Closed Bug 138792 Opened 22 years ago Closed 22 years ago

subjectAltName on server certs not used for domain verification

Categories

(Core Graveyard :: Security: UI, defect)

Version: 1.0 Branch
Type: defect
Priority: Not set
Severity: critical

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 103752

People

(Reporter: martin.schaller, Assigned: ssaux)

Details

From Bugzilla Helper:
User-Agent: Mozilla/4.77 [de] (X11; U; Linux 2.4.5-xfs i686)
BuildID:    2002041711

When opening a secure connection to a server whose certificate carries one or
more subjectAltName entries of type dNSName, Mozilla claims a Domain Name
Mismatch (because it uses only the Common Name).

Reproducible: Always
Steps to Reproduce:
Contact me by mail for a Test-URL (martin.schaller@gmx.de)

Actual Results:  A "Security Error: Domain Name Mismatch" window pops up

Expected Results:  No security error

From RFC 2818:
3.  Endpoint Identification
3.1.  Server Identity
[...]
   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity. Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used. Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.

[...]
   If more than one identity of a given type is present in
   the certificate (e.g., more than one dNSName name, a match in any one
   of the set is considered acceptable.)
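The RFC 2818 section 3.1 rule quoted above, worked through as an added example. This is illustration code written for this page, not PSM or NSS code and not something the reporter posted. It assumes the certificate has already been parsed into its Subject Common Name values and its subjectAltName dNSName entries (the CertIdentity class and the sample values in the docstrings are constructed here); the CN-only function reproduces the behaviour the report complains about, for contrast.

```python
"""RFC 2818 3.1 server identity matching (added illustration, not PSM/NSS code).

Rule: if any subjectAltName dNSName is present, that set is the identity and
the CN is ignored; otherwise the most specific CN is used. A match against
any one name in the chosen set is acceptable. Wildcards follow RFC 2818:
'*' matches a single label (or a fragment of one), so '*.a.com' matches
'foo.a.com' but not 'bar.foo.a.com'.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CertIdentity:
    """Constructed stand-in for a parsed certificate (hypothetical type)."""
    # CN values in Subject order; the last one is the most specific RDN.
    common_names: List[str] = field(default_factory=list)
    # subjectAltName entries of type dNSName, in certificate order.
    san_dns: List[str] = field(default_factory=list)


def _match_one(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name comparison with RFC 2818 wildcard semantics."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels = p.split(".")
    h_labels = h.split(".")
    # A wildcard never spans a dot, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    for pl, hl in zip(p_labels, h_labels):
        if "*" in pl:
            # RFC 2818 also permits a fragment wildcard such as 'f*.com'.
            head, _, tail = pl.partition("*")
            if len(hl) < len(head) + len(tail):
                return False
            if not (hl.startswith(head) and hl.endswith(tail)):
                return False
        elif pl != hl:
            return False
    return True


def identities_for(cert: CertIdentity) -> List[str]:
    """Select the identity set RFC 2818 says MUST be used."""
    if cert.san_dns:
        return list(cert.san_dns)          # SAN present: CN is not consulted
    if cert.common_names:
        return [cert.common_names[-1]]     # fall back to most specific CN
    return []


def matches_host(cert: CertIdentity, host: str) -> bool:
    """RFC 2818 behaviour: any one name in the selected set may match."""
    return any(_match_one(name, host) for name in identities_for(cert))


def cn_only_matches_host(cert: CertIdentity, host: str) -> bool:
    """The behaviour the bug report describes: only the CN is checked."""
    return bool(cert.common_names) and _match_one(cert.common_names[-1], host)


if __name__ == "__main__":
    # Constructed sample: CN names one host, SAN covers the whole zone.
    cert = CertIdentity(common_names=["www.example.org"],
                        san_dns=["example.org", "*.example.org"])
    print(matches_host(cert, "mail.example.org"))          # True
    print(cn_only_matches_host(cert, "mail.example.org"))  # False (the bug)
```

Note that a SAN-bearing certificate whose CN is absent from the SAN list correctly fails for the CN host under this rule, which is the reverse of the reported behaviour. Later guidance (RFC 6125) tightens the wildcard rules further, for example to the leftmost label only, so a checker written today should not stop at RFC 2818's wildcard semantics.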
To PSM.  This creates a false perception about the server's cert and makes a
user think a server is insecure when it is in fact secure.
Assignee: mstoltz → ssaux
Severity: normal → critical
Status: UNCONFIRMED → NEW
Component: Security: General → Client Library
Ever confirmed: true
Keywords: nsbeta1
OS: Linux → All
Product: Browser → PSM
QA Contact: bsharma → junruh
Hardware: PC → All
Version: other → 2.0
Should we reassign this to NSS or is it PSM responsibility to check the subject
alt name?
IINM, PSM uses an NSS function for this purpose.  The NSS function needs to 
be enhanced.  I believe there is already a bug against NSS for this.  I'll look 
for it.
This bug appears to be a duplicate of 
http://bugzilla.mozilla.org/show_bug.cgi?id=103752


*** This bug has been marked as a duplicate of 103752 ***
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → DUPLICATE
Verified dupe.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard