Closed Bug 540547 Opened 14 years ago Closed 14 years ago

SSL/TLS - SNI sometimes stops working, results in a "Untrusted connection" warning

Categories

(Firefox :: Security, defect)

Product:
Firefox
Component:
Security
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 450280

People

(Reporter: niobos, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7

When surfing on a HTTPS site that uses SNI (Server Name Identification, a means to allow vhosts on SSL/TLS), I sometimes get a "untrusted connection" warning. This happens randomly during the browsing session on the same HTTPS-site without an obvious trigger. Refreshing the page or re-entering the URL doesn't solve the problem; restarting FF does.

To narrow down the problem, I made a PCAP dump of the behavior. When the site is "untrusted", I notice that FF sends an SSLv2 Client Hello. Since SSLv2 doesn't support SNI, the connection obviously becomes "untrusted" since the server returns the default, wrong, certificate. After restarting FF, the same site gets an TLSv1 Client Hello, with SNI extension.

I'm not sure if this is a bug in FF or in an underlying library.
Probably the underlying bug is already reported, but because I couldn't find anything SNI-related, I decided to report it anyway.

Reproducible: Sometimes

Steps to Reproduce:
1. Surf to a HTTPS site that requires SNI
2. Keep browsing that same site
3. (optional) Be patient
Actual Results:  
4. Observe that suddenly the connection is "Untrusted"
5a. Accept the security exception and browse on
5b. Restart firefox and browse on
5c. Try to get SNI back to work. I haven't been able to do this, I tried: reloading the page and re-entering the URL 

Expected Results:  
Nothing special. The connection should just remain TLS-secured with SNI enabled, without any warnings.

If useful, I can post the (anonymized) PCAP files. Since I guess that the underlying bug is already reported, I'm not doing so at this moment.
bug 450280 ?
(In reply to comment #1)
> bug 450280 ?

I don't know why that didn't show up in my searches; possibly because I was looking at FF, not at Core-bugs.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Depends on: 450280
Resolution: --- → DUPLICATE
No longer depends on: 450280
You need to log in before you can comment on or make changes to this bug.