Closed Bug 512251 Opened 15 years ago Closed 15 years ago

SSL wildcard no longer possible

Categories

(Thunderbird :: Security, defect)

Platform: x86
OS: Windows XP
Type: defect
Priority: Not set
Severity: normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 511921

People

(Reporter: phyre, Unassigned)

Details

(Keywords: regression)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Build Identifier: 2.0.0.23 (20090812)

With the 2.0.0.23 version upgrade, a certificate with a wildcard that is explicitly accepted is no longer possible.

CN = *

<-- the above CN is used on a large number of mail servers that accept mail for countless domains on the same IP address.  This allows mail.yourdomain.com to work for hosting providers.  Public signers generally do not issue these (favouring instead *.yourdomain.com), however for the few users that use self-signed certificates, a wildcard certificate provides encryption and security and the authentication is provided by accepting and installing the certificate the first time.

The error message now is that 'mail.yourdomain.com' does not match '*' for the CommonName.

The asterisk should be treated as a wildcard.  The bug fixed recently stops "*\0.yourdomain.com"; however, having a NULL character in a CommonName is very different from disabling the use of wildcards entirely.


Reproducible: Always

Steps to Reproduce:
Make an IMAP or SMTP server with a certificate with a common name of '*'.  Try to connect via IMAP/SMTP.  Not tested with POP3, but assumed to be present as well.
Actual Results:  
An error message appears advising that the certificate is not valid for the site and allowing you to view the certificate, OK it, or cancel.  If OK'd, it does not remember the choice and prompts every time Thunderbird is started.

Expected Results:  
It should allow the certificate -OR- should prompt once to provide added security and recall the choice.

A bug fix that looks to have broken a very common practice.
Please see the discussion on bug 511921. Although that currently specifies dreamhost it should apply to all SSL certificates of the wildcard style I believe.
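The CommonName-versus-hostname matching that the report is about, written out as an added example. This is not code from the bug report, from Thunderbird or from NSS; it models the two behaviours the reporter describes (a bare `*` CN no longer matches anything, and a NUL byte such as in `*\0.yourdomain.com` is rejected) and fills in the usual single-leftmost-label wildcard rules as an assumption. The `legacy_cn_matches_host` function is likewise a simplified model of the behaviour the reporter relied on, not Thunderbird's earlier code; it shows why a C-string view of the name turns a NUL-prefixed CN into a match-everything certificate.

```python
# Added example: CommonName vs. hostname matching (not NSS/Thunderbird code).
# The hardened matcher models what the bug report describes; the remaining
# single-label wildcard rules are the common practice assumed here.


def _normalise(name: str) -> list[str]:
    """Lower-case the name, drop a trailing dot and split it into DNS labels."""
    return name.lower().rstrip(".").split(".")


def cn_matches_host(cn: str, host: str) -> bool:
    """Hardened matching: a NUL byte anywhere in the CN fails the check, a bare
    '*' matches nothing, and a wildcard is accepted only as the entire leftmost
    label covering exactly one non-empty label of the host."""
    if "\0" in cn or not cn or not host:
        return False  # "*\0.yourdomain.com"-style names are refused outright
    cn_labels, host_labels = _normalise(cn), _normalise(host)
    if "*" not in cn:
        return cn_labels == host_labels  # plain CN: exact, case-insensitive match
    # The wildcard must be the whole leftmost label and appear nowhere else.
    if cn_labels[0] != "*" or any("*" in lbl for lbl in cn_labels[1:]):
        return False
    # At least two labels must follow it, so "*" and "*.com" are rejected.
    if len(cn_labels) < 3:
        return False
    # "*" stands for exactly one label: "yourdomain.com" itself and
    # "imap.mail.yourdomain.com" do not match "*.yourdomain.com".
    if len(host_labels) != len(cn_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == cn_labels[1:]


def as_c_string(name: str) -> str:
    """What a consumer that treats the certificate name as a C string sees:
    everything from the first NUL byte onward disappears."""
    return name.split("\0", 1)[0]


def legacy_cn_matches_host(cn: str, host: str) -> bool:
    """Simplified model (an assumption, not Thunderbird's old code) of the
    behaviour the reporter relied on: the name is read as a C string and a
    bare '*' matches every host. Combined, "*\0.yourdomain.com" matches
    everything, which is the hole the 2.0.0.23 fix closed."""
    cn = as_c_string(cn)
    if cn == "*":
        return True
    return cn_matches_host(cn, host)


def verdict(cn: str, host: str) -> str:
    """Human-readable result in the shape of the dialog the reporter quotes."""
    if cn_matches_host(cn, host):
        return f"'{host}' matches '{cn}' for the CommonName"
    return f"'{host}' does not match '{cn}' for the CommonName"


if __name__ == "__main__":
    # Constructed sample CNs and hostnames, including the reporter's bare "*".
    cases = [
        ("*", "mail.yourdomain.com"),
        ("*.yourdomain.com", "mail.yourdomain.com"),
        ("*.yourdomain.com", "yourdomain.com"),
        ("*\0.yourdomain.com", "mail.yourdomain.com"),
    ]
    for cn, host in cases:
        print(f"{verdict(cn, host)}  (legacy model: {legacy_cn_matches_host(cn, host)})")
```

The hardened matcher is what makes the reporter's bare-`*` certificate fail while a `*.yourdomain.com` certificate keeps working; the legacy model shows that the same C-string truncation that let `*` stand in for any host would also let `*\0.yourdomain.com` do so.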

If you think this isn't a duplicate, please reopen with an explanation of why.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Keywords: regression