Closed
Bug 243933
Opened 20 years ago
Closed 20 years ago
Mozilla uses CN (CommonName) and X509v3 Subject Alternative Name a weird way.
Categories
(MailNews Core :: LDAP Integration, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 238142
People
(Reporter: jeanfrederic.clere.ext, Assigned: sspitzer)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040517
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7b) Gecko/20040517

When using LDAP + SSL, Mozilla complains when the "X509v3 Subject Alternative Name" does not correspond to the hostname even if the CommonName (CN) of the certificate is correct. It displays a message telling that the certificate does not correspond to the host. The message is wrong: it says the certificate belongs to "CommonName", which is not "hostname", when the two values are the same.

Reproducible: Always

Steps to Reproduce:
A certificate to reproduce the problem could be like the following:

+++
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 20 (0x14)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Certificate Authority, CN=Snake Oil CA/Email=ca@snakeoil.dom
        Validity
            Not Before: May 18 13:19:14 2004 GMT
            Not After : May 18 13:19:14 2005 GMT
        Subject: C=AU, ST=Some-State, L=Barcelona, O=Internet Widgits Pty Ltd, OU=FSC12, CN=vtxclere/Email=jfclere@apache.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c6:43:39:c7:ca:23:f1:49:9b:74:42:aa:10:bd:
                    e7:78:7f:af:bc:10:0c:22:57:73:ab:07:43:6c:14:
                    ab:46:e8:88:d0:fe:36:d1:44:99:12:b3:0c:5b:a7:
                    22:01:59:d2:dd:24:63:4a:35:e1:9e:51:5f:92:ad:
                    b0:bc:6c:2f:28:4b:7d:11:04:e5:1a:b8:c3:01:17:
                    98:f2:f9:d0:3a:b2:5f:db:8e:1e:c8:70:13:9f:c2:
                    e3:e8:93:b6:ce:58:c9:8c:f1:3c:dd:01:08:86:ab:
                    ca:0a:b6:89:ea:c7:f3:f7:d5:28:46:22:ba:87:4f:
                    d0:20:0b:54:b1:1f:c8:2a:f5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F5:C1:BA:E5:03:AB:F3:B4:7E:96:B4:46:2D:21:6B:59:E6:B8:93:5A
            X509v3 Authority Key Identifier:
                DirName:/C=XY/ST=Snake Desert/L=Snake Town/O=Snake Oil, Ltd/OU=Certificate Authority/CN=Snake Oil CA/Email=ca@snakeoil.dom
                serial:00
            X509v3 Subject Alternative Name:
                DNS:wrongname
    Signature Algorithm: md5WithRSAEncryption
+++

When "X509v3 Subject Alternative Name" is "vtxclere" mozilla works OK.

Actual Results:
A message box "Security error domain mismatch":
You have attempted to establish a connection with "vtxclere". However, the security certificate presented belongs to "vtxclere".

Expected Results:
A message box "Security error domain mismatch":
You have attempted to establish a connection with "vtxclere". However, the security certificate presented belongs to "wrongname".
Comment 1•20 years ago
RFC 2818 says:

    If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

That first sentence says that subjectAltNames are to be used EXCLUSIVELY when present. They are to be used instead of, not in addition to, the Common Name. That's just what mozilla does. mozilla's behavior conforms to this RFC (which is NOT an internet standard, but is widely treated as if it was one).

So, when you decide to get subjectAltName(s) in your cert, you need to be sure that ALL the names are listed there. Don't think of subject alt names as more names in addition to the one in the Common Name. Think of them as the complete replacement for the common name.
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Comment 2•20 years ago
The problem is the ERROR MESSAGE: it gives no clues that the "DNS" element of "X509v3 Subject Alternative Name" does not correspond to the hostname, but "wrongly" says that "CommonName" does not correspond to the hostname. A correction would be to print in the message the "DNS" element of "X509v3 Subject Alternative Name" instead of the "CommonName" when the "DNS" element is used to check the certificate.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
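The RFC 2818 rule quoted in Comment 1 (SAN dNSName used exclusively when present, CN only as a fallback) and the error-message correction proposed in Comment 2 (report the name that was actually checked) together, as an added example; this is illustrative code, not Mozilla's PSM, and the certificate dictionaries are constructed from the CN and SAN of the certificate in the report.

```python
# Added example, not Mozilla/PSM code: RFC 2818 identity selection as Comment 1
# describes it, plus the error-message fix Comment 2 asks for.

def rfc2818_identities(cert):
    """Return (source, names) per RFC 2818 section 3.1: if any subjectAltName
    dNSName is present those names are the identity, used EXCLUSIVELY;
    otherwise the most specific (last) CN in the Subject is used."""
    dns_names = [n for kind, n in cert.get("subject_alt_names", []) if kind == "DNS"]
    if dns_names:
        return "subjectAltName", dns_names
    cns = [v for k, v in cert["subject"] if k == "CN"]
    return "CN", cns[-1:]

def _name_matches(pattern, host):
    """Case-insensitive match; '*.' covers exactly one leftmost label (RFC 2818)."""
    p, h = pattern.lower(), host.lower()
    if p.startswith("*."):
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return p == h

def verify_host(cert, host):
    """Return (ok, source, checked_names); checked_names is what an error
    message should display, since those are the names actually compared."""
    source, names = rfc2818_identities(cert)
    return any(_name_matches(n, host) for n in names), source, names

def mismatch_message(cert, host):
    """None when the host matches, otherwise the dialog text naming the
    identity that was really checked (not the CN, as the buggy dialog did)."""
    ok, source, names = verify_host(cert, host)
    if ok:
        return None
    return ('Security error domain mismatch: you have attempted to establish a '
            f'connection with "{host}". However, the security certificate presented '
            f'belongs to "{", ".join(names)}" (from {source}).')

# Constructed from the certificate in the bug report (subject CN and SAN only).
BUG_CERT = {
    "subject": [("C", "AU"), ("ST", "Some-State"), ("L", "Barcelona"),
                ("O", "Internet Widgits Pty Ltd"), ("OU", "FSC12"), ("CN", "vtxclere")],
    "subject_alt_names": [("DNS", "wrongname")],
}
# Same certificate with the SAN removed: the CN fallback then applies.
CN_ONLY_CERT = {"subject": BUG_CERT["subject"]}

if __name__ == "__main__":
    print(mismatch_message(BUG_CERT, "vtxclere"))   # reports "wrongname", not the CN
    print(verify_host(CN_ONLY_CERT, "vtxclere"))    # (True, 'CN', ['vtxclere'])
```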
Comment 3•20 years ago
All crypto-related error messages are the responsibility of a mozilla component named PSM. The error message handling in PSM is its biggest problem. If you search for error handling bugs against PSM you will find many. This bug should be a duplicate of one of those. I will leave it to you to decide which of those bugs to dup this against.
Comment 4•20 years ago
*** This bug has been marked as a duplicate of 238142 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago → 20 years ago
Resolution: --- → DUPLICATE
Updated•20 years ago
Product: MailNews → Core
Updated•16 years ago
Product: Core → MailNews Core