Closed Bug 368187 Opened 19 years ago Closed 5 years ago

Certificate "Subject Alt Name" not respected

Categories

(NSS :: Libraries, defect)

x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: barry.c.davis, Unassigned)

Details

Attachments

(2 files)

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Avant Browser; Avant Browser; .NET CLR 1.1.4322)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1

My appliance has web access over ssl. The certificate uses subjectAltName to list all the IPs that the certificate will validate access on as it has multiple net interfaces with possibly multiple IPs on each interface. Firefox does not seem to pay any attention to this. Opera 9.01 and IE7 work correctly but Firefox 2.0.0.1 does not.

Reproducible: Always

Steps to Reproduce:
Install CA certificate supporting subjectAltName.
Connect to site with certificate containing:
CN: myhostname
Certificate Subject Alt Name
DNS Name: 192.168.1.102
DNS Name: 192.168.8.128

Actual Results:
Popup. Title "Security Error: Domain Name mismatch". You have attempted to establish a connection with "192.168.8.128". However, the security certificate presented belongs to "myhostname". It is possible, though unlikely, that someone may be trying to intercept your communication with this web site. If you suspect the certificate shown does not belong to "192.168.8.128", please cancel the connection and notify the site administrator.

Expected Results:
Certificate accepted and trusted connection setup with no fuss.

Attached image subjectAltName.PNG
Hi Barry! This bug is an apparent duplicate of Bugzilla bug 338419 because:

A) Steps to reproduce of both bugs are similar and/or identical and/or the steps to reproduce of this bug are a portion of the steps to reproduce of the aforementioned bug.
B) The aforementioned bug is older than this bug and has more activity.
C) This bug meets the minimum requirements to be marked as a duplicate under http://www.mozilla.org/quality/help/screening-duplicates.html.

You should comment on that bug if you have any further information to offer. It's also worth noting this bug is similar to the fixed bug 103752, you may want to look at that bug.

Barry, if you feel this was done in error PLEASE REOPEN! We're only human here and bugs occasionally are mis-marked.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Component: Security → Libraries
Product: Firefox → NSS
Resolution: --- → DUPLICATE
This bug still exists in firefox 2.0.0.10
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
This shows the bug still occurring in firefox 2.0.0.10. The "Certificate Subject Alt Name" lists valid alternate hostnames that the certificate page is allowed. The CA name and the names in the "Certificate Subject Alt Name" field should all be respected as owners of the certificate.
(In reply to comment #4)
> Created an attachment (id=293831) [details]
> firefox bug - subjectAltName - 2.0.0.10.PNG
> This shows the bug still occurring in firefox 2.0.0.10
> The "Certificate Subject Alt Name" lists valid alternate hostnames that the
> certificate page is allowed. The CA name and the names in the "Certificate
> Subject Alt Name" field should all be respected as owners of the certificate.

Correction, this was actually firefox 2.0.0.11
In the bug report and the screenshot, the alternative IP addresses are labeled "DNS Name:". That suggests that they were specified in the certificate as dNSName GeneralNames, instead of as iPAddress GeneralNames. If that's the case, then Firefox's behavior is correct here: "192.168.8.128" is not the server's DNS name. If someone can confirm that FF properly handles SANs with an iPAddress GeneralName then I think this is a non-bug. Details: http://tools.ietf.org/html/rfc5280#section-4.2.1.6

Yes, handling by FF of SAN is correct. Please close.

Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago → 5 years ago
Resolution: --- → WORKSFORME
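
The dNSName versus iPAddress distinction raised in the comments above, as an added example that is not part of the original bug thread and is not NSS or Firefox code: a type-aware SAN check in which an IP literal is compared only against iPAddress entries. It assumes SAN entries in the `("DNS", ...)` / `("IP Address", ...)` tuple shape that Python's `ssl` `getpeercert()` returns; the function names are hypothetical, the sample SAN lists are constructed from the values in the report, and wildcard matching is left out.

```python
import ipaddress


def _as_ip(text):
    """Return an ip_address object if text is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def san_matches(san, target):
    """Check target against SAN entries, honouring the GeneralName type.

    san:    tuple of (type, value) pairs, e.g.
            (("DNS", "host.example"), ("IP Address", "192.0.2.10"))
    target: host name or IP literal the client connected to
    """
    target_ip = _as_ip(target)
    for kind, value in san:
        if target_ip is not None:
            # Connecting to an IP literal: only iPAddress entries count.
            # A dNSName that merely looks like an IP is not a match.
            if kind == "IP Address" and _as_ip(value) == target_ip:
                return True
        elif kind == "DNS":
            # Host name: exact, case-insensitive comparison (no wildcards here).
            if value.lower().rstrip(".") == target.lower().rstrip("."):
                return True
    return False


def mistyped_entries(san):
    """List dNSName values that are really IP literals (issuance mistakes)."""
    return [value for kind, value in san if kind == "DNS" and _as_ip(value)]


# Constructed sample: the SAN as shown in the report (IPs labelled "DNS Name").
REPORTED_SAN = (("DNS", "192.168.1.102"), ("DNS", "192.168.8.128"))
# Constructed sample: the same addresses issued as iPAddress entries.
CORRECTED_SAN = (("IP Address", "192.168.1.102"), ("IP Address", "192.168.8.128"))

if __name__ == "__main__":
    print("reported SAN matches: ", san_matches(REPORTED_SAN, "192.168.8.128"))
    print("corrected SAN matches:", san_matches(CORRECTED_SAN, "192.168.8.128"))
    print("entries to reissue:   ", mistyped_entries(REPORTED_SAN))
```

`mistyped_entries` can be run over an inventory of issued certificates to find SANs that need to be reissued with iPAddress entries.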