Closed Bug 197964 Opened 22 years ago Closed 20 years ago

incorrect handling of certificate with two CN's

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Platform:
x86
Linux
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: palo.simo, Assigned: nelson)

References

(
URL
)

Details

Attachments

(1 file)

patch v1 - take last Common name, not first.
2.03 KB, patch
wtc
: review+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030313 Mozilla gives me a message "Security Error: Domain Name Mismatch" when I try to connect to a https site which have correct certificate (Mozilla says). The certificate viewer shows that in the "Subject" field there are 2 CN records - the first showed has the same domain name I try to connect to, the second is some old alias for the domain. I think the warning is incorrect. Reproducible: Always Steps to Reproduce: 1. connect to https://two.fujitsu.sk Actual Results: Security Error: Domain Name Mismatch Expected Results: nothing - just connect I've got replies, that IE does not show error on this, maybe Netscape doesn't, too... not tested
Viewing the cert in IE, I can see two CN's. Mozilla is picking the second one in the list and causing the Cert Name mismatch dialog. Kai, are 2 CNs in a server cert within spec?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → 2.4
RFC 2818 (an informational RFC) states: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. This RFC says that one of the Common Name (CN) fields should be used to match the hostname. There is no expectation that both fields will be checked. However, the "most specific" means the last one given in the DER encoding of the name, which is the first one printed. NSS seems to choose the first matching element in the DER encoding (the last printed). This conflicts with the recommendation in this RFC. However, since CN is being phased out in favor of DNSName, and multiple CN fields really have no meaning, this behavior probably won't be changed. NSS also implements a matching rule that can me used to allow a single CN entry to match multiple host names. in this case CN=two.(icl|fujitsu).sk would match both names given in the certificate.
Regarding NSS choosing the first, rather than the last CN element, this seems like it might be easy to fix. It's probably worth fixing, if so.
I'm changing this to product=NSS since it appears to be due to NSS cert handling.
Assignee: ssaux → wchang0222
Component: Client Library → Libraries
Product: PSM → NSS
QA Contact: junruh → bishakhabanerjee
Target Milestone: --- → 3.9.1
Version: 2.4 → 3.8
Target Milestone: 3.9.1 → 3.10
Taking bug for NSS 3.10.
Assignee: wchang0222 → nelson
Priority: -- → P2
I wonder if the code should do this for other attributes also.
Comment on attachment 151920 [details] [diff] [review] patch v1 - take last Common name, not first. Wan-Teh, please review
Attachment #151920 - Flags: review?(wchang0222)
Status: NEW → ASSIGNED
Whiteboard: awaiting review
Comment on attachment 151920 [details] [diff] [review] patch v1 - take last Common name, not first. r=wtc. >+/* RDNs are sorted from most general to most specific. >+ * This code returns the first one found, the most general one found. >+ */ > static char * > CERT_GetNameElement(PRArenaPool *arena, CERTName *name, int wantedTag) Might want to highlight "first" in the comment, as you did to "last" in the other comment.
Attachment #151920 - Flags: review?(wchang0222) → review+
/cvsroot/mozilla/security/nss/lib/certdb/alg1485.c,v <-- alg1485.c new revision: 1.24; previous revision: 1.23 I also made the change to the comment that Wan-Teh requested.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Whiteboard: awaiting review
*** Bug 251590 has been marked as a duplicate of this bug. ***
This bug was fixed by changing the function CERT_GetCommonName from returning the first (least specific) CN to instead return the last (most specific) CN in the name. SSL needs the most specific. But it seems that when displaying a certificate's name, PSM had been using that CERT_GetCommonName to get the CN string to display, and it had been getting and displaying the most general (least specific) name. So the change made to fix this bug caused PSM's cert viewer to begin to display a different value than in had previously been displaying, to the alarm of some folks who had always expected the display to contain the most general name. That is the subject of bug 305890. I think the solution is probably along these lines: Change CERT_GetCommonName to work as it did before. Create a new function, CERT_GetMostSpecificCommonName to do what SSL needs, and change SSL (and possibly many other callers of GetCommonName) to call this other new function instead.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: