X.509v3 Subject Alternative Name DNS ignored

16 years ago

(Reporter: Ivan Dolezal, Assigned: Nelson Bolyard (seldom reads bugmail))

Firefox Tracking Flags: (Not tracked)

16 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Win9x; en; Stable) Gecko/20020911 Beonex/0.8.1-stable
Build Identifier: Mozilla/5.0 (Windows; U; Win9x; en; Stable) Gecko/20020911 Beonex/0.8.1-stable

The webserver has a canonical name server4.streaming.cesnet.cz and a CNAME
prenosy.cesnet.cz . According to RFC 2459 section the certificate
also contains Subject Alternative Name items with both A and CNAME. The OID for
SAN DNS is, however, ignored, thereby forcing the server's owner to get an extra IP
address for running every virtual HTTPS server (same for other secured
services). Let me note that MSIE handles this technique correctly.

Reproducible: Always

Steps to Reproduce:
1. (Optional) download and install CA certificate from
2. Go to https://prenosy.cesnet.cz/ . You will see the correct page.
3. Go to https://server4.streaming.cesnet.cz/ .

Actual Results:  
a message box appears:
You have attempted to establish a connection with "server4.streaming.cesnet.cz."
However, the security certificate presented belongs to "prenosy.cesnet.cz"...

Expected Results:  
Not displaying any warning, as certificate's X.509v3 Subject Alternative Name
did contain both DNS names of the server.

I am not able to decide about the severity of this bug, as it is a minor bug for
one's "supersecure" password to presets of a webpage, an *extremely annoying* bug
when you are trying to download your e-mail via IMAP and you see it _every
time_ Mozilla Mail tries to download the mail, or _severe_ for any e-commerce.
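The check the report is about, as an added example (not the reporter's code and not NSS's implementation): RFC 2818 section 3.1, and later RFC 6125, require that when a certificate carries subjectAltName dNSName entries those entries are the server's identity and the subject CN is not consulted at all; the CN is only a fallback for certificates with no dNSName. The certificate identity below is a constructed Python value modelled on the one described in the report (CN prenosy.cesnet.cz, SAN dNSName for both hosts), not a parsed certificate, and the function names are this example's own. The example also goes beyond the report by handling wildcard names and case folding, so the same matcher can be reused on other certificates.

```python
"""Hostname matching against X.509 identities, the check old NSS got wrong.

RFC 2818 section 3.1 (and later RFC 6125): if the certificate carries a
subjectAltName extension with dNSName entries, those are the server's
identity and the subject CN must not be consulted; the CN is only a
fallback for certificates with no dNSName at all. A client that compares
the hostname against the CN only (the behaviour reported in this bug)
rejects every alternative name.

Certificate identities here are plain Python values constructed for the
example, not parsed from a real certificate.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """The name-bearing parts of an end-entity certificate (constructed)."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


def _fold(name: str) -> str:
    # DNS names compare case-insensitively; strip one trailing dot (FQDN form).
    return name.strip().rstrip(".").lower()


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    Wildcards are accepted only as the entire left-most label ("*.example.org"),
    only when at least two labels follow, and never across a dot, which is the
    conservative reading of RFC 6125 section 6.4.3.
    """
    pattern, hostname = _fold(pattern), _fold(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False           # partial or non-leading wildcard: reject
    if len(p_labels) < 3:
        return False           # "*.com" would match every host under .com
    if len(h_labels) != len(p_labels):
        return False           # the wildcard covers exactly one label
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def match_hostname(ident: CertIdentity, hostname: str) -> bool:
    """Return True if ``hostname`` is an identity this certificate asserts."""
    if ident.san_dns:
        # dNSName present: it is authoritative and the CN is ignored entirely.
        return any(_pattern_matches(n, hostname) for n in ident.san_dns)
    if ident.subject_cn is not None:
        # Legacy fallback only; new certificates should always carry SANs.
        return _pattern_matches(ident.subject_cn, hostname)
    return False


def cn_only_match(ident: CertIdentity, hostname: str) -> bool:
    """The buggy behaviour from the report: compare against the CN only."""
    return ident.subject_cn is not None and _fold(ident.subject_cn) == _fold(hostname)


# Identity modelled on the certificate in the report (constructed values).
CESNET_CERT = CertIdentity(
    subject_cn="prenosy.cesnet.cz",
    san_dns=["prenosy.cesnet.cz", "server4.streaming.cesnet.cz"],
)

if __name__ == "__main__":
    for host in ("prenosy.cesnet.cz", "server4.streaming.cesnet.cz", "www.cesnet.cz"):
        print(f"{host:30} correct={match_hostname(CESNET_CERT, host)} "
              f"cn_only={cn_only_match(CESNET_CERT, host)}")
```

Run stand-alone, the script shows the second hostname accepted by the correct matcher and rejected by the CN-only one, which is exactly the warning dialog quoted in the report. Note the precedence rule cuts both ways: a certificate whose CN matches but whose dNSName list does not is rejected, because once a SAN is present the CN carries no identity.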

Comment 1

16 years ago
Nelson, could you look at this bug?  I believe this is
a duplicate of bug 103752, which you fixed in NSS 3.5.1
and is in the latest Mozilla releases.

Mr. Dolezal, what is the Mozilla version you are using?
Could you right-mouse over the nss3.dll file in your
Mozilla installation, choose the menu item "Properties",
in the "nss3.dll Properties" dialog, choose the "Version" tab,
click on "Product Version", and get the NSS version number?
Assignee: wtc → nelsonb

Comment 2

16 years ago
Mr. Dolezal, you can help us find out if this is
a duplicate of bug 103752 as follows.

1. Download the latest NSS 3.6.1 distribution for

NSS 3.6.1 contains the fix for bug 103752.

2. Unpack the zip file.  In the nss-3.6.1/lib directory,
there should be these five DLLs: nss3.dll, softokn3.dll,
nssckbi.dll, smime3.dll, and ssl3.dll.

3. Exit Mozilla, if it is running.

4. Replace the five NSS DLLs in your Mozilla installation
by the new ones in nss-3.6.1/lib.  (You should save the
old NSS DLLs before you copy the new ones over.)

5. Start up Mozilla and test it.

Comment 3

16 years ago
Kai just confirmed that this works as expected (no warning) with a recent
build featuring NSS 3.6.1 Beta.  So I am marking this as a duplicate of
bug 103752

*** This bug has been marked as a duplicate of 103752 ***
Last Resolved: 16 years ago
Resolution: --- → DUPLICATE