Closed Bug 1773078 Opened 3 years ago Closed 3 years ago

Firefox returns SSL_ERROR_BAD_CERT_DOMAIN even though CN is valid

Categories

(Core :: Security: PSM, defect)

Firefox 101
defect

RESOLVED INVALID

People

(Reporter: sahbi, Unassigned)

References

Details

Steps to reproduce:

I simply went to a website with a self-signed but trusted wildcard cert (*.workdomain.pub). It's only used internally so there's no real need for a cert issued by a known public CA.

Actual results:

Firefox shows an error page with:

Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for abc.workdomain.pub. 
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Expected results:

Firefox should've seen the cert as valid.

Of course the cert issuer has been added to Firefox's trust store, otherwise the error would've been about a self-signed cert or untrusted/unknown issuer. And if I click View Certificate then it clearly states Common Name *.workdomain.pub.

The cert doesn't have any SANs because it's not necessary due to being a wildcard, so I'm thinking that might be relevant. I've experienced something quite similar to this in Chrome actually: it would refuse any cert that did not have any SANs, even if the CN is already an exact match. I haven't checked yet if it still happens if I create a new (temporary) cert with at least one SAN, or even if it's maybe due to the .pub TLD somehow not being properly recognised anymore. Or perhaps the wildcard itself is interpreted as a literal *.

Note that I'm creating this bug from a device other than the one where I experienced the problem. The latter is an M1 Pro Mac running Monterey 12.0.1, with the following user agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0. I forgot to turn off auto-update (because I prefer to decide on my own when to do it) and version 101.0 was installed (I think) either today or at the end of last week, because by the end of Friday I had no problems yet. I currently only use that device for work so it was shut down over the entire weekend.

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Firefox 101 removed support for common name matching. SANs have been the preferred mechanism for over 20 years (see: RFC 2818 section 3.1).

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
See Also: → 1691122
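The resolution above is the whole story: a verifier that only consults subjectAltName cannot match a certificate that carries none, however correct its Common Name is. The following is an added example (not code from Mozilla, from Firefox, or from the reporter) that puts the SAN-only rule next to the legacy CN fallback so the difference can be checked offline. The certificate records are constructed by hand in the shape Python's ssl.SSLSocket.getpeercert() returns; the hostname, the wildcard and the function names are taken from this report or are assumptions for the example, and no connection is made.

```python
"""Hostname matching as a SAN-only verifier does it (the behaviour described
in the resolution) beside the legacy behaviour that fell back to the subject
Common Name when a certificate had no SANs.

Added example for illustration; not Mozilla's or the reporter's code.  The
certificate records at the bottom are constructed in the dict shape that
ssl.SSLSocket.getpeercert() returns, so no network access is needed.
"""


def _san_dns_names(cert):
    """dNSName entries from subjectAltName, lowercased (DNS is case-insensitive)."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _common_names(cert):
    """commonName values from the subject, lowercased."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def _dns_label_match(pattern, hostname):
    """RFC 6125-style comparison: '*' is accepted only as the whole leftmost
    label and never spans a dot, so '*.workdomain.pub' matches
    'abc.workdomain.pub' but neither 'x.abc.workdomain.pub' nor 'workdomain.pub'."""
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        if len(p_labels) < 3:  # refuse bare '*' and '*.tld' patterns
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:  # wildcard anywhere else is not a valid pattern
        return False
    return p_labels == h_labels


def _normalise(hostname):
    return hostname.lower().rstrip(".")


def match_hostname_san_only(cert, hostname):
    """SAN-only rule: only subjectAltName dNSName entries are consulted, so a
    certificate without SANs matches nothing, whatever its CN says."""
    hostname = _normalise(hostname)
    return any(_dns_label_match(p, hostname) for p in _san_dns_names(cert))


def match_hostname_legacy(cert, hostname):
    """Legacy rule: use SAN dNSName entries when present, and fall back to the
    subject CN only when the certificate carries no dNSName entries at all."""
    hostname = _normalise(hostname)
    sans = _san_dns_names(cert)
    if sans:
        return any(_dns_label_match(p, hostname) for p in sans)
    return any(_dns_label_match(p, hostname) for p in _common_names(cert))


def diagnose(cert, hostname):
    """One-line explanation of why a SAN-only verifier accepts or rejects."""
    if match_hostname_san_only(cert, hostname):
        return "ok: a subjectAltName dNSName entry matches " + hostname
    if not _san_dns_names(cert):
        if match_hostname_legacy(cert, hostname):
            return ("no subjectAltName present: rejected by SAN-only verifiers; "
                    "only the CN matches, which is no longer consulted")
        return "no subjectAltName present and the CN does not match either"
    return "subjectAltName present but no dNSName entry matches " + hostname


# Constructed records mirroring the report: a wildcard CN with no SANs, and the
# same wildcard carried as a SAN dNSName entry (the fix the reporter considered).
CN_ONLY_CERT = {"subject": ((("commonName", "*.workdomain.pub"),),)}
SAN_CERT = {
    "subject": ((("commonName", "*.workdomain.pub"),),),
    "subjectAltName": (("DNS", "*.workdomain.pub"),),
}

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_CERT), ("with SAN", SAN_CERT)):
        print(label, "->", diagnose(cert, "abc.workdomain.pub"))
```

Running the block shows the CN-only record matching under the legacy rule and failing under the SAN-only rule, which is exactly the SSL_ERROR_BAD_CERT_DOMAIN outcome reported here, while the record that carries the wildcard as a dNSName entry matches abc.workdomain.pub but neither workdomain.pub nor a host two labels deep. To reissue the internal certificate with a SAN, `openssl req` in OpenSSL 1.1.1 and later accepts `-addext "subjectAltName=DNS:*.workdomain.pub"` alongside the usual `-subj` option (the OpenSSL version is an assumption about the reporter's environment).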