Bug 491406 - *.wiki.sourceforge.net not valid site for *.sourceforge.net SSL certificate
Status: RESOLVED WONTFIX
Product: NSS
Classification: Components
Component: Libraries
Version: unspecified
Platform: x86 Mac OS X
Importance: -- normal
Target Milestone: ---
Assigned To: nobody
https://www.wiki.sourceforge.net/
Reported: 2009-05-04 16:30 PDT by Peter Ansell
Modified: 2009-07-04 12:40 PDT

Description Peter Ansell 2009-05-04 16:30:12 PDT
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4

*.wiki.sourceforge.net sites can't utilise the *.sourceforge.net issued SSL certificate according to the default SSL certificate checking mechanism

Reproducible: Always

Steps to Reproduce:
1. Go to https://bio2rdf.wiki.sourceforge.net/ or https://www.wiki.sourceforge.net/

Actual Results:
See error saying that certificate issued for *.sourceforge.net is not valid for bio2rdf.wiki.sourceforge.net when it might be expected to be valid and trusted from a user's point of view.

Expected Results:
Allow access to secure site using the given certificate.

Comment 1 Johnathan Nightingale [:johnath] 2009-05-05 06:34:06 PDT
I believe this behaviour is as-designed, since our interpretation of wildcards is specified to only go one level "deep." In any event though, moving this to NSS, where the decision is made.

Comment 2 Nelson Bolyard (seldom reads bugmail) 2009-05-05 11:18:14 PDT
Historically, Mozilla has been the only browser that allowed a wildcard 
character to match multiple levels of subdomain.  This behavior did not 
conform to the relevant RFC, and became viewed as a security risk, so 
Firefox 3.5 has changed to conform to RFC 2818.  See bug 159483.
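
The two wildcard interpretations contrasted in comment 2, as an added example that is not part of the original thread and is not NSS's code. The function names, the `uncovered` audit helper and the two non-wiki hosts in the sample list are assumptions made for illustration; the sketch treats only a whole left-most `*` label as a wildcard.

```python
# Added example (not NSS code): models the two wildcard readings from comment 2.
# Simplification: only a whole left-most "*" label is treated as a wildcard;
# partial-label patterns such as "f*.example" are compared literally.

def _labels(name):
    """Lower-case a DNS name, drop one trailing root dot, split into labels."""
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def matches_strict(pattern, host):
    """Single-level reading (RFC 2818): '*' stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or "" in h:
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def matches_legacy(pattern, host):
    """Multi-level reading: '*' may absorb one or more labels."""
    p, h = _labels(pattern), _labels(host)
    if p[0] != "*":
        return p == h
    suffix = p[1:]
    if not suffix or "" in h or len(h) <= len(suffix):
        return False
    return h[-len(suffix):] == suffix

def uncovered(hosts, cert_names, match=matches_strict):
    """Return the hosts that no name in the certificate matches."""
    return [h for h in hosts if not any(match(n, h) for n in cert_names)]

# Certificate name from the bug report; the host list is a constructed sample
# (the two wiki hosts are from the report, the other two are illustrative).
CERT_NAMES = ["*.sourceforge.net"]
HOSTS = [
    "www.sourceforge.net",
    "bio2rdf.wiki.sourceforge.net",
    "www.wiki.sourceforge.net",
    "sourceforge.net",
]

if __name__ == "__main__":
    for label, fn in (("strict", matches_strict), ("legacy", matches_legacy)):
        print(label, "uncovered:", uncovered(HOSTS, CERT_NAMES, fn))
```

Running `uncovered` over the hostnames a server actually answers to, before the certificate is deployed, shows which names need their own certificate or an additional subject alternative name.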

Comment 3 Jacques Marneweck 2009-07-04 07:21:07 PDT
Insane that one needs to tell people to do the following:

You will need to click on the "Add Exception..." link, ignore the warning about "You are about to override how Firefox identifies this site. Legitimate banks, stores, and other public sites will not ask you to do this.". Click on "Get Certificate" and then click on "Confirm Security Exception".

Comment 4 Nelson Bolyard (seldom reads bugmail) 2009-07-04 12:40:24 PDT
Almost as insane as people putting certificates on their web servers that
do not match the DNS names used by those servers, and then expecting all
to work without any errors.
