From Bugzilla Helper: User-Agent: Mozilla/4.77 [de] (X11; U; Linux 2.4.5-xfs i686) BuildID: 2002041711 When opening a secure connection to a server with one or multiple subjectAltName of type dNSName, Mozilla claims a Domain Name Mismatch (because of using only the Common Name) Reproducible: Always Steps to Reproduce: Contact me by mail for a Test-URL (firstname.lastname@example.org) Actual Results: A "Security Error: Domain Name Mismatch" window pops up Expected Results: No security error From RFC2818: 3. Endpoint Identification 3.1. Server Identity [...] If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. [...] If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.)
To PSM. This creates a false perception about the server's cert and makes a user think a server is insecure when it is in fact secure.
Assignee: mstoltz → ssaux
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Security: General → Client Library
Ever confirmed: true
OS: Linux → All
Product: Browser → PSM
QA Contact: bsharma → junruh
Hardware: PC → All
Version: other → 2.0
Should we reassign this to NSS or is it PSM responsibility to check the subject alt name?
IINM, PSM uses an NSS function for this purpose. The NSS function needs to be enhanced. I believe there is already a bug against NSS for this. I'll look for it.
This bug appears to be a duplicate of http://bugzilla.mozilla.org/show_bug.cgi?id=103752 *** This bug has been marked as a duplicate of 103752 ***
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.