Closed Bug 422965 Opened 17 years ago Closed 16 years ago

Invalid complaint of ldap server certificate domain mismatch

Categories

(Core :: Security: PSM, defect)

x86
Linux
defect
Not set
normal


RESOLVED DUPLICATE of bug 369112

People

(Reporter: dave, Assigned: KaiE)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080207 Ubuntu/7.10 (gutsy) Firefox/2.0.0.12
Build Identifier: 2.0.0.12 (20080227)

Please see the attached screenshot

Reproducible: Always

Steps to Reproduce:
1. Click "write" to compose a new email
2. Start typing email address

Obviously this happens in my environment, with the directory server ldaps://ldap.luannocracy.com (only valid on my local net) in the "Address Books" pane of my Address Book.
Actual Results:  
Security Error: Domain Name Mismatch

You have attempted to establish a connection with "ldap.luannocracy.com". However, the security certificate presented belongs to "ldap.luannocracy.com".  ... etc.

Expected Results:  
quietly allowed me to type the address I was trying to type.
Attached image screenshot
Assignee: dveditz → kengert
Component: Security → Security: PSM
Product: Thunderbird → Core
QA Contact: thunderbird → psm
I'm not sure this is a PSM bug per se. The unhelpful dialog ("foo doesn't match foo") is a duplicate of another bug -- there really is a cert error, we're just not explaining it well. In the Thunderbird context though I think this bug is saying a cert error on the ldap server should just silently fail and not get in the way of composing a mail message.

Or are you saying that we're incorrectly identifying ldap cert as invalid? To check that out we're going to need to connect to the machine in question, or have you collect more complete log info or something.
Dan is correct.

I think this bug is 1.8 branch only (FF 2), if you get a test build for FF 3, you should see you'll get a better message.

I don't find the exact duplicate of this bug right now...
Maybe you'll find the bug if you look for "subject alt name".
The bug is, the cert contains a SubjectAltName extension, which does not match your server, but we don't use that extension for the error message; we incorrectly use the "common name" from the cert for the error message.

But all the work to improve the error has been around bug 327181.
I have a similar problem:

To reproduce:
Server name:  ldap.foo.com
Certificate:
   Subject: CN = ldap.foo.com
   Extensions.Certificate Subject Alt Name:
           Not Critical
           DNS Name: ldap0.foo.com
           DNS Name: ldap1.foo.com
           DNS Name: ldap2.foo.com

Gets a Domain name mismatch:
  ... attempted to connect to "ldap.foo.com". However, the security certificate belongs to "(ldap0.foo.com, ldap1.foo.com, ldap2.foo.com)". ...

The original <main> subject in the certificate has been forgotten about.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
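The matching rule behind the ldap.foo.com report above, as an added example (not NSS/PSM code): when the certificate carries subjectAltName dNSName entries, those are the only identities compared against the server name and the subject CN is ignored, so the error text must list the SAN names rather than the CN. `Cert` is a hypothetical stand-in for a parsed certificate and the certificate data is constructed inline.

```python
# Added example, not Mozilla/NSS code. Hostname matching follows RFC 2818 s3.1:
# SAN dNSName entries, when present, are authoritative and the CN is ignored.
from dataclasses import dataclass, field


@dataclass
class Cert:                      # hypothetical stand-in for a parsed certificate
    common_name: str                                   # subject CN
    san_dns_names: list = field(default_factory=list)  # dNSName entries of SAN


def names_checked(cert: Cert) -> list:
    """Identities the server name is actually compared against.
    The CN is only a fallback when the cert has no SAN dNSName entries."""
    return list(cert.san_dns_names) if cert.san_dns_names else [cert.common_name]


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive label match; '*' is allowed only as the whole leftmost
    label and never on names with fewer than three labels (e.g. '*.com')."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h) or (len(p) < 3 and "*" in pattern):
        return False
    return all(pl == hl or (i == 0 and pl == "*")
               for i, (pl, hl) in enumerate(zip(p, h)))


def hostname_ok(server: str, cert: Cert) -> bool:
    return any(dns_name_matches(n, server) for n in names_checked(cert))


def legacy_mismatch_message(server: str, cert: Cert) -> str:
    """Firefox 2 / Thunderbird 2 wording: names the CN even though the SAN
    entries were what the server name was compared against."""
    return (f'You have attempted to establish a connection with "{server}". '
            f'However, the security certificate presented belongs to "{cert.common_name}".')


def mismatch_message(server: str, cert: Cert) -> str:
    """Report the names that were really checked, so the dialog can never
    say that foo does not match foo."""
    names = ", ".join(names_checked(cert))
    return (f'You have attempted to establish a connection with "{server}". '
            f'However, the security certificate presented belongs to "({names})".')


if __name__ == "__main__":
    # Constructed to mirror the report: CN names the server, SAN does not.
    cert = Cert("ldap.foo.com", ["ldap0.foo.com", "ldap1.foo.com", "ldap2.foo.com"])
    print(hostname_ok("ldap.foo.com", cert))             # False: SAN present, CN ignored
    print(legacy_mismatch_message("ldap.foo.com", cert))  # confusing: same name twice
    print(mismatch_message("ldap.foo.com", cert))         # lists the three SAN names
```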
