Closed Bug 1493945 Opened 3 years ago Closed 3 years ago

Incorrect SSL_ERROR_BAD_CERT_DOMAIN error with SAN certificate

Categories

(Core :: Security: PSM, defect)

62 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1196364

People

(Reporter: lratnayake, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180830143136

Steps to reproduce:

Create a certificate with the following X509v3 Subject Alternative Name extension:
IP Address:172.28.242.25, DNS:172.28.242.25, DNS:gsec.ott7gvm1.genband.com, DNS:gsec4.

Access the website with the URL https://gsec.ott7gvm1.genband.com:2443.

See also https://support.mozilla.org/en-US/questions/1233865

Actual results:

The following error message was displayed, which is incorrect.

gsec.ott7gvm1.genband.com:2443 uses an invalid security certificate. The certificate is only valid for the following names: 172.28.242.25, 172.28.242.25, gsec.ott7gvm1.genband.com, gsec4 Error code: SSL_ERROR_BAD_CERT_DOMAIN
Expected results:

The URL https://gsec.ott7gvm1.genband.com:2443 should have been accepted without such error.

Note that if the X509v3 Subject Alternative Name is created with the following order, this issue does not happen. The parsing logic seems to be sensitive to the order of the SAN entries.

DNS:gsec.ott7gvm1.genband.com, DNS:gsec5, IP Address:172.28.242.25, DNS:172.28.242.25

Component: Untriaged → Security: PSM
Product: Firefox → Core

Bug 1196364 would probably address this.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1196364

I don't think this is related to Bug 1196364, which seems to be regarding wildcard entries in the Subject Alternative Name extension of an X.509v3 certificate, whereas this bug is related to erroneously having IP addresses as DNS Name options within the Subject Alternative Name extension of an X.509v3 certificate.

That is, despite matching a DNSName option Firefox will reject the certificate with "SSL_ERROR_BAD_CERT_DOMAIN" if it encounters an IP address-listed-as-DNSName option first in the ordered set of options within the Subject Alternative Name extension.
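The order sensitivity described in this report, as an added illustration that is not Firefox or NSS code: a small SAN matcher run over the two SAN lists quoted above. In "strict" mode it stops at the first dNSName entry that is not a valid hostname (an IP literal in a DNS entry), which reproduces the reporter's observation; in tolerant mode it skips malformed entries. The parsing, the validity rule and the two modes are constructed for this demonstration.

```python
import ipaddress
import re

# SAN lists copied from the bug report; only the entry order differs.
SAN_REJECTED = "IP Address:172.28.242.25, DNS:172.28.242.25, DNS:gsec.ott7gvm1.genband.com, DNS:gsec4"
SAN_ACCEPTED = "DNS:gsec.ott7gvm1.genband.com, DNS:gsec5, IP Address:172.28.242.25, DNS:172.28.242.25"

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_san(text):
    """Split an OpenSSL-style SAN line into (type, value) pairs, in order."""
    entries = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        entries.append((kind, value))
    return entries


def is_valid_dnsname(name):
    """A dNSName must be a hostname; an IP literal belongs in an iPAddress entry."""
    try:
        ipaddress.ip_address(name)
        return False  # parses as an IP address, so it is not a valid dNSName
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in name.split("."))


def match_hostname(san_text, hostname, strict):
    """Return True if hostname matches a DNS entry in the SAN list.

    strict=True models a checker that rejects the certificate as soon as it
    meets a malformed dNSName (constructed model of the reported behaviour).
    strict=False skips malformed entries and keeps searching.
    """
    for kind, value in parse_san(san_text):
        if kind != "DNS":
            continue
        if not is_valid_dnsname(value):
            if strict:
                return False
            continue
        if value.lower() == hostname.lower():
            return True
    return False


if __name__ == "__main__":
    for label, san in (("rejected order", SAN_REJECTED), ("accepted order", SAN_ACCEPTED)):
        print(label, "strict:", match_hostname(san, "gsec.ott7gvm1.genband.com", True),
              "tolerant:", match_hostname(san, "gsec.ott7gvm1.genband.com", False))
```

The fix on the certificate side is the same in either case: list IP addresses only as IP Address entries and keep DNS entries to valid hostnames.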
