subjectAltName on server certs not used for domain verification

Status: VERIFIED DUPLICATE of bug 103752
Priority: --
Severity: critical
Reported: 17 years ago
Modified: 2 years ago

People

(Reporter: martin.schaller, Assigned: ssaux)

Tracking

1.0 Branch

Firefox Tracking Flags

(Not tracked)

Details

Description (Reporter, 17 years ago)
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [de] (X11; U; Linux 2.4.5-xfs i686)
BuildID:    2002041711

When opening a secure connection to a server whose certificate carries one or
more subjectAltName entries of type dNSName, Mozilla claims a Domain Name
Mismatch (because it uses only the Common Name).

Reproducible: Always
Steps to Reproduce:
Contact me by mail for a Test-URL (martin.schaller@gmx.de)

Actual Results:  A "Security Error: Domain Name Mismatch" window pops up

Expected Results:  No security error

From RFC 2818:

3.  Endpoint Identification
3.1.  Server Identity
[...]
   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity. Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used. Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.
[...]
   If more than one identity of a given type is present in
   the certificate (e.g., more than one dNSName name, a match in any one
   of the set is considered acceptable.)
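The RFC 2818 section 3.1 rule quoted in the report, implemented as an added example; this is illustrative code, not PSM or NSS code from the bug. It works on constructed certificate identities (a Common Name plus a list of dNSName subjectAltName values, hypothetical example.com host names rather than anything parsed from a real certificate) and places the correct check beside the CN-only behaviour the reporter observed, so the two can be compared on the same input. It also applies the RFC 2818 wildcard rule ("*" matches any single label, "f*.com" matches "foo.com"), which goes slightly beyond the quoted text.

```python
"""RFC 2818 section 3.1 server identity check against constructed certificate data."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Identity-bearing parts of a server certificate (constructed for the example,
    not extracted from DER)."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _label_matches(pattern: str, label: str) -> bool:
    """Match one domain label; RFC 2818 lets "*" stand for any single label
    and allows a partial wildcard such as "f*" matching "foo"."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    return (label.startswith(head) and label.endswith(tail)
            and len(label) >= len(head) + len(tail))


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive, label-by-label comparison of a certificate name
    against the host the client connected to."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def verify_hostname(cert: CertIdentity, hostname: str) -> bool:
    """RFC 2818 s.3.1: if any dNSName subjectAltName is present it MUST be used
    and the Common Name is ignored; otherwise the Common Name is used.
    A match against any one name of the set is acceptable."""
    if cert.san_dns_names:
        candidates = cert.san_dns_names
    elif cert.common_name is not None:
        candidates = [cert.common_name]
    else:
        return False
    return any(_name_matches(c, hostname) for c in candidates)


def verify_hostname_cn_only(cert: CertIdentity, hostname: str) -> bool:
    """The behaviour this bug reports: only the Common Name is ever consulted,
    so SAN-only names produce a spurious "Domain Name Mismatch"."""
    return cert.common_name is not None and _name_matches(cert.common_name, hostname)


# Constructed sample identities (hypothetical names, not from any real certificate).
SAN_CERT = CertIdentity(
    common_name="www.example.com",
    san_dns_names=["www.example.com", "mail.example.com", "*.test.example.com"],
)
CN_ONLY_CERT = CertIdentity(common_name="legacy.example.com")
# SAN present, so per RFC 2818 the CN must not rescue a host that is absent from the SAN.
MISMATCHED_SAN_CERT = CertIdentity(common_name="other.example.com",
                                   san_dns_names=["www.example.com"])


if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "mail.example.com"),
                       (SAN_CERT, "a.test.example.com"),
                       (SAN_CERT, "a.b.test.example.com"),
                       (CN_ONLY_CERT, "legacy.example.com"),
                       (MISMATCHED_SAN_CERT, "other.example.com")]:
        print(f"{host:24} rfc2818={verify_hostname(cert, host)!s:5} "
              f"cn_only={verify_hostname_cn_only(cert, host)}")
```

Running the script shows the reported failure directly: `mail.example.com` is accepted by `verify_hostname` through its SAN entry but rejected by `verify_hostname_cn_only`. The third sample cert illustrates the other half of the rule, which a naive "check SAN, then also try CN" implementation gets wrong: once a dNSName SAN is present the CN is no longer an identity at all.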

Comment 1

To PSM.  This creates a false perception about the server's cert and makes a
user think a server is insecure when it is in fact secure.
Assignee: mstoltz → ssaux
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Security: General → Client Library
Ever confirmed: true
Keywords: nsbeta1
OS: Linux → All
Product: Browser → PSM
QA Contact: bsharma → junruh
Hardware: PC → All
Version: other → 2.0

Comment 2 (Assignee, 17 years ago)

Should we reassign this to NSS or is it PSM responsibility to check the subject
alt name?

Comment 3

IINM, PSM uses an NSS function for this purpose.  The NSS function needs to
be enhanced.  I believe there is already a bug against NSS for this.  I'll look
for it.

Comment 4

This bug appears to be a duplicate of
http://bugzilla.mozilla.org/show_bug.cgi?id=103752

*** This bug has been marked as a duplicate of 103752 ***
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE

Comment 5 (17 years ago)

Verified dupe.
Status: RESOLVED → VERIFIED

Updated (14 years ago)

Component: Security: UI → Security: UI
Product: PSM → Core

Updated (10 years ago)

Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard