Closed Bug 1323710 Opened 8 years ago Closed 7 years ago

roedovre-skole.m.skoleintra.dk serving an invalid cert when client uses TLS 1.3

Categories

(Web Compatibility :: Site Reports, defect)

Firefox 52
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bugzilla, Unassigned)

When I visit https://roedovre-skole.m.skoleintra.dk/Account/IdpLogin using the latest nightly, I get a "Your connection is not secure" error.

I don't get this error in Edge or Chrome.

I also tried with a clean Firefox profile and still get the same error.

Is it Firefox that has a problem or ?

It looks like Firefox is being served a different cert than other browsers.

For example, when I visit https://roedovre-skole.m.skoleintra.dk/Account/IdpLogin on IE11, I receive this cert:
> Issuer CN = COMODO RSA Domain Validation Secure Server CA
> Subject CN = *.m.skoleintra.dk
> SAN DNS Name = *.m.skoleintra.dk
> SAN DNS Name = m.skoleintra.dk
... which is perfectly valid for roedovre-skole.m.skoleintra.dk.

On Firefox, I get this cert instead:
> Issuer CN = COMODO ECC Domain Validation Secure Server CA 2
> Subject CN = ssl386617.cloudflaressl.com
> SAN DNS Name = ssl386617.cloudflaressl.com
> SAN DNS Name = *.skoleintra.dk
> SAN DNS Name = skoleintra.dk
... which isn't valid for roedovre-skole.m.skoleintra.dk.

So, AFAICT Firefox is correctly rejecting the cert.
I'm inclined to mark this bug as invalid, or maybe morph this bug to a Tech Evangelism one or something.
Summary: Getting SSL_ERROR_BAD_CERT_DOMAIN on valid certicate → Getting SSL_ERROR_BAD_CERT_DOMAIN on roedovre-skole.m.skoleintra.dk
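
The hostname check described in the comment above, as an added example that is not part of the original bug thread or Firefox's code: it applies the one-label wildcard rule from RFC 6125 to the two SAN lists quoted in that comment. The function and variable names are assumptions made for illustration.

```python
"""Added example: why one quoted cert covers the host and the other does not."""

HOST = "roedovre-skole.m.skoleintra.dk"

# SAN DNS names copied from the two certificates quoted in the bug comment.
CERT_SEEN_BY_IE11 = ["*.m.skoleintra.dk", "m.skoleintra.dk"]
CERT_SEEN_BY_FIREFOX = [
    "ssl386617.cloudflaressl.com",
    "*.skoleintra.dk",
    "skoleintra.dk",
]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname (hypothetical helper).

    A wildcard is honoured only as the whole left-most label and stands
    for exactly one label, so it never spans a dot.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    # Anything else, including a partial wildcard such as "f*o",
    # is compared literally.
    return p == h


def matching_sans(sans: list[str], hostname: str) -> list[str]:
    """Return the SAN entries that cover hostname; empty means name mismatch."""
    return [s for s in sans if san_matches(s, hostname)]


if __name__ == "__main__":
    for label, sans in (("IE11", CERT_SEEN_BY_IE11),
                        ("Firefox", CERT_SEEN_BY_FIREFOX)):
        hits = matching_sans(sans, HOST)
        verdict = f"valid via {hits[0]}" if hits else f"no SAN matches {HOST}"
        print(f"{label}: {verdict}")
```
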
I can reproduce on Mac, too: Chrome and Safari get a valid cert and Firefox does not (details matching comment 1).

The site works if I set security.tls.version.max to 3 instead of 4 (TLS 1.2 vs experimental TLS 1.3 support in nightly and aurora). Is this a Cloudflare problem that might be more widespread? Or just a one-off mistake?
Component: Security → Desktop
Flags: needinfo?(ekr)
Product: Firefox → Tech Evangelism
Summary: Getting SSL_ERROR_BAD_CERT_DOMAIN on roedovre-skole.m.skoleintra.dk → roedovre-skole.m.skoleintra.dk serving an invalid cert when client uses TLS 1.3
Version: unspecified → Firefox 52
I can reproduce with Canary when I turn on TLS 1.3 as well, so this is a problem in Cloudflare's servers.
Flags: needinfo?(ekr)
This is a configuration error on the server side and is being fixed now.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility