Bug 1281475 - Same Subdomain (app.) for different domains (first.com and second.de) seems to erroneously validate certificate
Status: Closed, RESOLVED INCOMPLETE
Opened 9 years ago
Closed 9 years ago
Categories: Core :: Security: PSM, defect
People: Reporter: joh.schwartz, Unassigned, NeedInfo
Attachments (1 file): 211.27 KB, image/png
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Steps to reproduce:
Created a valid Certificate with letsencrypt for app.first.com. Pointed dns record of domain app.second.de to the same server, delivering the same certificate (app.first.com).
Actual results:
The certificate was validated for the wrong domain, even though the certificate was the wrong one.
Expected results:
Certificate should have been rejected; Warning that Connection is insecure should have been displayed.
(Other Browsers did so)
Comment 1•9 years ago
Which version of Firefox? Can you attach the public information of the certificates and/or provide a test URL where this problem happens?
Group: firefox-core-security → core-security
Component: Untriaged → Security: PSM
Flags: needinfo?(joh.schwartz)
Product: Firefox → Core
Comment 2 (Reporter)•9 years ago
Firefox Version: 45.2.0
(on debian 8)
Also tested on windows 7.
Invalid (but "green") certificate.
https://app.bpm.de/
Unfortunately, I have to change the certificate to a proper one in the next two hours.
Comment 3•9 years ago
(In reply to joh.schwartz from comment #2)
> Firefox Version: 45.2.0
> (on debian 8)
>
> Also tested on windows 7.
>
> Invalid (but "green") certificate.
> https://app.bpm.de/
>
> unfortunately, I have to change the certificate to a proper one in the next
> two hours.
When I connect here, I see:
app.bpm.de uses an invalid security certificate. The certificate is only valid for the following names: quadriga-circle.com, www.quadriga-circle.com Error code: SSL_ERROR_BAD_CERT_DOMAIN
and a normal error page. Tested with 48 beta on OS X as well as 45.0.1 on Windows 8.
Did you at any point add an exception for this cert, or did you use to have a different cert for the app.bpm.de site? When you use the icon to the left of the location bar to view certificate information, does it show the quadriga-circle.com certificate or a different one?
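The error quoted in comment 3 is the outcome of the browser's server-name check: the hostname typed in the location bar (app.bpm.de) must be covered by one of the certificate's dNSName entries (here quadriga-circle.com and www.quadriga-circle.com), or the connection fails with SSL_ERROR_BAD_CERT_DOMAIN. The block below is an added example, not code from the bug report or from Firefox's PSM, that implements that RFC 6125-style name match and reproduces the verdict for the names in this thread; the function names are my own, and the scenario values from the original report (a certificate for app.first.com served on app.second.de) are reused as constructed inputs. It covers only name matching; a real client also checks the chain, validity period and revocation.

```python
# Added example (not the bug's or Firefox's code): RFC 6125-style matching of a
# server hostname against the dNSName entries of a certificate's Subject
# Alternative Name, with the whole-label wildcard rules browsers enforce.
from typing import Sequence, Tuple


def _normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are case-insensitive."""
    return name.lower().rstrip(".")


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; only a whole-label '*' wildcard is honoured.
    Partial wildcards such as 'app*' are compared literally and therefore fail."""
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def dns_name_matches(hostname: str, san_dns_name: str) -> bool:
    """Return True if `hostname` is covered by a single dNSName SAN entry."""
    host_labels = _normalize(hostname).split(".")
    pat_labels = _normalize(san_dns_name).split(".")
    if "" in host_labels or "" in pat_labels:
        return False  # empty label: malformed name
    if len(host_labels) != len(pat_labels):
        return False  # a wildcard never spans more than one label
    if "*" in pat_labels:
        # Wildcard only as the entire leftmost label, and only when at least
        # two labels follow it, so '*.com' and 'app.*.com' are both rejected.
        if pat_labels[0] != "*" or "*" in pat_labels[1:] or len(pat_labels) < 3:
            return False
    return all(_label_matches(p, h) for p, h in zip(pat_labels, host_labels))


def check_certificate_names(hostname: str, san_dns_names: Sequence[str]) -> Tuple[bool, str]:
    """Verdict plus a reason worded like the browser's error page."""
    if any(dns_name_matches(hostname, n) for n in san_dns_names):
        return True, "%s is covered by the certificate's subject alternative names" % hostname
    return False, (
        "%s uses an invalid security certificate. The certificate is only valid "
        "for the following names: %s Error code: SSL_ERROR_BAD_CERT_DOMAIN"
        % (hostname, ", ".join(san_dns_names))
    )


if __name__ == "__main__":
    # Constructed scenario from the report: a certificate issued for
    # app.first.com served to a client that asked for app.second.de.
    for host in ("app.first.com", "app.second.de"):
        print(check_certificate_names(host, ["app.first.com"]))
    # The names Gijs saw in comment 3 against the hostname from comment 2.
    print(check_certificate_names(
        "app.bpm.de", ["quadriga-circle.com", "www.quadriga-circle.com"]))
```

Running it prints a pass for app.first.com and the SSL_ERROR_BAD_CERT_DOMAIN wording for app.second.de and app.bpm.de, which is what comment 3 observed and what the reporter expected. For production code, rely on the TLS library's own verification rather than a hand-written matcher; Python's `ssl.match_hostname` was deprecated in 3.7 and removed in 3.12 precisely because name matching belongs inside the TLS stack.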
Comment 4 (Reporter)•9 years ago
Added screenshot of certificate and Browser.
Comment 5 (Reporter)•9 years ago
(In reply to :Gijs Kruitbosch from comment #3)
> Did you at any point add an exception for this cert, or did you use to have
> a different cert for the app.bpm.de site?
The domain app.bpm.de is brand-new; I never used a different certificate for it.
> When you use the icon to the left
> of the location bar to view certificate information, does it show the
> quadriga-circle.com certificate or a different one?
Green and quadriga-circle.com, as you can see in the screenshot.
Comment 7•9 years ago
Does this happen on Nightly? Also, what add-ons do you have installed?
Flags: needinfo?(dkeeler)
Updated•9 years ago
Group: core-security → crypto-core-security
Comment 8 (Reporter)•9 years ago
I have to change the certificate on app.bpm.de. I will try to reproduce the behaviour over the weekend. Thank you for the help.
Comment 9•9 years ago
Will have to close this incomplete soon if we can't reproduce.
Updated•9 years ago
Flags: needinfo?(ttaubert)
Comment 10•9 years ago
Please mail security@mozilla.org to reopen this bug if there's more information about the cert and traffic you can give us. At this point we cannot reproduce this behavior.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Updated•6 years ago
Group: crypto-core-security