Closed Bug 1481379 Opened 6 years ago Closed 6 years ago

Subject (hostname) not recognized if certificate has subject alternate name (IP address)

Categories

(Firefox :: Security, defect)

52 Branch
defect
Not set
normal


RESOLVED INVALID

People

(Reporter: u20230201, Unassigned)

Details

Attachments

(2 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180621121604

Steps to reproduce:

I had a server's certificate replaced with a new one that contains not only the FQHN but also its IP address as a subject alternate name. Connecting via HTTPS using Firefox 52.9.0 (ESR).


Actual results:

Firefox flags the certificate as invalid for HTTPS, stating the certificate is only valid for the IP address found in the subject alternate name.
When connecting via IP address, the certificate is accepted.


Expected results:

The certificate should be accepted (as Microsoft IE does).

Hi Ulrich,

Thanks for reporting this bug. Going to set this as a Firefox Security issue.
Component: Untriaged → Security
This was intentional behavior, as described and implemented in bug 1245280.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
(In reply to Alex Gaynor [:Alex_Gaynor] from comment #2)
> This was intentional behavior, as described and implemented in bug
> 1245280.

It may be intentional, but it still sounds wrong to me.
I hope you will admit that the user will _not_ see what the problem is (if there is a problem at all).
The authoritative document here is the baseline requirements. Section 7.1.4.2.2.a states of the subject common name field: "If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension". That is, it cannot contain a value that is not present in the subject alternative name extension. See https://cabforum.org/baseline-requirements-documents/
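The rule behind the two comments above, written out as an added example (this is not Firefox/mozilla::pkix code and not from bug 1245280): per RFC 6125 section 6.4.4, once a certificate carries a subjectAltName extension the subject Common Name is not consulted at all, so a cert with CN=server.example.org and SAN=IP:192.0.2.10 is valid for the IP literal and nothing else, exactly as the reporter observed. The second function checks the Baseline Requirements clause quoted in the comment (a CN, if present, must also appear in the SAN). The `Cert` dataclass and the three certificates are constructed stand-ins for parsed X.509 fields; the hostnames and IP are documentation examples. The wildcard handling goes slightly beyond the page (left-most-label-only, no match across label boundaries).

```python
"""Reference-identifier matching with a SAN-present cert (added example).

Rule demonstrated: if the certificate has any subjectAltName entry, only
the SAN is consulted; the subject CN is used solely as a legacy fallback
when no SAN extension exists (RFC 6125 section 6.4.4).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Constructed stand-in for the parsed name fields of an X.509 cert."""
    cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)   # dNSName entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress entries

    @property
    def has_san(self) -> bool:
        return bool(self.san_dns or self.san_ip)


def _parse_ip(value: str):
    """Return an ip_address object or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; a '*' is accepted only as the whole left-most
    label, never matches across label boundaries, and '*.tld' is rejected.
    (Simplified from RFC 6125 section 6.4.3; partial-label wildcards such
    as 'f*o.example.org' are rejected outright.)"""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    plabels, hlabels = pattern.split("."), host.split(".")
    if len(plabels) != len(hlabels) or len(plabels) < 3:
        return False
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False
    return plabels[1:] == hlabels[1:]


def reference_id_matches(cert: Cert, reference: str) -> bool:
    """True if the hostname or IP literal `reference` is valid for `cert`."""
    ip = _parse_ip(reference)
    if cert.has_san:
        # SAN present: the CN is ignored entirely, even if it would match.
        if ip is not None:
            return any(_parse_ip(s) == ip for s in cert.san_ip)
        return any(_dns_match(p, reference) for p in cert.san_dns)
    # No SAN extension at all: legacy fallback to the subject CN.
    if cert.cn is None:
        return False
    if ip is not None:
        return _parse_ip(cert.cn) == ip
    return _dns_match(cert.cn, reference)


def cn_listed_in_san(cert: Cert) -> bool:
    """BR 7.1.4.2.2.a: a CN, if present, must be one of the SAN values."""
    if cert.cn is None:
        return True
    cn_ip = _parse_ip(cert.cn)
    if cn_ip is not None:
        return any(_parse_ip(s) == cn_ip for s in cert.san_ip)
    return cert.cn.lower() in (d.lower() for d in cert.san_dns)


# Constructed certificates mirroring the report (names are examples).
REPORTED_CERT = Cert(cn="server.example.org", san_ip=["192.0.2.10"])
FIXED_CERT = Cert(cn="server.example.org",
                  san_dns=["server.example.org"], san_ip=["192.0.2.10"])
LEGACY_CERT = Cert(cn="legacy.example.org")  # no SAN extension

if __name__ == "__main__":
    for cert, ref in [(REPORTED_CERT, "server.example.org"),
                      (REPORTED_CERT, "192.0.2.10"),
                      (FIXED_CERT, "server.example.org"),
                      (LEGACY_CERT, "legacy.example.org")]:
        print(f"{ref:>20} valid: {reference_id_matches(cert, ref)}  "
              f"CN listed in SAN: {cn_listed_in_san(cert)}")
```

The practical fix for the reporter's cert is the `FIXED_CERT` shape: keep the IP in the SAN but also add a dNSName entry for the host, which simultaneously satisfies the BR clause about the CN.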
Attached image Certificate details
From the certificate details view, everything looks just fine. So if you still think that Firefox does the correct thing, please make the related information appear the way Firefox sees it. That will reduce the confusion on the user's side.
Summary: Subject not recognized if certificate has subject alternate name → Subject (hostname) not recognized if certificate has subject alternate name (IP address)