Bug 540547
Opened 14 years ago
Closed 14 years ago
SSL/TLS - SNI sometimes stops working, results in a "Untrusted connection" warning
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 450280
People
(Reporter: niobos, Unassigned)
Details
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7

When surfing on an HTTPS site that uses SNI (Server Name Identification, a means to allow vhosts on SSL/TLS), I sometimes get an "untrusted connection" warning. This happens randomly during the browsing session on the same HTTPS site without an obvious trigger. Refreshing the page or re-entering the URL doesn't solve the problem; restarting FF does.

To narrow down the problem, I made a PCAP dump of the behavior. When the site is "untrusted", I notice that FF sends an SSLv2 Client Hello. Since SSLv2 doesn't support SNI, the connection obviously becomes "untrusted", since the server returns the default, wrong, certificate. After restarting FF, the same site gets a TLSv1 Client Hello, with SNI extension.

I'm not sure if this is a bug in FF or in an underlying library. Probably the underlying bug is already reported, but because I couldn't find anything SNI-related, I decided to report it anyway.

Reproducible: Sometimes

Steps to Reproduce:
1. Surf to an HTTPS site that requires SNI
2. Keep browsing that same site
3. (optional) Be patient

Actual Results:
4. Observe that suddenly the connection is "Untrusted"
5a. Accept the security exception and browse on
5b. Restart Firefox and browse on
5c. Try to get SNI back to work. I haven't been able to do this; I tried reloading the page and re-entering the URL.

Expected Results:
Nothing special. The connection should just remain TLS-secured with SNI enabled, without any warnings.

If useful, I can post the (anonymized) PCAP files. Since I guess that the underlying bug is already reported, I'm not doing so at this moment.
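The distinction the reporter drew from the capture (an SSLv2-format Client Hello has fixed fields only and no place for a server_name extension, whereas a TLS Client Hello can carry one) can be checked mechanically on the first bytes a client sends. The script below is an added example and not part of the original report or of Firefox/NSS: it constructs one hello of each kind (constructed sample data, not taken from the reporter's PCAP; the hostname "vhost.example" is a placeholder) and classifies a raw hello as SSLv2 or TLS, extracting the SNI host_name when one is present.

```python
"""Classify a raw SSL/TLS ClientHello and extract its SNI, if any.

Added example; not code from the bug report. The sample hellos are
constructed here, and "vhost.example" is a placeholder hostname.
"""
import os
import struct
from typing import Optional, Tuple


def build_tls_client_hello(server_name: Optional[str], version: bytes = b"\x03\x01") -> bytes:
    """Build a minimal TLS 1.0 ClientHello, with a server_name extension if requested."""
    cipher_suites = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_128_CBC_SHA, _256_CBC_SHA
    body = (
        version
        + os.urandom(32)                                       # ClientHello.random
        + b"\x00"                                              # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                          # one compression method: null
    )
    if server_name is not None:
        # server_name extension: ServerNameList with one host_name entry (RFC 6066)
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def build_sslv2_client_hello(version: bytes = b"\x03\x01") -> bytes:
    """Build an SSLv2-format CLIENT-HELLO as legacy clients sent it.

    The message consists of fixed fields only (cipher specs, session id,
    challenge); there is no extension block, so a server name cannot be carried.
    """
    cipher_specs = b"\x00\x00\x2f\x00\x00\x35"   # 3-byte SSLv2 encodings of the TLS suites
    challenge = os.urandom(16)
    body = (
        b"\x01"                                                 # msg type CLIENT-HELLO
        + version                                               # highest version offered
        + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
        + cipher_specs + challenge
    )
    # 2-byte SSLv2 record header: high bit set, 15-bit length, no padding
    return struct.pack("!H", 0x8000 | len(body)) + body


def classify_client_hello(data: bytes) -> Tuple[str, Optional[str]]:
    """Return ("sslv2", None) or ("tls", host_name_or_None) for a captured hello.

    Raises ValueError if the bytes are not a ClientHello in either format.
    """
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2", None      # SSLv2 record + CLIENT-HELLO: no extensions possible
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 9 + 2 + 32              # record hdr(5) + handshake hdr(4) + version + random
    pos += 1 + data[pos]          # session_id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + data[pos]          # compression_methods
    if pos >= len(data):
        return "tls", None        # ClientHello without an extensions block
    ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:    # server_name
            p = pos + 2           # skip ServerNameList length
            while p + 3 <= pos + ext_len:
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:
                    return "tls", data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        pos += ext_len
    return "tls", None


if __name__ == "__main__":
    print(classify_client_hello(build_tls_client_hello("vhost.example")))
    print(classify_client_hello(build_tls_client_hello(None)))
    print(classify_client_hello(build_sslv2_client_hello()))
```

To apply this to a real capture, carve the first TCP payload the client sends on port 443 (for example with tcpdump's hex output or a PCAP library) and pass those bytes to classify_client_hello; a result of "sslv2" on a vhost that needs SNI explains a default-certificate mismatch exactly as the reporter describes.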
Comment 1•14 years ago
bug 450280 ?
Reporter
Comment 2•14 years ago
(In reply to comment #1)
> bug 450280 ?

I don't know why that didn't show up in my searches; possibly because I was looking at FF, not at Core bugs.