Incorrect certificate used when accessing multiple servers with self signed certificates

VERIFIED DUPLICATE of bug 93091

Status

--
critical
VERIFIED DUPLICATE of bug 93091
16 years ago
2 years ago

People

(Reporter: jsissom, Assigned: darin.moz)

Tracking

Other Branch
x86
Windows 2000

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

16 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312

This bug is hard to explain, but here's how to repeat it.  The web addresses
below are development web servers that we use.  They may or may not be up when
you try it.  Both servers are Apache 1.2.27 with mod_ssl with self signed
certificates.  I assume that any two web servers with self signed certificates
would work, but I've only tried these two.

1. Start the browser.
2. Access the first server https://stones.uits.indiana.edu/
3. Accept this self signed certificate for this session
4.  Access the second server https://toybox.uits.indiana.edu:9443/

You'll see that it complains that the certificate for stones.uits.indiana.edu
doesn't match the host name of toybox.uits.indiana.edu.  It is comparing the
certificate from the first server with the second server.  This is the bug.


Reproducible: Always

Steps to Reproduce:
1. Start the browser.
2. Access the first server https://stones.uits.indiana.edu/
3. Accept this self signed certificate for this session
4.  Access the second server https://toybox.uits.indiana.edu:9443/

You'll see that it complains that the certificate for stones.uits.indiana.edu
doesn't match the host name of toybox.uits.indiana.edu.  It is comparing the
certificate from the first server with the second server.  This is the bug.

Actual Results:  
You cannot access the 2nd server because of the "certificate mismatch".  If you
try to access this second server in the same session, you'll get the error message:

Could not establish an encrypted connection because certificate presented by
toybox.uits.indiana.edu is invalid or corrupted.  Error Code: -8182



Expected Results:  
After step 4, Mozilla should have given the dialog box asking about the self
signed certificate for toybox.uits.indiana.edu.  It should have allowed you to
accept it for this session, all sessions or not accept it.  It should not
compare the certificate information from the last server with this one.
(Reporter)

Comment 1

16 years ago
The same thing happens with Mozilla 1.1, except the error message that appears when
trying to access the 2nd web site a 2nd time says:

"stones.uits.indiana.edu received a message with incorrect Message
Authentication Code. If the error occurs frequently, contact the website
administrator."

I tried accessing the two web sites in different orders and I get the same
invalid result either way.

Comment 2

16 years ago
The problem seems to be the duplicate serial numbers.  See the duped bug

*** This bug has been marked as a duplicate of 93091 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 16 years ago
Component: Networking → Client Library
Product: Browser → PSM
QA Contact: benc → ckritzer
Resolution: --- → DUPLICATE
Version: Trunk → unspecified

Comment 3

16 years ago
Just for reference, from RFC 3280:

4.1.2.2 Serial number
The serial number MUST be a positive integer assigned by the CA to
each certificate. It MUST be unique for each certificate issued by a
given CA (i.e., the issuer name and serial number identify a unique
certificate). CAs MUST force the serialNumber to be a non-negative
integer.
Severity: blocker → critical

Comment 4

16 years ago
Verified dupe.
Status: RESOLVED → VERIFIED
QA Contact: ckritzer → bmartin

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.