Closed Bug 313946 Opened 19 years ago Closed 19 years ago

If the server serves a SSL certificate where the common name != host name Firefox just shows a blank page

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Version:
1.5.0.x Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED WORKSFORME

People

(Reporter: stephan.klein, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20051006 Firefox/1.4.1 If the server serves a SSL certificate where the common name != host name Firefox just shows a blank page. I think we should give the user at least a message that the Page won't load because of the broken certificate. Maybe there is also a way to bypass this security setting to view the page despite the invalid certificate. I had this problem with Firefox 1.5 Beta 2 while trying to access my domain control panel. Trying to download the page with wget got me the message --[snip]-- ERROR: Certificate verification error for xxxx.evanzo-server.de: self signed certificate ERROR: certificate common name `plesk' doesn't match requested host name `xxxxx.evanzo-server.de'. To connect to xxxxx.evanzo-server.de insecurely, use `--no-check-certificate'. Unable to establish SSL connection. --[snap]-- Maybe there is a --no-check-certificate Option (via Dialog) for Firefox too? Reproducible: Always Steps to Reproduce: 1. Open a page via HTTPS that sends Firefox 1.5 Beta 2 a certificate where the common name does not match the requested host name. Actual Results: about:blank opens Expected Results: At least an error message that tells the user that the certificate is broken. Or, better, an option to view the page anyway. Installed extensions (if that is any help): Talkback 1.4.1 Reporter 1.8b5 ShowIP 0.7.11 CustomizeGoogle 0.31 Tabbrowser Preferences 1.2.8.6 Web Developer 0.9.4 Stumble Upon 2.04 Adblock Plus 0.5.10 SwitchProxy Tool 1.3.2 (disabled because not compatible yet with FF1.5B2) Adblock Filterset.G Updater 0.2.6 Feedview 0.9.8 Html Validator 0.7.4
Version: unspecified → 1.5 Branch
Do you have an example site where this happens, I'm pretty sure I've had no problem with this but the site Im thinking of is no longer up.
Just try https://62.140.23.14:8443/
Displays fine for me. Shows a warning about the certificate being untrusted, then a second warning that the common name is wrong, then displays the page. WFM Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051026 Firefox/1.6a1 ID:2005102605
Alright after a restart, Firefox shows me the corresponding warning. Seems not be be "Reproducable: Always"... Strange thing that.
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20051003 Firefox/1.4.1 WFM on Linux as well. It shows a blank page when JS is disabled, but that is expected given the code on the page (redirect in onLoad handler).
Alright, I think I made a mistake there. Everything works fine for me again. Sorry to everyone I bothered! Stephan
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.