Closed
Bug 495339
Opened 15 years ago
Closed 15 years ago
wildcards in SSL certificates no longer match multiple levels of subdomain
Categories
(Firefox :: General, defect)
RESOLVED
INVALID
People
(Reporter: gioquahc, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042809 GranParadiso/3.0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042809 GranParadiso/3.0.10

The site is clearly using a wildcard certificate that covers the URL in question.

Reproducible: Always

Steps to Reproduce:
1. Load secure URL into browser

Actual Results:
Receive warning that secure connection has failed

Expected Results:
Site should load with the same content as http://swiftspirit.co.za.plesk01.glodns.net/
Updated•15 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 2•15 years ago
This is NOT a duplicate of bug 159483. It is the antithesis of bug 159483.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 3•15 years ago
This bug is invalid. It complains that a cert with the wildcard pattern *.glodns.net does not match the DNS name swiftspirit.co.za.plesk01.glodns.net, but that failure to match is REQUIRED by the relevant Internet standards. It was the old behavior, where it _DID_ match, that was a bug. A "*" can now only match a single component of a DNS name. It cannot match a dot. *.glodns.net is allowed to match the DNS name plesk01.glodns.net but not the names za.plesk01.glodns.net or co.za.plesk01.glodns.net or swiftspirit.co.za.plesk01.glodns.net.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → INVALID
Comment 5•15 years ago
Hi Nelson, Do you have a link to the Internet standards which state this should not match?
Comment 6•15 years ago
RFC 2818 specifies the new action for TLS. I can find no standard as to how this is supposed to work under SSL2 or SSL3 before TLS, however it appears Mozilla was always in the minority with its old behaviour.
Comment 7•15 years ago
RFC 2818, on page 4:
Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
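The rule quoted above (and stated in comment 3), as an added example that is not part of this bug thread: a label-by-label RFC 2818 matcher, beside a reconstruction of the older cross-dot behaviour the thread describes. The legacy function is an assumption about that old behaviour for comparison, not Mozilla's actual code.

```python
import re


def _label_matches(pattern_label: str, name_label: str) -> bool:
    """Compare one certificate label with one hostname label.
    A '*' may stand for any run of characters inside this label, so it can
    cover a whole component ('*') or a fragment ('f*'), but never a dot."""
    regex = re.escape(pattern_label).replace(r"\*", "[^.]*")
    return re.fullmatch(regex, name_label) is not None


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """Current behaviour: split both names into DNS labels and match label by
    label. Because the label counts must agree, '*.glodns.net' covers
    plesk01.glodns.net but not za.plesk01.glodns.net or anything deeper."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def legacy_match(pattern: str, hostname: str) -> bool:
    """Assumed reconstruction of the old behaviour the thread describes:
    '*' matched any string, dots included, so one wildcard cert covered
    every depth of subdomain. Not Mozilla's code."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*")
    return re.fullmatch(regex, hostname.lower()) is not None


def matches_any(dns_names, hostname) -> bool:
    """RFC 2818: when a cert carries several dNSName entries, a match on
    any one of them is acceptable."""
    return any(rfc2818_match(n, hostname) for n in dns_names)


if __name__ == "__main__":
    # Names taken from the bug thread and from the RFC 2818 text quoted above.
    cases = [
        ("*.glodns.net", "plesk01.glodns.net"),
        ("*.glodns.net", "za.plesk01.glodns.net"),
        ("*.glodns.net", "swiftspirit.co.za.plesk01.glodns.net"),
        ("*.a.com", "foo.a.com"),
        ("*.a.com", "bar.foo.a.com"),
        ("f*.com", "foo.com"),
        ("f*.com", "bar.com"),
    ]
    for pat, host in cases:
        print(f"{pat:14} {host:40} new={rfc2818_match(pat, host)!s:5} "
              f"old={legacy_match(pat, host)}")
```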
Comment 8•15 years ago
I just ran a quick test and I could find no non-Mozilla browser that does not work the way Mozilla does now on the trunk. I tested IE, Opera, Safari and Chrome. They all work the same way as the new Mozilla behavior.
Updated•15 years ago
OS: Linux → All
Hardware: x86 → All
Summary: wildcard SSL certificate not recognised to match → wildcards in SSL certificates no longer match multiple levels of subdomain
Version: unspecified → 3.0 Branch