: enhancement
Opened: 3 years ago
Last modified: 2 years ago

People

(Reporter: April, Unassigned)

Tracking

Version: 42 Branch

Firefox Tracking Flags

(firefox42 affected)

Details

(Whiteboard: [psm-backlog])

(Reporter)

Description

3 years ago
Alongside such attributes as organization, organizationUnit, serialNumber, sha256Fingerprint, subjectName, etc., it would be nice to have an array called subjectAltName that contains the list of all subjectAltName records.

> this.cert.subjectName
< "CN=*.wikipedia.org,O="Wikimedia Foundation, Inc.",L=San Francisco,ST=California,C=US"

> this.cert.subjectAltName
< Array [ "*.wikipedia.org", "*.mediawiki.org", "*.wikibooks.org", "*.wikidata.org" ...]

Right now, the only obvious way to get at this data is to grab the cert's ASN1Structure, send it to ASN1Tree.loadASN1Structure(), and then iterate through ASN1Tree.getDisplayData until you find the extension.
Comment 1

April, I forgot the context for this - is this more of a front-end-directed issue?
Flags: needinfo?(april)

Comment 2

2 years ago
I was the one originally running into this issue. I had a plugin and was trying to show the subjectAltName in a popup. We use a certificate on a proxy server that we connect to from the plugin, and I would like to inform my user for which domains the certificate is valid. Mainly to show simple errors like "You use 'xxx' to reach the proxy, but the certificate is only valid for '192.168.1.152, xxx.somedomain.com, yyy.otherdomain.com'". This way my end user can decide whether a different cert should be installed, or whether he just needs to use the FQDN or IP instead.

We use the plugin mostly in internal networks where you can have a multitude of ways to reach the same server.
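A hostname-to-SAN check of the kind Comment 2 describes, as an added example that is not code from this bug or from Firefox: it assumes the SAN list is already available as an array of {type, value} entries (the shape the reporter asks for) and applies the RFC 6125 name-matching rules an add-on would need before telling the user which names a certificate covers. The proxySans sample is constructed from the names quoted in Comment 2.

```javascript
// Added example (not from the bug or from Firefox): assumes the SAN list is
// available as [{type: "dns"|"ip", value}], the shape the reporter asks for.

function isIPv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Case-insensitive comparison; a trailing dot is not significant.
function normalize(name) {
  return name.toLowerCase().replace(/\.$/, "");
}

// Does one dNSName entry cover the host? Per RFC 6125 a wildcard is honoured
// only as the entire leftmost label, with at least two labels after it (so
// "*.com" never matches), and it stands in for exactly one host label.
function dnsNameMatches(sanName, host) {
  const san = normalize(sanName);
  const h = normalize(host);
  if (isIPv4Literal(h)) return false; // a dNSName never matches an IP literal
  if (!san.startsWith("*.")) return san === h;
  const sanLabels = san.split(".");
  const hostLabels = h.split(".");
  if (sanLabels.length < 3 || sanLabels.length !== hostLabels.length) return false;
  if (hostLabels[0] === "") return false;
  return sanLabels.slice(1).join(".") === hostLabels.slice(1).join(".");
}

// Check the typed host against every entry. iPAddress entries are compared
// exactly; the subject CN is deliberately not consulted.
function hostCoveredBy(host, sanList) {
  const h = normalize(host);
  if (isIPv4Literal(h)) return sanList.some((e) => e.type === "ip" && e.value === h);
  return sanList.some((e) => e.type === "dns" && dnsNameMatches(e.value, h));
}

// The message from Comment 2 when the host is not covered, otherwise null.
function explainMismatch(host, sanList) {
  if (hostCoveredBy(host, sanList)) return null;
  const names = sanList.map((e) => e.value).join(", ");
  return `You use '${host}' to reach the proxy, but the certificate is only valid for '${names}'`;
}

// Constructed sample modelled on the proxy certificate described in Comment 2.
const proxySans = [
  { type: "ip", value: "192.168.1.152" },
  { type: "dns", value: "xxx.somedomain.com" },
  { type: "dns", value: "yyy.otherdomain.com" },
];
console.log(explainMismatch("xxx", proxySans)); // the mismatch message from Comment 2
```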
(Reporter)

Comment 3

2 years ago
:keeler -- yes, it's a frontend directed issue, mostly for people who are developing add-ons around the TLS state.
Flags: needinfo?(april)
Priority: -- → P5
Whiteboard: [psm-backlog]