Closed Bug 442558 Opened 17 years ago Closed 9 years ago

unexpected host name mismatch when using socks5 proxy

Categories

(Core :: Security: PSM, defect)

x86
Linux
defect
Not set
major

RESOLVED INCOMPLETE

People

(Reporter: BryanRJ, Unassigned, NeedInfo)

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9) Gecko/2008062801 (Gentoo) Minefield/3.0
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9) Gecko/2008062801 (Gentoo) Minefield/3.0

The sites https://mail.q3q.us and https://mail.braujac.org both point to the same server. It uses a certificate containing CN=mail.q3q.us and subjectAltName=DNS:mail.q3q.us,DNS:mail.braujac.org,DNS:mail.whitestates.org. Visiting mail.q3q.us works fine. mail.braujac.org displays a warning stating "The certificate is only valid for the following names: mail.q3q.us , mail.braujac.org , mail.q3q.us , mail.whitestates.org". Note that mail.q3q.us is in there twice, despite the fact that CN is supposed to be completely ignored in the presence of subjectAltName. Opera 9.5 will display the page fine through whatever URL.

Reproducible: Always

Steps to Reproduce:
1. Visit https://mail.q3q.us
2. Observe that it displays fine if you accept CACert as trusted
3. Visit https://mail.braujac.org
4. See the warning; compare the names displayed with the URL bar

Actual Results: Only the URL from the CN works.

Expected Results: ONLY the subjectAltName should work - the CN ***SHOULD NOT*** unless also in the subjectAltName!

For some reason, my wget 1.11.1 also refuses to fetch the page. I think that's an independent bug.
OK, I think I've tracked this down a bit better:

- the problem only occurs when using a TCP proxy.

I was running an SSH socks5 proxy via proxychains. Connecting directly, this does not happen. But proxychains causes all TCP traffic to be tunneled - and there's still no problem visiting sites whose CNs match. DNS resolution isn't the problem - the DNS entries for the hostname are consistent regardless of which end does the resolution. Why is this happening?
I was about to mark this WORKSFORME, when your comment 1 arrived. NSS only has one function for checking host names in certs, and it's the same whether using proxies or not. It does handle SANs (as you seem to know). However, I think it's likely that the name that NSS is asked to find in the cert does change when you use a proxy. Tell us how you have this proxy configured in your browser. Please provide all the details so that we might try to reproduce it exactly.
Assignee: nobody → kaie
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: libraries → psm
Summary: subjectAltName non-functional → unexpected host name mismatch when using socks5 proxy
(In reply to comment #2)
> I was about to mark this WORKSFORME, when your comment 1 arrived.
> NSS only has one function for checking host names in certs, and it's the
> same whether using proxies or not. It does handle SANs (as you seem to know).
>
> However, I think it's likely that the name that NSS is asked to find in the
> cert does change when you use a proxy.
>
> Tell us how you have this proxy configured in your browser.
> Please provide all the details so that we might try to reproduce it exactly.

OK. Let "laptop" be the computer running firefox. Let "server" be the proxy server.

    server$ dig www.braujac.org
    ;; ANSWER SECTION:
    www.braujac.org. 86321 IN A 128.151.220.33

    server$ dig www.q3q.us
    ;; ANSWER SECTION:
    www.q3q.us. 86400 IN A 128.151.220.33

    laptop$ dig www.braujac.org
    ;; ANSWER SECTION:
    www.q3q.us. 17765 IN A 128.151.220.33

    laptop$ dig www.q3q.us
    ;; ANSWER SECTION:
    www.q3q.us. 17765 IN A 128.151.220.33

So, DNS is not the issue: at both ends, both names resolve to the same IP.

    laptop$ firefox                    # Firefox works here
    laptop$ ssh -N -D 9999 server &    # Establish SSH socks5 proxy on local port 9999
    laptop$ cat /etc/proxychains.conf
    strict_chain
    proxy_dns
    socks5 127.0.0.1 9999
    laptop$ proxychains firefox        # Firefox does not work here, as described

proxychains version 3.1, openssh 5.0_p1

This does NOT occur when using the same proxy through FoxyProxy. However, in-browser methods like FoxyProxy are not sufficient as embedded content doesn't go through the proxy - Flash videos, etc. go from "laptop" instead of "server".

Maybe this is a proxychains bug? I have, however, verified that Opera works through proxychains. And at any rate, displaying the same name twice in the "only valid for" list is a Firefox bug. Something subtle is going on here.
More notes:

- Does not occur when not using "proxy_dns" in proxychains.conf
- Same results when using localhost as the proxy server (ssh -D 9999 localhost)
- proxychains.conf should be:

    strict_chain
    proxy_dns
    [ProxyList]
    socks5 127.0.0.1 9999

- If quiet_mode is off in proxychains.conf, the DNS query for www.braujac.org is shown on the command line and has the correct result.
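Added example, not part of the original bug thread and not NSS or PSM code: a small SAN-first host name check in Python, run against the certificate names from the report. It shows that a matcher which honours subjectAltName accepts both mail.q3q.us and mail.braujac.org, ignores the CN whenever SAN entries exist, lists each name once, and fails only when the name it is asked to find is something else. The function names are hypothetical, and using the server's IP address as that "something else" is an assumption; the thread does not establish which name was actually passed to the check.

```python
# Added illustration; not NSS/PSM code. All function names are hypothetical.

def label_match(pattern, host):
    """Compare one presented name with the reference name, case-insensitively.
    A wildcard is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two further labels so "*.us" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def presented_names(cn, san_dns):
    """Names a verifier may match: the SAN dNSName entries if any exist,
    otherwise the CN as a fallback (RFC 2818 section 3.1).
    Order is kept and duplicates are dropped."""
    source = san_dns if san_dns else ([cn] if cn else [])
    seen, out = set(), []
    for name in source:
        key = name.lower().rstrip(".")
        if key not in seen:
            seen.add(key)
            out.append(name)
    return out


def verify_host(reference, cn, san_dns):
    """Return (ok, names); names is the list to show in a mismatch warning."""
    names = presented_names(cn, san_dns)
    return any(label_match(n, reference) for n in names), names


# Certificate names as given in the report.
CN = "mail.q3q.us"
SAN = ["mail.q3q.us", "mail.braujac.org", "mail.whitestates.org"]

if __name__ == "__main__":
    # The IP address is an assumed stand-in for "a different reference name".
    for ref in ("mail.q3q.us", "mail.braujac.org", "128.151.220.33"):
        ok, names = verify_host(ref, CN, SAN)
        state = "match" if ok else "MISMATCH"
        print(f"{ref:18} {state:9} valid for: {', '.join(names)}")
```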
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody. Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Is this still an issue?
Flags: needinfo?(BryanRJ)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE