Closed
Bug 138792
Opened 23 years ago
Closed 23 years ago
subjectAltName on server certs not used for domain verification
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
VERIFIED DUPLICATE of bug 103752
People
(Reporter: martin.schaller, Assigned: ssaux)
Details
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [de] (X11; U; Linux 2.4.5-xfs i686)
BuildID: 2002041711
When opening a secure connection to a server with one or multiple subjectAltName
of type dNSName, Mozilla claims a Domain Name Mismatch (because of using only
the Common Name).
Reproducible: Always
Steps to Reproduce:
Contact me by mail for a Test-URL (martin.schaller@gmx.de)
Actual Results: A "Security Error: Domain Name Mismatch" window pops up
Expected Results: No security error
From RFC2818:
3. Endpoint Identification
3.1. Server Identity
[...]
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
[...]
If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.)
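The identity selection quoted from RFC 2818 above, sketched next to the CN-only behaviour reported here; this is an added example, not code from the report, PSM or NSS. The `cert_names` struct, the function names and the `example.test` names are hypothetical, and the wildcard handling (a whole leftmost label only) goes beyond the quoted text, following the part of section 3.1 that the quote elides.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical model: names already extracted from a server certificate. */
struct cert_names {
    const char *const *dns_names; /* subjectAltName entries of type dNSName */
    size_t dns_count;
    const char *common_name;      /* most specific CN of the Subject, or NULL */
};
/* Constructed sample: the CN names one host, the dNSName entries name others. */
static const char *const SAMPLE_SANS[] = { "mail.example.test", "*.apps.example.test" };
const struct cert_names SAMPLE_CERT = { SAMPLE_SANS, 2, "www.example.test" };

/* One certificate name against the host, ignoring case;
 * a leading "*." stands for exactly one non-empty leftmost label. */
static int name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Behaviour reported in this bug: only the Common Name is consulted. */
int cn_only_matches(const struct cert_names *c, const char *host) {
    return c->common_name != NULL && name_matches(c->common_name, host);
}

/* RFC 2818 3.1: dNSName entries, when present, are the identity. */
int rfc2818_matches(const struct cert_names *c, const char *host) {
    if (c->dns_count == 0)
        return cn_only_matches(c, host);  /* no dNSName: fall back to the CN */
    for (size_t i = 0; i < c->dns_count; i++)
        if (name_matches(c->dns_names[i], host))
            return 1;                     /* a match in any one entry suffices */
    return 0;                             /* the CN is ignored when dNSNames exist */
}

int main(void) {
    const char *host = "mail.example.test";
    printf("CN only: %d, RFC 2818: %d\n", cn_only_matches(&SAMPLE_CERT, host),
           rfc2818_matches(&SAMPLE_CERT, host));
    return 0;
}
```

For the sample certificate the CN-only check rejects `mail.example.test` (the mismatch dialog described in this report), while the dNSName-aware check accepts it and, conversely, rejects `www.example.test`, which appears only in the CN.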
Comment 1•23 years ago
To PSM. This creates a false perception about the server's cert and makes a
user think a server is insecure when it is in fact secure.
Assignee: mstoltz → ssaux
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Security: General → Client Library
Ever confirmed: true
Keywords: nsbeta1
OS: Linux → All
Product: Browser → PSM
QA Contact: bsharma → junruh
Hardware: PC → All
Version: other → 2.0
Assignee
Comment 2•23 years ago
Should we reassign this to NSS or is it PSM responsibility to check the subject
alt name?
Comment 3•23 years ago
IINM, PSM uses an NSS function for this purpose. The NSS function needs to
be enhanced. I believe there is already a bug against NSS for this. I'll look
for it.
Comment 4•23 years ago
This bug appears to be a duplicate of
http://bugzilla.mozilla.org/show_bug.cgi?id=103752
*** This bug has been marked as a duplicate of 103752 ***
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Product: Core → Core Graveyard