Closed Bug 495339 Opened 15 years ago Closed 15 years ago

wildcards in SSL certificates no longer match multiple levels of subdomain

Categories

(Firefox :: General, defect)

3.0 Branch
defect
Not set
major

RESOLVED INVALID

People

(Reporter: gioquahc, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042809 GranParadiso/3.0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.10) Gecko/2009042809 GranParadiso/3.0.10

The site is clearly using a wildcard certificate that covers the URL in question.

Reproducible: Always

Steps to Reproduce:
1. Load secure URL into browser
Actual Results:  
Receive warning that secure connection has failed

Expected Results:  
Site should load with the same content as http://swiftspirit.co.za.plesk01.glodns.net/
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
This is NOT a duplicate of bug 159483. It is the antithesis of bug 159483.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
This bug is invalid.   
It complains that a cert with the wildcard pattern  *.glodns.net
does not match the DNS name swiftspirit.co.za.plesk01.glodns.net 
but that failure to match is REQUIRED by the relevant Internet standards.
It was the old behavior, where it _DID_ match, that was a bug.  

A "*" can now only match a single component of a DNS name.  
It cannot match a dot.  *.glodns.net is allowed to match the DNS name
                  plesk01.glodns.net  but not the names
               za.plesk01.glodns.net or
            co.za.plesk01.glodns.net or
swiftspirit.co.za.plesk01.glodns.net
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
Hi Nelson,

Do you have a link to the Internet standards which state this should not match?
RFC 2818 specifies the new action for TLS.

I can find no standard as to how this is supposed to work under SSL2 or SSL3 before TLS, however it appears Mozilla was always in the minority with its old behaviour.
RFC 2818, on page 4 :

   Matching is performed using the matching rules specified by
   [RFC2459].  If more than one identity of a given type is present in
   the certificate (e.g., more than one dNSName name, a match in any one
   of the set is considered acceptable.) Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., *.a.com matches foo.a.com but
   not bar.foo.a.com. f*.com matches foo.com but not bar.com.
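The quoted RFC 2818 rule, as an added example that is not Mozilla/NSS code or anything posted in this bug: a label-by-label matcher implementing the "single component or component fragment" rule, beside an illustrative reconstruction of the older "any depth of subdomain" behaviour the bug complains about, so the reported name can be checked against both. It assumes at most one `*` per pattern and compares names case-insensitively.

```python
# Added example (not Mozilla/NSS code): RFC 2818 wildcard matching as quoted
# in this bug, next to the older multi-level behaviour it replaced.

def _label_matches(pattern_label: str, name_label: str) -> bool:
    """Match one DNS label. A '*' matches any run of characters inside this
    single label (so 'f*' matches 'foo') but never a dot, because labels are
    compared one at a time. Assumes at most one '*' per label."""
    if "*" not in pattern_label:
        return pattern_label == name_label
    if pattern_label.count("*") != 1:
        return False
    prefix, suffix = pattern_label.split("*")
    return (len(name_label) >= len(prefix) + len(suffix)
            and name_label.startswith(prefix)
            and name_label.endswith(suffix))


def rfc2818_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 rule: same number of labels, and every label must match."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def legacy_matches(pattern: str, hostname: str) -> bool:
    """The pre-fix behaviour described in the bug: one '*' swallows any text,
    dots included, so '*.glodns.net' covers every depth of subdomain.
    (Illustrative reconstruction, not the original Mozilla implementation.)"""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.count("*") != 1:
        return pattern == hostname
    prefix, suffix = pattern.split("*")
    return (len(hostname) >= len(prefix) + len(suffix)
            and hostname.startswith(prefix)
            and hostname.endswith(suffix))


def cert_covers(dns_names, hostname: str) -> bool:
    """Several dNSName entries cover the host if any one of them matches
    (RFC 2818: 'a match in any one of the set is considered acceptable')."""
    return any(rfc2818_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    reported = "swiftspirit.co.za.plesk01.glodns.net"  # name from the bug report
    for host in ("plesk01.glodns.net", "za.plesk01.glodns.net", reported):
        print(f"{host:40} rfc2818={rfc2818_matches('*.glodns.net', host)!s:6}"
              f"legacy={legacy_matches('*.glodns.net', host)}")
```

Running it shows only `plesk01.glodns.net` passing the RFC 2818 rule, while the legacy matcher accepts all three names.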
I just ran a quick test and I could find no non-Mozilla browser that does not work the way Mozilla does now on the trunk.

I tested IE, Opera, Safari and Chrome.  They all work the same way as the new Mozilla behavior.
OS: Linux → All
Hardware: x86 → All
Summary: wildcard SSL certificate not recognised to match → wildcards in SSL certificates no longer match multiple levels of subdomain
Version: unspecified → 3.0 Branch