Closed Bug 243933 Opened 20 years ago Closed 20 years ago

Mozilla uses CN (CommonName) and X509v3 Subject Alternative Name in a weird way.

Categories

(MailNews Core :: LDAP Integration, defect)

x86
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 238142

People

(Reporter: jeanfrederic.clere.ext, Assigned: sspitzer)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040517
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040517

When using LDAP + SSL, Mozilla complains when the "X509v3 Subject Alternative
Name" does not correspond to the hostname even if the CommonName (CN) of the
certificate is correct. It displays a message telling that the certificate does not
correspond to the host. The message is wrong: it says the certificate belongs to
"CommonName" that is not "hostname" when the 2 values are the same.


Reproducible: Always
Steps to Reproduce:
A certificate to reproduce the problem could be like the following:
+++
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 20 (0x14)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd,
OU=Certificate Authority, CN=Snake Oil CA/Email=ca@snakeoil.dom
        Validity
            Not Before: May 18 13:19:14 2004 GMT
            Not After : May 18 13:19:14 2005 GMT
        Subject: C=AU, ST=Some-State, L=Barcelona, O=Internet Widgits Pty Ltd,
OU=FSC12, CN=vtxclere/Email=jfclere@apache.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c6:43:39:c7:ca:23:f1:49:9b:74:42:aa:10:bd:
                    e7:78:7f:af:bc:10:0c:22:57:73:ab:07:43:6c:14:
                    ab:46:e8:88:d0:fe:36:d1:44:99:12:b3:0c:5b:a7:
                    22:01:59:d2:dd:24:63:4a:35:e1:9e:51:5f:92:ad:
                    b0:bc:6c:2f:28:4b:7d:11:04:e5:1a:b8:c3:01:17:
                    98:f2:f9:d0:3a:b2:5f:db:8e:1e:c8:70:13:9f:c2:
                    e3:e8:93:b6:ce:58:c9:8c:f1:3c:dd:01:08:86:ab:
                    ca:0a:b6:89:ea:c7:f3:f7:d5:28:46:22:ba:87:4f:
                    d0:20:0b:54:b1:1f:c8:2a:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F5:C1:BA:E5:03:AB:F3:B4:7E:96:B4:46:2D:21:6B:59:E6:B8:93:5A
            X509v3 Authority Key Identifier:
                DirName:/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil,
Ltd/OU=Certificate Authority/CN=Snake Oil CA/Email=ca@snakeoil.dom
                serial:00
 
            X509v3 Subject Alternative Name:
                DNS:wrongname
    Signature Algorithm: md5WithRSAEncryption
+++
When "X509v3 Subject Alternative Name" is "vtxclere" mozilla works OK.

Actual Results:  
A message box "Security error domain mismatch"
You have attempted to establish a connection with "vtxclere".  However, the
security certificate presented belongs to "vtxclere".


Expected Results:  
A message box "Security error domain mismatch"
You have attempted to establish a connection with "vtxclere".  However, the
security certificate presented belongs to "wrongname".
RFC 2818 says:

   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity. Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used. Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.

That first sentence says that subjectAltNames are to be used EXCLUSIVELY
when present.  They are to be used instead of, not in addition to, the 
Common Name.  That's just what mozilla does.  mozilla's behavior conforms
to this RFC (which is NOT an internet standard, but is widely treated as 
if it were one).  

So, when you decide to get subjectAltName(s) in your cert, you need to 
be sure that ALL the names are listed there.  Don't think of subject
alt names as more names in addition to the one in the Common Name.
Think of them as the complete replacement for the common name.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
The problem is the ERROR MESSAGE: It gives no clues that the "DNS" element of
"X509v3 Subject Alternative Name" does not correspond to the hostname. But
"wrongly" tells that "CommonName" does not correspond to the hostname. A correction
would be to print in the message the "DNS" element of "X509v3 Subject
Alternative Name" instead of the "CommonName" when the "DNS" element is used to
check the certificate.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
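The RFC 2818 rule quoted in the comment above (subjectAltName dNSName entries replace the CN entirely when present) and the error-message fix the reporter asks for (name the identity that was actually checked), as a short Python illustration. This is an added example, not Mozilla or PSM code: it matches names already extracted from a certificate rather than parsing X.509, and the `CertNames`, `verify_hostname`, `mismatch_message` and `legacy_mismatch_message` names are the example's own. The sample names are the ones from the certificate in the report (CN vtxclere, SAN DNS:wrongname); the wildcard handling covers only the leading "*." form that RFC 2818 section 3.1 describes.

```python
"""RFC 2818-style server identity check, with the confusing and the corrected
mismatch message side by side.  Added illustration, not Mozilla/PSM code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Identity-relevant names already extracted from a certificate.

    Constructed input for the example; no X.509 parsing is done here."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)


# Names taken from the certificate pasted in the bug report.
REPORTED_CERT = CertNames(common_name="vtxclere", san_dns=["wrongname"])


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison of one certificate name against the hostname.

    A leading '*.' wildcard covers exactly one left-most label, so '*.a.com'
    matches 'foo.a.com' but neither 'bar.foo.a.com' nor 'a.com' (RFC 2818 3.1)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    head, _, rest = hostname.partition(".")
    return bool(head) and bool(rest) and rest == pattern[2:]


def verify_hostname(hostname: str, names: CertNames) -> Tuple[bool, str, List[str]]:
    """Return (matched, source, identities_checked).

    RFC 2818 3.1: if any dNSName subjectAltName is present, ONLY those names
    are the identity; the Subject CN is consulted only when none exist.  This
    is the rule the bug report runs into: CN=vtxclere is never looked at once
    DNS:wrongname is in the certificate."""
    if names.san_dns:
        source = "subjectAltName dNSName"
        candidates = list(names.san_dns)
    elif names.common_name is not None:
        source = "Subject CN"
        candidates = [names.common_name]
    else:
        return False, "none", []
    matched = any(_dns_name_match(c, hostname) for c in candidates)
    return matched, source, candidates


def legacy_mismatch_message(hostname: str, names: CertNames) -> Optional[str]:
    """The behaviour the reporter complains about: the dialog always prints the
    CN, even when the SAN was what failed, yielding '"vtxclere" ... "vtxclere"'."""
    matched, _, _ = verify_hostname(hostname, names)
    if matched:
        return None
    return (f'You have attempted to establish a connection with "{hostname}". '
            f'However, the security certificate presented belongs to '
            f'"{names.common_name}".')


def mismatch_message(hostname: str, names: CertNames) -> Optional[str]:
    """The corrected message: report the identities that were actually checked
    and which field they came from, so a SAN mismatch says 'wrongname'."""
    matched, source, checked = verify_hostname(hostname, names)
    if matched:
        return None
    return (f'You have attempted to establish a connection with "{hostname}". '
            f'However, the security certificate presented belongs to '
            f'"{", ".join(checked)}" (from {source}).')


if __name__ == "__main__":
    print("legacy :", legacy_mismatch_message("vtxclere", REPORTED_CERT))
    print("fixed  :", mismatch_message("vtxclere", REPORTED_CERT))
```

Running the block prints the two dialog texts for the reported certificate: the legacy one names "vtxclere" twice, the corrected one names "wrongname" and says it came from the subjectAltName. Dropping the SAN from `REPORTED_CERT` makes the same hostname verify via the CN, which is the "works OK" case from the report once the SAN is set to vtxclere.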
All crypto-related error messages are the responsibility of a mozilla 
component named PSM.  The error message handling in PSM is its biggest 
problem.  If you search for error handling bugs against PSM you will
find many.  This bug should be a duplicate of one of those.
I will leave it to you to decide which of those bugs to dup this against.

*** This bug has been marked as a duplicate of 238142 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Product: MailNews → Core
Product: Core → MailNews Core