Closed Bug 1346318 Opened 8 years ago Closed 4 years ago

[meta] Some secure sites are blocked in Fx53 with error SSL_ERROR_BAD_CERT_DOMAIN

Categories

(Web Compatibility :: Site Reports, defect, P5)

Firefox 53

Tracking

(Not tracked)

RESOLVED INACTIVE

People

(Reporter: mwobensmith, Unassigned)

Details

(Keywords: meta)

I am filing this bug before tracking down the regression build (and/or cause), as it will be an evangelist issue in any case.

The following sites don't load in Fx53.0b1, but do load in release build Fx52 (as well as latest release Chrome). They display the SSL error "SSL_ERROR_BAD_CERT_DOMAIN" and indicate that the cert doesn't match the particular subdomain.

On Fx52, we get a successful connection to a server with a cert that includes the correct subdomain, which makes me think that this issue is caused by an underlying network change and not related to certificate validation. Going to file under Networking > PSM until we know better.

https://apk-dl.coremobility.com
https://atv.com.vsassets.com
https://autoguide.com.vsassets.com
https://cdn-images-express-co-uk.amp.cloudflare.com
https://discovery.amp.cloudflare.com
https://i-dailymail-co-uk.amp.cloudflare.com
https://m-bild-de.amp.cloudflare.com
https://motorcycle.com.vsassets.com
https://petguide.com.vsassets.com
https://s0-wp-com.amp.cloudflare.com
https://static-standard-co-uk.amp.cloudflare.com
https://supplier.intel.com
https://variety-com.amp.cloudflare.com
https://www-dailymail-co-uk.amp.cloudflare.com
https://www-express-co-uk.amp.cloudflare.com
https://www-getsurrey-co-uk.amp.cloudflare.com
https://www-independent-co-uk.amp.cloudflare.com
https://www-mirror-co-uk.amp.cloudflare.com
https://www-thesun-co-uk.amp.cloudflare.com
Also, the reason that this surfaced now and not before is that I recently updated TLS Canary with a better list of top sites, which includes more subdomains of popular sites previously untested.
FWIW, this looks suspiciously like Bug 1323710. What happens if you cap to TLS 1.2 max?
(In reply to :Cykesiopka from comment #2)
> FWIW, this looks suspiciously like Bug 1323710.
>
> What happens if you cap to TLS 1.2 max?

Now it works! Thank you for that. Mystery solved.

FWIW, first bad build is Nightly 53.0a1, 2016-11-17.
Component: Security: PSM → Desktop
Product: Core → Tech Evangelism
Version: 53 Branch → Firefox 53
From time to time I am getting SSL_ERROR_BAD_CERT_DOMAIN errors also. While there are a few sites that cause the same error on Chrome and Microsoft Edge, there are many more that occur only on Firefox. The latest occurrence was https://netflix.com/. Firefox's advanced error indicates the cert that it is getting is valid for only *.accuweather.com, accuweather.com. Neither Chrome nor Edge had a problem loading the URL. These are the proper certs for the weather add-on I'm using and obviously not valid for Netflix. From experience, this error will occur for several minutes and then everything will work again. This very much looks like a bug in Firefox's handling of certs. It appears that Firefox sometimes uses the wrong cert for the URL validation.
Priority: -- → P5
Summary: Some secure sites are blocked in Fx53 with error SSL_ERROR_BAD_CERT_DOMAIN → [meta] Some secure sites are blocked in Fx53 with error SSL_ERROR_BAD_CERT_DOMAIN
Product: Tech Evangelism → Web Compatibility
Keywords: meta
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INACTIVE
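
A diagnostic for the symptom discussed in this bug, added here as an example and not taken from the bug, TLS Canary or Firefox: it fetches the certificate a server presents with the client's default maximum TLS version and again capped at TLS 1.2, then checks whether the certificate's DNS names cover the requested host. The function names and the simplified wildcard rule are assumptions.

```python
# Added example; helper names and the simplified wildcard rule are assumptions.
import socket
import ssl
import sys

def name_covers(pattern, host):
    """Simplified RFC 6125 match: '*' only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covered(host, dns_names):
    """True if any certificate DNS name covers host."""
    return any(name_covers(n, host) for n in dns_names)

def served_names(host, max_version=None, port=443, timeout=10):
    """Handshake with SNI=host; return (protocol, DNS names in the leaf cert)."""
    ctx = ssl.create_default_context()
    # Chain validation stays on; only the hostname check is off, so a
    # mismatching certificate can be inspected instead of rejected.
    ctx.check_hostname = False
    if max_version is not None:
        ctx.maximum_version = max_version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            sans = tls.getpeercert().get("subjectAltName", ())
            return tls.version(), [v for k, v in sans if k == "DNS"]

def compare(host):
    """Report the certificate seen with the default maximum and capped at 1.2."""
    report = {}
    for label, cap in (("default", None), ("tls1.2-cap", ssl.TLSVersion.TLSv1_2)):
        try:
            proto, names = served_names(host, cap)
            report[label] = (proto, names, covered(host, names))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            report[label] = ("error", [str(exc)], False)
    return report

if __name__ == "__main__" and len(sys.argv) > 1:
    for label, (proto, names, ok) in compare(sys.argv[1]).items():
        print(f"{label}: {proto} covers_host={ok} names={names}")
```

If the two runs return different name lists for the same host, the server is selecting its certificate based on the negotiated or offered protocol version, which separates that case from a client-side validation fault.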