Closed Bug 1483626 Opened Last year Closed 8 months ago
Variable may be blank on the new certificate error strings
1002 bytes, application/x-x509-ca-cert
Bug 1483626 - Checks if subjectAltNames has elements that are not empty strings, and if it has them, the empty ones will be removed, preventing incomplete messages from being shown to the user. r=johannh
Steps to reproduce:
1. Visit https://www.txrjy.com/.
2. Click the Advanced or Continue button.

Actual results:
www.txrjy.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. The certificate is only valid for . Error code: SEC_ERROR_UNKNOWN_ISSUER (certErrorMismatchSinglePrefix)

Expected results:
... "The certificate is only valid for www.notexist.com."

Regression range: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=52c14d32d9812951c12d92b2594056fc15c5de80&tochange=617a25dfb30dcf0d64014ca92c987aa5bd3f6a4c
Component: Security: PSM → Security
Product: Core → Firefox
Hey, I was working on this and noticed that input.data.certSubjectAltNames and subjectAltNames are blank (shouldn't be), which is why this error is occurring. Does this mean something's wrong with the native code not providing correct data?
nsIX509Cert.subjectAltNames will be an empty string if the server's certificate doesn't have the subject alternative name extension present. It also doesn't do much validation of the entries in the certificate's subject alternative name extension if it is present. For example, if there were a dNSName entry that was just spaces or maybe even the empty string, that would show up as spaces or an empty string. I would treat that field as essentially untrusted. Here's the backing code if it's helpful:
https://searchfox.org/mozilla-central/rev/ce57be88b8aa2ad03ace1b9684cd6c361be5109f/security/manager/ssl/nsNSSCertificate.cpp#646 (this is what runs when the front-end accesses .subjectAltNames)
https://searchfox.org/mozilla-central/rev/ce57be88b8aa2ad03ace1b9684cd6c361be5109f/security/manager/ssl/nsNSSCertificate.cpp#572 (this is called when an nsIX509Cert is initialized)
Soo there is a case where the subjectAltName is just blank, that makes sense. Sounds to me like we should have a new string that leaves out the "The certificate is only valid for ..." part, like we had before bug 1415279. That should probably trigger if the alt name is null or an empty string after calling .trim(). Trisha, does that help you?
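The approach proposed above (treat subjectAltNames as untrusted, trim each entry, and fall back to a message without the "only valid for" sentence when nothing usable remains) as an added example in front-end style JavaScript. This is not Firefox's own code or the patch attached to this bug. It assumes nsIX509Cert.subjectAltNames reaches the page as a comma-separated string of dNSName entries, and the string ids other than certErrorMismatchSinglePrefix are constructed placeholders.

```javascript
// Added example, not Firefox's own code. Assumes subjectAltNames is handed to
// the error page as a comma-separated string that may be empty, contain blank
// entries, or carry surrounding whitespace (i.e. it is untrusted input).

/**
 * Split the raw subjectAltNames value into trimmed, non-empty entries.
 * Null/undefined (no SAN extension at all) yields an empty array.
 */
function sanitizeAltNames(raw) {
  if (typeof raw !== "string") {
    return [];
  }
  return raw
    .split(",")
    .map((name) => name.trim())
    .filter((name) => name.length > 0);
}

/**
 * Choose which error string to render so that an empty value is never
 * interpolated into the "only valid for" sentence. The ids other than
 * certErrorMismatchSinglePrefix are constructed for this example.
 */
function describeMismatch(hostname, rawAltNames) {
  const names = sanitizeAltNames(rawAltNames);
  const intro = `${hostname} uses an invalid security certificate.`;
  if (names.length === 0) {
    // No usable alternative names: leave out the "only valid for" part,
    // as the strings did before bug 1415279.
    return { id: "certErrorMismatch", text: intro };
  }
  if (names.length === 1) {
    return {
      id: "certErrorMismatchSinglePrefix",
      text: `${intro} The certificate is only valid for ${names[0]}.`,
    };
  }
  return {
    id: "certErrorMismatchMultiple",
    text: `${intro} The certificate is only valid for the following names: ${names.join(", ")}`,
  };
}

// Constructed samples covering the cases raised in this bug.
const samples = [
  ["www.txrjy.com", ""],                        // SAN extension absent
  ["www.txrjy.com", " , "],                     // only blank entries
  ["www.txrjy.com", "www.notexist.com"],        // one valid entry
  ["www.txrjy.com", "a.example, , b.example "], // blank mixed with valid
];
for (const [host, raw] of samples) {
  console.log(describeMismatch(host, raw).text);
}
```

The check is done on the sanitized list rather than on the raw string, so a SAN extension that is present but contains only whitespace entries is handled the same way as a missing extension.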
Thanks a lot for your information. That really helps!
Updating tracking flags as we get closer to the 64 release.
Duplicate of this bug: 1520973
Assignee: nobody → carolina.jimenez.g
Status: NEW → ASSIGNED
Depends on: 1535666