Closed Bug 266651 Opened 20 years ago Closed 20 years ago

case sensitive comparison done on wildcard hostnames in certs

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jdg, Assigned: nelson)

Details

Attachments

(1 file, 1 obsolete file)

Real Diff against Head-Of-Tree
1.09 KB, patch
nelson
: review+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Win98; rv:1.7.3) Gecko/20040913 Firefox/0.10 Build Identifier: Mozilla/5.0 (Windows; U; Win98; rv:1.7.3) Gecko/20040913 Firefox/0.10 This happened on a private site, so I'll have to "genericize" the domain name, but: When opening the page https://secure.myexampledomain.com/, I get a popup saying that the site has presented an invalid certificate because the certificate actually belongs to Secure.MyExampleDomain.com (the same domain name except for case). Reproducible: Always Steps to Reproduce: Actual Results: I hit "OK" to accept the certificate and was able to continue. Expected Results: It should have accepted the certificate as valid without comment, since domain names are inherently case blind.
Moving to NSS.
Assignee: firefox → wchang0222
Component: General → Libraries
Product: Firefox → NSS
QA Contact: firefox.general → bishakhabanerjee
Nelson, could you look at this? Thanks.
Assignee: wchang0222 → nelson
Here is a guess at an alternative explanation. Submittor, please tell us if this explanation is correct. The cert probably has a domain name in the Common Name attribute of the SubjectName, and also one or more domain names as subject alternative names. The domain name given in the Common Name attribute is probably NOT also listed among the subject alternative names. The name being tested in the URL is the name in the subject's CN, and not one of the alternative names. If this explanation matches the facts, then this bug is invalid. The software is working according to the RFC 2818, which states: If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used.
Whiteboard: waiting for input from submittor
I'm not in a position to know that. I don't own the target site.
Whiteboard: waiting for input from submittor
You don't need to own the target site. You only need to get the cert from the target site and examine it. We need evidence to support the hypothesis. Otherwise, all we have is conjecture. In the absence of evidence of the real problem, we'll eventually have to mark this bug invalid.
Whiteboard: waiting for evidence of the real problem.
It is not stated in the description of this bug, but if the private certificate the user had contained a wildcard, then what the user describes is exactly what this patch fixes.
It is not stated, but if the certificate they were testing with contained a wildcard, a bug in security/nss/lib/util/portreg.c will cause it to be compared in a case-sensitive manner and fail. This is happening in the real-world today at: https://xpennstatewrestlingclub.merchantquest.net/ who's certificate has a CN containing *.MerchantQuest.Net and firefox is complaining about the mismatch. To recreate, just create a server wildcard cert using mixed case and try to access it from firefox. Firefox complains. Try a mixed case fqdn CN and firefox accepts it. This is against head-of-tree as of Nov. 11th, 2004.
Sorry, old diff was against a sticky tag. Real diff against Head-Of-Tree
Attachment #165580 - Attachment is obsolete: true
By the way, we have notified https://xpennstatewrestlingclub.merchantquest.net/ of the issue. They may request a new cert that is all lowercase to work around this problem, so my real-world example my not work by the time someone else gets around to testing against it. However, it is easily replicated on a private web server by using a wild-card and mixed case in the CN of a cert.
Ken, thanks for the patch! Would you like me to add your name and email address to the list of contributors to that file? If so, please indicate the email address you'd like me to use.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Priority: -- → P2
Target Milestone: --- → 3.10
Version: unspecified → 3.9
Summary: domain name in certificate is case sensitive → case sensitive comparison done on wildcard hostnames in certs
Whiteboard: waiting for evidence of the real problem.
Comment on attachment 165582 [details] [diff] [review] Real Diff against Head-Of-Tree Will check in when I get attribution feedback from patch contributor.
Attachment #165582 - Flags: review+
(In reply to comment #11) > (From update of attachment 165582 [details] [diff] [review]) > Will check in when I get attribution feedback from patch contributor. > Glad to finally be able to be in a position to give something back to the project. The little patch hardly seems worthy of an attribution, but there is a coolness factor I can't resist. Ken Key <key+mozilla@ksquared.net> works for me. Thanks, K^2
Bug is not platform dependent. Fix tested. About to checkin.
Severity: minor → normal
OS: Windows 98 → All
Hardware: PC → All
Checking in portreg.c; /cvsroot/mozilla/security/nss/lib/util/portreg.c,v <-- portreg.c new revision: 1.4; previous revision: 1.3 Thanks, Ken!
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: