Closed Bug 351698 Opened 18 years ago Closed 17 years ago

Certificate mismatch warning for https://bugzilla.mozilla.org./ (note trailing dot for absolute DNS)

Categories

(Core :: Security: PSM, defect)

1.8 Branch
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 134402

People

(Reporter: bugzilla.mozilla.org, Assigned: KaiE)

Details

If I call a secure site https://www.server.com./, firefox complains that the certificate belongs to "www.server.com" and not to "www.server.com.".

"www.server.com." is the notation for an absolute address, that means no domain suffix is appended.

Assume there is a server "test.org.mycompany.com", then "http://test.org" would go to "http://test.org.mycompany.com./", but "http://test.org." goes only to "http://test.org./".
This is probably a Core bug, no?
Assignee: nobody → kengert
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general
Summary: www.server.com <> www.server.com. → Certificate mismatch warning for https://bugzilla.mozilla.org./ (note trailing dot for absolute DNS)
Version: unspecified → Trunk
I can confirm this behavior with https://bugzilla.mozilla.org./ using a Mac trunk build of Firefox. And I agree that it seems like a bug.
I believe this is a bug in NSS, because our application module PSM brings up that mismatch dialog after NSS complains about a bad cert with error code: SSL_ERROR_BAD_CERT_DOMAIN

-> NSS
Assignee: kengert → nobody
Component: Security: PSM → Libraries
Product: Core → NSS
QA Contact: libraries
Version: Trunk → 3.11.3
No, I disagree that this is an NSS bug.  
NSS requires that SSL_SetURL be called with the string that is to match
one of the names in the cert. 
Note that DNS plays no part in that matching.  The names used for matching
might not even be DNS names as far as NSS is concerned.  
If the calling application has knowledge that the name is a DNS name, and
that the trailing dot can (and should) be stripped, the calling application
must do that.  
Assignee: nobody → kengert
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries
Version: 3.11.3 → 1.8 Branch
Thanks to Nelson for pointing me into the right direction.

I can see that PSM does forward the associated host name to NSS.
That host name is passed into PSM by Necko, at SSL socket construction time.

http://lxr.mozilla.org/seamonkey/ident?i=NewSocket
http://lxr.mozilla.org/seamonkey/ident?i=AddToSocket

Should Gecko be changed to pass in a stripped/normalized host name?

If you agree, please reassign to Gecko.
QA Contact: psm
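The normalization step Nelson describes and Kai proposes for the caller (strip the trailing dot of an absolute DNS name before the textual match against the certificate's names), as an added illustration that is not NSS, PSM or Necko code. The `normalize_host` and `host_matches_cert` helpers are hypothetical; the matching is purely string comparison, as Nelson notes, so no DNS search suffix is ever appended.

```python
"""Host-name normalisation before certificate name matching (constructed example)."""
import ipaddress


def normalize_host(host: str) -> str:
    """Return the requested host in the form certificate names are compared against.

    A single trailing dot marks an absolute DNS name ("www.server.com.");
    certificates carry "www.server.com", so the dot is dropped. DNS names are
    case-insensitive, so the result is lower-cased. Literal IP addresses
    (with or without IPv6 brackets) are returned unchanged.
    """
    host = host.strip()
    try:
        ipaddress.ip_address(host.strip("[]"))
        return host
    except ValueError:
        pass
    if host.endswith("."):
        host = host[:-1]
    return host.lower()


def _name_matches(cert_name: str, host: str) -> bool:
    """Match one certificate DNS name against an already normalised host.

    A wildcard is honoured only as the entire left-most label ("*.example.com")
    and must cover exactly one label; otherwise the names must be identical.
    """
    cert_name = cert_name.lower()
    if cert_name.startswith("*."):
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cert_name[2:]
    return cert_name == host


def host_matches_cert(host: str, cert_names) -> bool:
    """True if the requested host names one of the certificate's DNS names.

    The comparison is textual only: no lookup is performed and no search
    domain is appended, so a bare "www" never matches "www.mycompany.com".
    """
    normalized = normalize_host(host)
    return any(_name_matches(name, normalized) for name in cert_names)
```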
What happens if I'm in the domain mycompany.com and I go to https://www and the certificate belongs to www.mycompany.com?
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE