Firefox sometimes sends requests to the wrong server based on the SSL SAN
Component: Core :: Networking (defect)
Reporter: maxence (Unassigned)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36
Steps to reproduce:
We have 2 domains:
- www.site.fr
- media.site.fr
The corresponding DNS records are:
www.site.fr IN A 1.1.1.1
www.site.fr IN A 2.2.2.2
media.site.fr IN A 1.1.1.1
media.site.fr IN A 2.2.2.2
media.site.fr IN A 3.3.3.3
Note that IP 3.3.3.3 is only used for media.site.fr; it has never been used for www.
We also share a Let's Encrypt certificate for both domains:
$ openssl x509 -in cert.pem -noout -text | grep -A 1 'X509v3 Subject Alternative Name'
X509v3 Subject Alternative Name:
DNS:www.site.fr, DNS:media.site.fr
(The main certificate subject is site.fr.)
Actual results:
Sometimes, the media server behind 3.3.3.3 receives requests for www. While analyzing, we found that:
- it affects almost all versions of Firefox (see below), Safari and Qwant
- it does not seem to affect Chromium / Chrome / IE
- it only happens from time to time
Some numbers:
- We got 25812 'failed' requests out of 3185798 requests, so it seems to happen only very sporadically
- Browsers (from UA) are mostly Firefox (based):
$ zgrep 3.3.3.3 varnishncsa.log.gz |grep 'GET http://www' | cut -d '"' -f 12 | awk '{ print $NF }'|sort |uniq -c
3 Firefox/23.0
1 Firefox/38.0
1 Firefox/44.0
11 Firefox/45.0
4 Firefox/47.0
3 Firefox/48.0
13 Firefox/50.0
50 Firefox/51.0
624 Firefox/52.0
46 Firefox/53.0
21 Firefox/54.0
12 Firefox/55.0
51 Firefox/56.0
40 Firefox/57.0
25 Firefox/58.0
37 Firefox/59.0
893 Firefox/60.0
104 Firefox/61.0
384 Firefox/62.0
203 Firefox/63.0
325 Firefox/64.0
22594 Firefox/65.0
67 Firefox/66.0
1 Lightning/6.2.5.3
7 NetType/WIFI
1 PTST/SpeedCurve/190307.140307
1 QwantBrowser/57.0
1 QwantBrowser/59.0.3
2 QwantBrowser/62.0.4
50 QwantBrowser/63.0.1
8 Safari
223 Safari/537.36
1 Safari/605.1.15
We suspected that, for some reason, Firefox uses the certificate SAN to decide, under some circumstances, that 3.3.3.3 is a valid host for www.site.fr, even if it does not appear in DNS.
So we created another certificate only for media.site.fr and indeed, no more bad requests since.
Expected results:
It looks like Firefox should not consider a server valid for a given domain based only on the SSL SAN, and we should not receive requests for www.site.fr on 3.3.3.3.
Also, all OSes seem to be impacted:
$ zgrep 3.3.3.3 varnishncsa.log.gz |grep 'GET http://www' | cut -d '"' -f 12 | grep -o '.*rv'|sort |uniq -c
1 Mozilla/5.0 (Android 4.1.2; Tablet; rv
2 Mozilla/5.0 (Android 4.2.2; Mobile; rv
6 Mozilla/5.0 (Android 4.2.2; Tablet; rv
11 Mozilla/5.0 (Android 4.4.2; Mobile; rv
6 Mozilla/5.0 (Android 4.4.2; Tablet; rv
2 Mozilla/5.0 (Android 5.0.1; Mobile; rv
4 Mozilla/5.0 (Android 5.0.2; Mobile; rv
3 Mozilla/5.0 (Android 5.0.2; Tablet; rv
13 Mozilla/5.0 (Android 5.1.1; Mobile; rv
5 Mozilla/5.0 (Android 5.1.1; Tablet; rv
117 Mozilla/5.0 (Android 6.0.1; Mobile; rv
2 Mozilla/5.0 (Android 6.0.1; Tablet; rv
24 Mozilla/5.0 (Android 6.0; Mobile; rv
6 Mozilla/5.0 (Android 6.0; Tablet; rv
54 Mozilla/5.0 (Android 7.0; Mobile; rv
11 Mozilla/5.0 (Android 7.0; Tablet; rv
18 Mozilla/5.0 (Android 7.1.1; Mobile; rv
12 Mozilla/5.0 (Android 7.1.1; Tablet; rv
2 Mozilla/5.0 (Android 7.1.2; Mobile; rv
280 Mozilla/5.0 (Android 8.0.0; Mobile; rv
63 Mozilla/5.0 (Android 8.1.0; Mobile; rv
16 Mozilla/5.0 (Android 8.1.0; Tablet; rv
50 Mozilla/5.0 (Android 9; Mobile; rv
165 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv
358 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv
238 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv
253 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv
348 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv
1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv
95 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv
165 Mozilla/5.0 (Windows NT 10.0; rv
12091 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv
1036 Mozilla/5.0 (Windows NT 10.0; WOW64; rv
118 Mozilla/5.0 (Windows NT 5.1; rv
4 Mozilla/5.0 (Windows NT 5.1; WOW64; rv
9 Mozilla/5.0 (Windows NT 5.2; rv
38 Mozilla/5.0 (Windows NT 6.0; rv
16 Mozilla/5.0 (Windows NT 6.0; WOW64; rv
741 Mozilla/5.0 (Windows NT 6.1; rv
5647 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv
825 Mozilla/5.0 (Windows NT 6.1; WOW64; rv
63 Mozilla/5.0 (Windows NT 6.2; rv
140 Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv
24 Mozilla/5.0 (Windows NT 6.2; WOW64; rv
87 Mozilla/5.0 (Windows NT 6.3; rv
1453 Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv
110 Mozilla/5.0 (Windows NT 6.3; WOW64; rv
20 Mozilla/5.0 (X11; Fedora; Linux x86_64; rv
302 Mozilla/5.0 (X11; Linux armv7l; rv
104 Mozilla/5.0 (X11; Linux x86_64; rv
36 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv
312 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv
1 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0 PTST/SpeedCurv
20 Qwant/2.5 (Android 4.4.2; Mobile; rv
3 QwantMobile/2.0 (Android 6.0.1; Mobile; rv
1 QwantMobile/2.0 (Android 7.0; Mobile; rv
1 QwantMobile/2.5 (Android 6.0.1; Mobile; rv
2 QwantMobile/2.5 (Android 6.0; Mobile; rv
4 QwantMobile/2.5 (Android 7.0; Mobile; rv
4 QwantMobile/2.5 (Android 7.1.1; Mobile; rv
13 QwantMobile/2.5 (Android 8.0.0; Mobile; rv
6 QwantMobile/2.5 (Android 8.1.0; Mobile; rv
Comment 2•6 years ago
I am attempting to confirm this bug, but the technical knowledge needed here is a bit above my own.
I do not understand the exact issue. The best way to go about this is to write a list of unambiguous steps to reproduce the problem with Actual and Expected results so I can reproduce and give it a corresponding component. Can you help?
Thank you for your contribution!
Hi,
here are the steps (this is the way we reproduced it).
- Get 3 servers: 1.1.1.1, 2.2.2.2, 3.3.3.3
- Define 2 domains in DNS:
  - www.domain.tld IN A 1.1.1.1
  - www.domain.tld IN A 2.2.2.2
  - media.domain.tld IN A 1.1.1.1
  - media.domain.tld IN A 2.2.2.2
  - media.domain.tld IN A 3.3.3.3
- Get a (Let's Encrypt in our case) SSL certificate with 2 SANs:
  - www.domain.tld
  - media.domain.tld
- Configure an SSL vhost for:
  - www.domain.tld on 1.1.1.1 and 2.2.2.2
  - media.domain.tld on 1.1.1.1, 2.2.2.2 AND 3.3.3.3
  with the certificate you created in 2) (so you use the same cert for the 2 vhosts).
- Have a page on www.domain.tld which loads files from both the www and media domains (i.e. CSS from www, pictures from media in our case).
When reaching the page, from time to time, Firefox will request www.domain.tld on 3.3.3.3.
Comment 5•6 years ago
(In reply to u408661 from bug 1420777 comment #1)
Both servers share at least some DNS, and both servers assert (via tls) that
they are authoritative for both A.e.c and B.e.c. This is 100% allowed per
7540. The 421 http error code is the proper way to handle this situation if
you have overlapping dns and tls.
Also see:
https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/
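The 421 handling that comment 5 points to, as an added example written for this page (it is neither Firefox's code nor the reporter's server setup): a Go wrapper for the vhost on 3.3.3.3 that answers 421 Misdirected Request whenever a coalesced HTTP/2 connection carries a request whose Host names an origin this listener does not serve. The hostnames and the VhostGuard name are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// VhostGuard fronts one listener (here: the media vhost on 3.3.3.3, which shares
// a certificate listing both www.site.fr and media.site.fr). A client that
// coalesces connections may legitimately reuse the media connection for www, so
// the server must answer 421 instead of serving the wrong origin's content.
type VhostGuard struct {
	served map[string]bool // lower-case hostnames this listener is authoritative for
	next   http.Handler
}

func NewVhostGuard(hosts []string, next http.Handler) *VhostGuard {
	g := &VhostGuard{served: map[string]bool{}, next: next}
	for _, h := range hosts {
		g.served[strings.ToLower(strings.TrimSuffix(h, "."))] = true
	}
	return g
}

// Misdirected reports whether a Host / :authority value (optionally carrying a
// port, e.g. "www.site.fr:443") names an origin outside this listener's set.
func (g *VhostGuard) Misdirected(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // strip the port; SplitHostPort also unwraps [IPv6] literals
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return !g.served[host]
}

func (g *VhostGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if g.Misdirected(r.Host) {
		// RFC 7540 section 9.1.2: 421 tells the client to retry on a fresh connection.
		http.Error(w, "421 Misdirected Request", http.StatusMisdirectedRequest)
		return
	}
	g.next.ServeHTTP(w, r)
}

func main() {
	media := NewVhostGuard([]string{"media.site.fr"}, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "media content for", r.Host)
	}))
	// In production this would be ListenAndServeTLS with the shared certificate on 3.3.3.3.
	http.ListenAndServe(":8080", media)
}
```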