Closed Bug 1625706 Opened 4 years ago Closed 4 years ago

Incorrect HTTPS error for wildcard certificate when subdomain ends in hyphen

Categories

(Core :: Security: PSM, defect)

74 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1184059

People

(Reporter: basta, Unassigned)

This appears to be a duplicate of 1184059, but I'm unsure. The error here is misleading (the domain is not a mismatch). If this is a duplicate of 1184059, it would be worthwhile to fix the error to say what the problem is ("the domain is invalid per [spec]" rather than "the domain name doesn't match the certificate").


Steps to reproduce:

Visit https://inconstant-.pinecast.co/

Note that you receive an HTTPS error:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for inconstant-.pinecast.co. The certificate is only valid for the following names: pinecast.co, *.pinecast.co, sni.cloudflaressl.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

This is incorrect, as the domain matches the wildcard *.pinecast.co. Additionally, other valid subdomains continue to work:

My suspicion is that the hyphen suffixing the subdomain is causing Firefox to incorrectly report the certificate as invalid.

I have tested and reproduced this issue on Firefox 73 and 74.
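
The following is an added illustration, not part of the original report and not Firefox's code. It shows how a verifier that enforces the RFC 952 / RFC 1123 hostname rule (no label may end in a hyphen) can reject the reported name even though the wildcard pattern covers it, and how reporting that case separately avoids the misleading mismatch message. The names `Result`, `check` and `check_collapsed` are hypothetical, and the report does not confirm which spec Firefox applies.

```python
import re
from enum import Enum

# SAN list and hostname quoted in the report above.
SANS = ["pinecast.co", "*.pinecast.co", "sni.cloudflaressl.com"]
REPORTED_HOST = "inconstant-.pinecast.co"

# Hostname label per RFC 952 / RFC 1123: letters, digits, hyphen,
# 1-63 characters, and no hyphen in first or last position.
_LDH_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

class Result(Enum):
    MATCH = "match"
    MISMATCH = "name not covered by certificate"
    INVALID_HOSTNAME = "requested hostname is not a valid DNS name"

def is_valid_hostname(host):
    # An empty name splits into one empty label, which fails the pattern.
    return len(host) <= 253 and all(
        _LDH_LABEL.fullmatch(label) for label in host.split("."))

def wildcard_match(pattern, host):
    # '*' is honoured only as the entire left-most label and covers exactly
    # one label; everything to its right must be equal (case-insensitive).
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check(host, sans):
    # Validate the requested name first so the two failure causes stay distinct.
    if not is_valid_hostname(host):
        return Result.INVALID_HOSTNAME
    if any(wildcard_match(san, host) for san in sans):
        return Result.MATCH
    return Result.MISMATCH

def check_collapsed(host, sans):
    # Hypothetical reporting layer that folds the invalid-hostname case into
    # a mismatch, reproducing the symptom the report calls misleading.
    result = check(host, sans)
    return Result.MISMATCH if result is Result.INVALID_HOSTNAME else result
```
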

Dana, is this a dup of 1184059?

Component: Networking → Security: PSM
Flags: needinfo?(dkeeler)

Yes.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → DUPLICATE