Bug 491406 - * not valid site for * SSL certificate
Product: NSS
Classification: Components
Component: Libraries
Version: unspecified
Platform: x86 Mac OS X
Importance: -- normal
Assigned To: nobody
Reported: 2009-05-04 16:30 PDT by Peter Ansell
Modified: 2009-07-04 12:40 PDT

Description Peter Ansell 2009-05-04 16:30:12 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4

* sites can't utilise the * issued SSL certificate according to the default SSL certificate checking mechanism

Reproducible: Always

Steps to Reproduce:
1. Go to or
Actual Results:  
See error saying that certificate issued for * is not valid for when it might be expected to be valid and trusted from a user's point of view.

Expected Results:  
Allow access to secure site using the given certificate.

Comment 1 Johnathan Nightingale [:johnath] 2009-05-05 06:34:06 PDT
I believe this behaviour is as-designed, since our interpretation of wildcards is specified to only go one level "deep." In any event though, moving this to NSS, where the decision is made.

Comment 2 Nelson Bolyard (seldom reads bugmail) 2009-05-05 11:18:14 PDT
Historically, Mozilla has been the only browser that allowed a wildcard 
character to match multiple levels of subdomain.  This behavior did not 
conform to the relevant RFC, and became viewed as a security risk, so 
Firefox 3.5 has changed to conform to RFC 2818.  See bug 159483.
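
The single-level wildcard rule described in Comment 2, as an added example that is not part of the original thread and is not NSS's own code. The function name `cert_name_matches`, the `span_dots` switch and the `example.test` hostnames in the usage are hypothetical, and requiring `*` to cover at least one character is a choice made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive comparison of n bytes of two ASCII DNS names. */
static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/*
 * Match host against a certificate name pattern holding at most one '*',
 * accepted only in the leftmost label.
 *   span_dots = 0: '*' stays inside one label (the RFC 2818 reading).
 *   span_dots = 1: '*' may cover several labels (the older multi-level
 *                  behaviour the thread says was dropped).
 * Returns 1 on match, 0 otherwise.
 */
int cert_name_matches(const char *pattern, const char *host, int span_dots) {
    size_t plen = strlen(pattern), hlen = strlen(host);
    const char *star = strchr(pattern, '*');

    if (!star) /* no wildcard: exact, case-insensitive match */
        return plen == hlen && eq_nocase(pattern, host, plen);

    const char *first_dot = strchr(pattern, '.');
    /* Reject a second '*' and any '*' outside the leftmost label. */
    if (strchr(star + 1, '*') || !first_dot || star > first_dot)
        return 0;

    size_t pre = (size_t)(star - pattern); /* literal text before '*' */
    size_t suf = plen - pre - 1;           /* literal text after '*'  */
    if (hlen < pre + suf + 1) /* assumption: '*' covers >= 1 character */
        return 0;
    if (!eq_nocase(pattern, host, pre) ||
        !eq_nocase(star + 1, host + hlen - suf, suf))
        return 0;

    /* A dot inside the part consumed by '*' means a deeper subdomain. */
    if (!span_dots && memchr(host + pre, '.', hlen - pre - suf))
        return 0;
    return 1;
}
```

With `span_dots` set to 0, `*.example.test` matches `www.example.test` but not `a.b.example.test`, which is the mismatch the reporter ran into.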

Comment 3 Jacques Marneweck 2009-07-04 07:21:07 PDT
Insane that one needs to tell people to do the following:

You will need to click on the "Add Exception..." link, ignore the warning about "You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.". Click on "Get Certificate" and then click on "Confirm Security Exception".

Comment 4 Nelson Bolyard (seldom reads bugmail) 2009-07-04 12:40:24 PDT
Almost as insane as people putting certificates on their web servers that
do not match the DNS names used by those servers, and then expecting all
to work without any errors.
