Closed Bug 1200577 Opened 5 years ago Closed 4 years ago

mail.kdlan.de cert has SAN dNSName entries incorrectly containing IP addresses

Categories

(Web Compatibility :: Desktop, defect)

x86
Other
defect
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: andreasjunghw, Unassigned)

References

()

Details

Attachments

(1 file)

Attached image Certificate Error
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 20150826023504

Steps to reproduce:

Visiting https://mail.kdlan.de/ fails with the error ssl_error_bad_cert_domain.

The list of names that the certificate is valid for includes mail.kdlan.de, see screenshot.

This works fine with both Internet Explorer and Chrome, both accept the certificate without any problems.


Actual results:

The connection fails with a certificate error.


Expected results:

The connection succeeds without error.
https://www.ssllabs.com/ssltest/analyze.html?d=mail.kdlan.de
Summary: Unexpected bad_cert_domain certificate error → Unexpected bad_cert_domain certificate error on mail.kdlan.de
Confirmed to be true.

Common name: kdlan.de
SANs: kdlan.de, autodiscover.kappel-dierolf.de, kappel-dierolf.de, srv-exch13.kdlan.local, srv-print.kdlan.local, srv-co.kdlan.local, srv-exch.kdlan.local, autodiscover.kdlan.local, srv-dms.kdlan.local, IP Address:188.111.104.126, 188.111.104.126, IP Address:178.15.76.19, 178.15.76.19, mail.kdlan.de, autodiscover.kdlan.de

From a different browser, this works fine.
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
OS: Unspecified → Other
Hardware: Unspecified → x86
Regression range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b915a50bc6be&tochange=0532f2509f3f

maybe bug 1073867
Component: Security → Security: PSM
Product: Firefox → Core
Version: 40 Branch → 37 Branch
Blocks: 1073867
The cert in question is an RSA cert. I'll post a comment describing the issue and possible solutions soon.
No longer blocks: 1073867
As noted in comment 2:

openssl x509 -text -inform PEM -in <server cert for https://mail.kdlan.de/ in PEM format>
> X509v3 Subject Alternative Name: 
>     [...]
>     IP Address:188.111.104.126,
       ^^^^^^^^^^^^^^^^^^^^^^^^^^ Entries like these are correct and fine.
>     DNS:188.111.104.126,
>     DNS:178.15.76.19,
       ^^^^^^^^^^^^^^^^^^^^ Entries like these are incorrectly encoded.

Firefox (or rather, mozilla::pkix, the certificate verification library we use) is complaining about the incorrectly encoded IP address in dNSName entries.
See Bug 1170303 comment 0 for why ssl_error_bad_cert_domain is being returned here.

Some possible solutions:
1. Remove the IP address entries entirely.
   - Of course, this might not be feasible.
2. Correctly encode the IP addresses as iPAddress entries instead of dNSName entries.
   - This may cause compat issues with older versions of IE though.
3. Use the workaround from Bug 1148766 comment 52.
   - However, there is no guarantee that this will continue to work.
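The encoding problem described in the comment above can be checked mechanically. The following is an added example, not code from the bug or from Mozilla: it carries a minimal DER encoder/decoder (written here, not a library API) for the SubjectAltName GeneralNames structure, a lint pass that flags dNSName entries whose value is an IP literal, and a repair step that applies solution 1 (drop them) or solution 2 (re-encode them as iPAddress). The sample SAN is constructed from the entries quoted in comment 2 and is not the real certificate's DER.

```python
import ipaddress

# GeneralNames ::= SEQUENCE OF GeneralName (RFC 5280, 4.2.1.6)
TAG_SEQUENCE = 0x30    # universal SEQUENCE
TAG_DNSNAME = 0x82     # [2] IMPLICIT IA5String    -> dNSName
TAG_IPADDRESS = 0x87   # [7] IMPLICIT OCTET STRING -> iPAddress (4 or 16 bytes)


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def dns_name(name):
    return _tlv(TAG_DNSNAME, name.encode("ascii"))


def ip_address(ip):
    # iPAddress carries the raw network-order bytes, never the dotted text
    return _tlv(TAG_IPADDRESS, ipaddress.ip_address(ip).packed)


def general_names(*entries):
    return _tlv(TAG_SEQUENCE, b"".join(entries))


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_san(der):
    """Decode GeneralNames into a list of (kind, value) tuples."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a well-formed GeneralNames SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNSNAME:
            entries.append(("dNSName", value.decode("ascii")))
        elif tag == TAG_IPADDRESS:
            if len(value) not in (4, 16):
                raise ValueError("iPAddress must be 4 (IPv4) or 16 (IPv6) bytes")
            entries.append(("iPAddress", str(ipaddress.ip_address(value))))
        else:
            entries.append(("tag[%d]" % (tag & 0x1F), value.hex()))
    return entries


def lint_san(entries):
    """Return the dNSName values that are really IP address literals."""
    bad = []
    for kind, value in entries:
        if kind != "dNSName":
            continue
        try:
            ipaddress.ip_address(value)
        except ValueError:
            continue          # an ordinary hostname, nothing to report
        bad.append(value)
    return bad


def repair_san(der, mode="convert"):
    """Re-encode the SAN with offending dNSName entries dropped (mode='drop',
    solution 1) or turned into iPAddress entries (mode='convert', solution 2)."""
    entries = parse_san(der)
    offending = set(lint_san(entries))
    present_ips = {v for k, v in entries if k == "iPAddress"}
    out = []
    for kind, value in entries:
        if kind == "dNSName" and value in offending:
            if mode == "convert" and value not in present_ips:
                out.append(ip_address(value))
                present_ips.add(value)
            continue              # drop the bogus dNSName in both modes
        out.append(dns_name(value) if kind == "dNSName" else ip_address(value))
    return general_names(*out)


# Constructed sample mirroring the SAN quoted in comment 2 (not the real DER).
EXAMPLE_SAN = general_names(
    dns_name("kdlan.de"),
    ip_address("188.111.104.126"),   # correct: iPAddress entry
    dns_name("188.111.104.126"),     # defect: IP literal inside a dNSName
    dns_name("178.15.76.19"),        # defect: same
    dns_name("mail.kdlan.de"),
)

if __name__ == "__main__":
    for bad in lint_san(parse_san(EXAMPLE_SAN)):
        print("dNSName %r is an IP literal; encode it as iPAddress" % bad)
    print(parse_san(repair_san(EXAMPLE_SAN)))
```

With the sample above, the lint reports the two dotted-quad dNSName entries, and the converted SAN ends up with exactly one iPAddress per address (the existing 188.111.104.126 entry is kept rather than duplicated). This is the same distinction the openssl output in comment 2 draws between the `IP Address:` and `DNS:` lines.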
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
See Also: → 1148766
Summary: Unexpected bad_cert_domain certificate error on mail.kdlan.de → mail.kdlan.de cert has SAN dNSName entries incorrectly containing IP addresses
Version: 37 Branch → unspecified
Fixed.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility