Closed Bug 1691122 Opened 5 years ago Closed 3 years ago

remove subject common name fallback support in CertVerifier

Categories

(Core :: Security: PSM, task, P2)

task

Tracking

RESOLVED FIXED
101 Branch
Tracking Status
relnote-firefox --- 101+
firefox101 --- fixed

People

(Reporter: keeler, Assigned: jschanck)

References

Details

(Whiteboard: [psm-backlog][psm-cleanup])

Attachments

(1 file)

Bug 1245280 and bug 1267463 began the process of deprecating fallback to subject common name matching against hostnames in TLS server certificate validation. However, certificates from imported roots were always exempt from this policy in Firefox. In the time since then, Chrome has deprecated fallback to the subject common name [0]. Chrome did have an enterprise policy option to re-enable this fallback, but it was removed in Chrome 66 [1].

[0] https://developers.google.com/web/updates/2017/03/chrome-58-deprecations#remove_support_for_commonname_matching_in_certificates
[1] https://bugs.chromium.org/p/chromium/issues/detail?id=803791

Assignee: nobody → mbirghan
Assignee: mbirghan → nobody
Assignee: nobody → jschanck
Attachment #9272437 - Attachment description: Bug 1691122 - Remove subject common name fallback for imported roots. r=keeler → Bug 1691122 - Remove subject common name fallback support in CertVerifier. r=keeler
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0599b2a0913a Remove subject common name fallback support in CertVerifier. r=keeler,necko-reviewers,kershaw

The failing test involves a self-signed certificate generated (at run time) by testing/tools/iceserver/iceserver.py. That script fails to set a subject alternative name, so it is expected to fail without subject common name fallback support. I've updated the revision with a patch for iceserver.py.

Flags: needinfo?(jschanck)
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/90a96fdbd3c4 Remove subject common name fallback support in CertVerifier. r=keeler,necko-reviewers,kershaw
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 101 Branch

Release Note Request (optional, but appreciated)
[Why is this notable]: Validation of any manually installed certificates that lack the subjectAltName extension will fail with error code SSL_ERROR_BAD_CERT_DOMAIN.
[Affects Firefox for Android]: yes
[Suggested wording]: Removed "subject common name" fallback support from certificate validation. This fallback mode was previously enabled only for manually installed certificates. The CA Browser Forum Baseline Requirements have required the presence of the "subjectAltName" extension since 2012, and use of the subject common name was deprecated in RFC 2818.
[Links (documentation, blog post, etc)]:
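The failure mode the release note describes, as an added example that is not part of this bug or of Mozilla's CertVerifier: a hostname check that consults only the subjectAltName extension, applied to two constructed self-signed leaf certificates, one carrying the hostname only in the subject CN (the shape of the iceserver.py test certificate before the fix) and one carrying it in a SAN dNSName entry. The hostname, the key type and the certificate fields are assumptions chosen for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a self-signed server certificate for hostname.
// With withSAN == false the hostname is placed only in the subject CN,
// mimicking the constructed test certificate described in the bug; with
// withSAN == true it is also placed in a subjectAltName dNSName entry.
// (Constructed example certificate, not the iceserver.py output.)
func makeSelfSigned(hostname string, withSAN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{hostname}
	}
	// Template doubles as parent, so the certificate signs itself.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches applies the rule this bug adopts for all certificates:
// only subjectAltName entries are consulted. A certificate with no SAN
// entries is rejected outright, whatever its subject CN says; this is the
// case that surfaces as SSL_ERROR_BAD_CERT_DOMAIN in Firefox 101.
func HostnameMatches(cert *x509.Certificate, hostname string) error {
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		return fmt.Errorf("no subjectAltName extension; subject CN %q is not a fallback",
			cert.Subject.CommonName)
	}
	// VerifyHostname matches against the SAN dNSName/iPAddress entries only.
	return cert.VerifyHostname(hostname)
}

func main() {
	for _, withSAN := range []bool{false, true} {
		cert, err := makeSelfSigned("turn.example.test", withSAN)
		if err != nil {
			panic(err)
		}
		fmt.Printf("withSAN=%v: %v\n", withSAN, HostnameMatches(cert, "turn.example.test"))
	}
}
```

The explicit SAN check is what changes for imported roots in this bug; Go's own verifier has behaved this way since Go 1.15 (the x509ignoreCN GODEBUG escape hatch was removed in Go 1.17), so the second call to VerifyHostname would already refuse a CN-only certificate on its own.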

relnote-firefox: --- → ?

Added to the Fx101 relnotes.

Blocks: 1461370