The certificate for www.e-trust.be has a common name of "www.e-trust.be" but a subject alt name extension of "www.e-trust.belgacom.be". NSS is throwing a name mismatch error--I believe correctly. The dialog box that PSM displays, however, says that the certificate is for "www.e-trust.be", claiming a mismatch between what are clearly the same host names. PSM is getting this value from the cert's common name, which isn't correct for this case. Nelson, what function should PSM be calling in order to get a cert's primary SSL host name?
*** Bug 243933 has been marked as a duplicate of this bug. ***
Primary SSL hostname? What's that?
I would define that as the first-listed host name.
Certs don't have "primary" SSL host names. They may have a host name in the subject name's "Common Name" (CN) attribute, and they may have a list of "alternative" names. If the list of "alternative names" contains one or more DNS names, then that entire set of DNS names takes exclusive precedence over the Subject Common Name. So, the dialog should probably show the list of alternative DNS names, when there are any, and the subject common name when there are not. The question then is: Is there a way to ask NSS for the subject alt names that are DNS names?
Created attachment 192730: Screenshot of cert name mismatch unrelated to subject alt names. This bug also occurs when opening "www.rc-ulm-neuulm.de". Recipe: go to "https://www.rc-ulm-neuulm.de" (there is no problem, the certificate is accepted), then click on "Veranstaltungen" in the left sidebar (this is on the same server; it loads the right-hand frame). The domain mismatch error occurs. As can be seen from the screenshot, the names of the two domains in the mismatch are identical. This is confusing. I expect Firefox either to accept the certificate or, if there are good reasons not to, to show me one piece of differing evidence. Othmar Marti
An update: the server mismatch dialog with identical names occurs when the image is referenced as <img src="https://rc-ulm-neuulm.de/images/corner_2.gif" alt="aktuell" width="28" height="32">. It does not occur when the tag reads <img src="/images/corner_2.gif" alt="aktuell" width="28" height="32">. I presume that there is a problem in the parser. The base URL is "https://www.rc-ulm-neuulm.de". Othmar Marti
Comment 5 and comment 6 are not related to subject alt names. The error dialog shown in the screenshot clearly states the problem with that cert, which is not related to subject alt names: www.rc-ulm-neuulm.de is not the same as rc-ulm-neuulm.de.
Kai, Please add this bug to the list of PSM error messages bugs that seriously need attention.
In compliance with RFC 2818, "subjectAltName:dNSName" replaces the subject's "CN" as the domain name identifier if present. Mozilla respects that. Unfortunately, the CN is NOT replaced in messages, warnings or the standard certificate "View" dialog box. This is not only a problem of self-contradicting warnings: there is a reason why the domain name identifier of a certificate should be shown to the user in all certificate-related messages. It is the informational basis on which the user decides whether to accept a certificate. This is even more important since Mozilla-based browsers match greedy wildcards (e.g. "www.mozilla.org" matches "subjectAltName:dNSName=*"), see bug #159483. This is a security issue, and it should be solved.
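The identity rule that comments 4 and 9 above describe (the set of subjectAltName dNSName entries, when present, replaces the subject CN both for matching and for what the user is shown; a bare "*" wildcard must not match everything) is illustrated below as a stand-alone example added to this thread. It is not NSS or PSM code and does not parse X.509: the certificate is modelled as a CN string plus a list of dNSName strings, as a cert-parsing layer would hand them over, and the test cases are constructed from the host names quoted in this bug. The wildcard rule implemented (one leading "*" label, matching exactly one label, with at least two literal labels following) is the conservative reading a modern client applies, not necessarily what NSS did at the time of the report.

```python
"""Server-identity selection and host name matching for a TLS certificate.

Added example, not NSS/PSM code. Models RFC 2818 section 3.1: if any
subjectAltName dNSName is present, that set is the server identity and the
subject CN is ignored; the CN is used only when there are no dNSName entries.
The same list is what an error dialog should display, so the user never sees
a "mismatch" between two identical-looking names.
"""
from __future__ import annotations


def _canon(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are byte-exact."""
    return name.lower().rstrip(".")


def identity_names(cn: str | None, san_dns: list[str]) -> list[str]:
    """Names the client must match against and the dialog must show.

    The dNSName SAN entries, when present, replace the CN entirely; the
    result never mixes the two sources.
    """
    if san_dns:
        return [_canon(n) for n in san_dns]
    return [_canon(cn)] if cn else []


def wildcard_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against one host name.

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label: '*.example.org' matches 'www.example.org' but not
    'a.b.example.org' or 'example.org'. A bare '*' or a pattern with fewer
    than two literal labels after the '*' (e.g. '*.org') is rejected, which
    closes the "matches every host" case raised above (bug 159483).
    """
    pattern, host = _canon(pattern), _canon(host)
    if "*" not in pattern:
        return pattern == host
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = host.split(".")
    if len(host_labels) != len(labels):
        return False
    return host_labels[1:] == labels[1:]


def check_host(cn: str | None, san_dns: list[str], host: str) -> tuple[bool, list[str]]:
    """Return (matched, names) where names is the identity list to display."""
    names = identity_names(cn, san_dns)
    return any(wildcard_matches(n, host) for n in names), names


def mismatch_message(cn: str | None, san_dns: list[str], host: str) -> str | None:
    """The text a name-mismatch dialog should carry, or None if the host matches.

    Lists the identity names rather than the CN, so the e-trust.be case in
    this bug reports 'www.e-trust.belgacom.be', not a second 'www.e-trust.be'.
    """
    ok, names = check_host(cn, san_dns, host)
    if ok:
        return None
    return f"The certificate presented for {_canon(host)} is only valid for " + ", ".join(names) + "."


if __name__ == "__main__":
    # Constructed cases taken from the host names in this bug report.
    print(check_host("www.e-trust.be", ["www.e-trust.belgacom.be"], "www.e-trust.be"))
    print(mismatch_message("www.rc-ulm-neuulm.de", [], "rc-ulm-neuulm.de"))
    print(wildcard_matches("*", "www.mozilla.org"))
```

Running the block prints the e-trust.be case as a mismatch whose displayed name is the SAN value, the rc-ulm-neuulm.de case as a genuine CN mismatch between two different names, and the bare "*" wildcard as rejected.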
This was fixed with the patch for bug 398718; we now display an error message that lists all allowed names.