Open
Bug 1328109
Opened 8 years ago
Updated 3 months ago
provide more explanation when a certificate is missing a subject alternative name extension
Categories: Core :: Security: PSM, defect, P5
Status: UNCONFIRMED
People: Reporter: mozilla, Unassigned
Whiteboard: [psm-backlog]
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161130211651
Steps to reproduce:
When Firefox rejects a cert. because of a missing subjectAltName, it displays the wrong error code name.
On desktop Firefox, it displays SSL_ERROR_BAD_CERT_DOMAIN
On Firefox for Android, it displays SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
Context: Self-signed root cert and subsequent single-domain child certs, both with CN but without SAN, installed to system trust under Linux.
The change that seems to have created the error condition: https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
This needs to show some useful error info, a la "subjectAltName missing", or at the very least not show very misleading or outright false error code strings.
After dealing with the (actual) error on the web server side (missing SAN), desktop Firefox doesn't throw any error any more (as expected).
However, FF for Android still shows SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE. The issuer cert. was manually added to the Android cert. store and isn't expired (it's the same as being seen by desktop Firefox of course).
Comment 2•8 years ago
Firefox for Android doesn't use the Android certificate store, so it might not know of the existence of that certificate. What intermediates does the server actually send?
Flags: needinfo?(mozilla)
Ugh, right, forgot about that, my bad. In the Android case there was in fact an expired version of the CA cert installed on the device, i.e. exactly what FF was trying to tell me, haha. Is there any cert management UI on FF Android btw?
Is the intermediates question still relevant for the original bug?
Flags: needinfo?(mozilla)
Comment 4•8 years ago
Unfortunately, there isn't any built-in certificate management UI in Firefox for Android. There might be some add-ons that could help, though. The intermediates question was just me trying to get some more information to diagnose the issue, but it sounds like everything is working accurately, if not very clearly. Note that eventually I'm hoping we will implement something like bug 1265113 for Android so that this should "just work" in the future.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
Undoing the "resolved" change. This bug is about the wrong error message - please see the original description.
The Android-specific part can be ignored - the different message there was from my error.
Status: RESOLVED → UNCONFIRMED
Resolution: WORKSFORME → ---
Comment 6•8 years ago
Oh, I misunderstood - sorry.
Priority: -- → P5
Summary: Wrong error message on rejection of cert with no subjectAltName → provide more explanation when a certificate is missing a subject alternative name extension
Whiteboard: [psm-backlog]
No problem.
The new bug title is less accurate than the previous one - the current message is incorrect, not just lacking explanation.
Comment 8•8 years ago
What message are you currently seeing?
The error message shown when there was no subjectAltName was:
domain.com uses an invalid security certificate.
The certificate is not valid for the name domain.com.
Error code: SSL_ERROR_BAD_CERT_DOMAIN
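The distinction the reporter is asking for is between "the certificate has no subjectAltName extension at all" and "it has one, but no entry matches the host name"; Firefox folds both into SSL_ERROR_BAD_CERT_DOMAIN. The following is an added example (not code from the bug, from Firefox or from PSM) showing a host name check that keeps the two cases apart. It works on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, never consults the subject CN for matching (the post-bug-1245280 behaviour), and the two certificate dictionaries at the bottom are constructed samples, not real certificates.

```python
"""Classify why a server certificate fails host name validation.

Added example: not part of the bug report, Firefox or PSM. Operates on the
dict shape returned by ssl.SSLSocket.getpeercert() and distinguishes
  - "san_missing":  no subjectAltName extension (the situation in the bug)
  - "san_mismatch": a SAN exists but no entry matches the requested name
  - "ok":           a SAN entry matches
The subject commonName is reported for context only and is never matched.
"""
import ipaddress


def _subject_cn(cert):
    """Pull commonName out of getpeercert()'s nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def _dns_name_matches(pattern, hostname):
    """RFC 6125-style dNSName match: case-insensitive, wildcard allowed only as
    the entire left-most label, never matching across a dot, and never on a
    name with fewer than three labels (so '*.com' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def classify_hostname_check(cert, hostname):
    """Return (code, human-readable explanation) for cert vs hostname."""
    cn = _subject_cn(cert)
    san = cert.get("subjectAltName")
    if not san:
        return (
            "san_missing",
            f"The certificate has no subjectAltName extension, so it cannot be "
            f"valid for any host name; its subject CN '{cn}' is not used for "
            f"host name matching.",
        )

    # A literal IP address is matched against iPAddress entries only.
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        ips = [v for kind, v in san if kind == "IP Address"]
        if any(ipaddress.ip_address(v) == wanted_ip for v in ips):
            return ("ok", f"The certificate is valid for {hostname}.")
        listed = ", ".join(ips) or "(no IP entries)"
        return ("san_mismatch",
                f"The certificate is not valid for the address {hostname}; "
                f"its subjectAltName lists: {listed}.")

    dns_names = [v for kind, v in san if kind == "DNS"]
    if any(_dns_name_matches(p, hostname) for p in dns_names):
        return ("ok", f"The certificate is valid for the name {hostname}.")
    listed = ", ".join(dns_names) or "(no DNS entries)"
    return ("san_mismatch",
            f"The certificate is not valid for the name {hostname}; "
            f"its subjectAltName lists: {listed}.")


# Constructed sample certificates in getpeercert() dict form (not real certs).
CN_ONLY_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "issuer": ((("commonName", "Example Private Root"),),),
}
SAN_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "issuer": ((("commonName", "Example Private Root"),),),
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "*.domain.com"),
                       ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for cert, host in ((CN_ONLY_CERT, "domain.com"), (SAN_CERT, "domain.com"),
                       (SAN_CERT, "a.b.domain.com"), (SAN_CERT, "192.0.2.10")):
        code, message = classify_hostname_check(cert, host)
        print(f"{host:16} {code:13} {message}")
```

Run stand-alone it prints one line per sample; the CN-only certificate yields `san_missing` with a message naming the absent extension, which is the information the reporter wanted surfaced instead of a generic "not valid for the name" error.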
Updated•3 years ago
Severity: normal → S3