mozilla.org sites should use an SSL certificate with a subjectAltName

RESOLVED FIXED

Status

mozilla.org Graveyard
Server Operations: Projects
RESOLVED FIXED
8 years ago
3 years ago

People

(Reporter: Matt McCutchen, Assigned: mrz)

Tracking

(Blocks: 1 bug)

Details

(Reporter)

Description

8 years ago
The wildcard SSL certificate currently being used by www.mozilla.org, bugzilla.mozilla.org, and other sites does not have a subjectAltName but instead puts the domain name in the common name, a legacy practice according to RFC 2818:

http://tools.ietf.org/html/rfc2818#section-3.1

Bug 552346 would change NSS not to honor domain names in the common name.  So the certificate should be replaced with one with a proper subjectAltName when practical.

There's some previous discussion starting with bug 515963 comment #2.
Sorta-dupe of bug 398923.
(Assignee)

Comment 2

8 years ago
Are you asking for a wildcard cert that instantiates all the domains under it as SANs?  Is that done in the wild?  Doesn't that defeat the whole wildcard purpose (right now I'd have to go back to GeoTrust and re-issue the cert for any SAN entry)?
Assignee: server-ops → mrz
(In reply to comment #2)
> Are you asking for a wildcard cert that instantiates all the domains under it
> as SANs?  Is that done in the wild?  Doesn't that defeat the whole wildcard
> purpose (right now I'd have to go back to GeoTrust and re-issue the cert for
> any SAN entry)?

No, he's asking for a certificate with subjectAltName of "DNS:*.mozilla.org" (basically, the subjectAltName X.509 v3 extension should always be present with a dNSName that includes the CN).

However, you really want one that has a subjectAltName of "DNS:*.mozilla.org,DNS:mozilla.org" so that both *.mozilla.org and mozilla.org work under one certificate (which would take care of bug 398923).
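The distinction comment 3 draws (a subjectAltName with `DNS:*.mozilla.org` alone covers `www.mozilla.org` but not the bare `mozilla.org`, and the CN is only consulted when no SAN is present) can be checked mechanically. The following is an added example, not code from this bug or from Mozilla/NSS; it implements the RFC 2818 section 3.1 rule (CN fallback only when the certificate carries no dNSName SANs) together with the single-label wildcard rule of RFC 6125, over constructed certificate descriptions rather than real mozilla.org certificates. The function and variable names are assumptions of this example.

```python
# Added example: hostname matching against a certificate's dNSName SANs with
# the legacy CN fallback of RFC 2818 s3.1. Certificate descriptions below are
# constructed for illustration; they are not the real mozilla.org certificates.


def _name_matches(pattern, hostname):
    """Match one dNSName pattern against a hostname.

    A '*' is honoured only as the entire leftmost label and matches exactly
    one label (RFC 6125 s6.4.3), so '*.mozilla.org' matches 'www.mozilla.org'
    but neither 'mozilla.org' nor 'a.b.mozilla.org'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse '*' and '*.tld': a wildcard needs at least two fixed labels.
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial-label wildcards (e.g. 'www*.mozilla.org') rejected
    return p_labels == h_labels


def matches_hostname(hostname, san_dnsnames, common_name):
    """Return (matched, source) for a hostname against a certificate.

    san_dnsnames: list of dNSName entries from subjectAltName (may be empty).
    common_name:  the subject CN, used only when there are no dNSName SANs.
    """
    if san_dnsnames:
        # SAN present: the CN is ignored entirely, even if it would match.
        for name in san_dnsnames:
            if _name_matches(name, hostname):
                return True, "subjectAltName"
        return False, None
    # Legacy fallback: CN consulted only because no SAN dNSName exists.
    if common_name and _name_matches(common_name, hostname):
        return True, "commonName (legacy)"
    return False, None


# Constructed certificate descriptions (hypothetical, for this example only).
CERTS = {
    # The situation the bug reports: wildcard in CN, no subjectAltName.
    "cn_only": {"cn": "*.mozilla.org", "san": []},
    # SAN present but wildcard only: bare 'mozilla.org' is not covered.
    "san_wildcard": {"cn": "*.mozilla.org", "san": ["*.mozilla.org"]},
    # What comment 3 recommends: wildcard plus the bare domain.
    "san_both": {"cn": "*.mozilla.org", "san": ["*.mozilla.org", "mozilla.org"]},
}


def coverage(cert_key, hostnames):
    """Map each hostname to the matching source ('subjectAltName',
    'commonName (legacy)') or None for the named constructed certificate."""
    cert = CERTS[cert_key]
    result = {}
    for host in hostnames:
        matched, source = matches_hostname(host, cert["san"], cert["cn"])
        result[host] = source if matched else None
    return result


if __name__ == "__main__":
    hosts = ["www.mozilla.org", "bugzilla.mozilla.org", "mozilla.org", "a.b.mozilla.org"]
    for key in CERTS:
        print(key)
        for host, source in coverage(key, hosts).items():
            print(f"  {host:24} -> {source}")
```

Running it shows the "cn_only" certificate working only through the legacy CN path, the "san_wildcard" certificate rejecting the bare domain, and the "san_both" certificate covering both, which is why the SAN with both entries also resolves the bare-domain case the thread refers to.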
(Assignee)

Comment 4

8 years ago
We did this for getpersonas.com with a "True BusinessID" cert from geotrust.  I feel like that was a DV cert - I recall it being a lot less expensive than the Premium version.
(Assignee)

Comment 5

8 years ago
This is currently a wontfix because the existing cert works and the SAN cert through geotrust is DV and no one's commented since the 20th.

Is there real value in finding a new cert authority to do this?
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 6

8 years ago
(In reply to comment #5)
> This is currently a wontfix because the existing cert works and the SAN cert
> through geotrust is DV and no one's commented since the 20th.

What comment were you seeking?

> Is there real value in finding a new cert authority to do this?

Yes!  Putting the SSL server name in the subject common name is deprecated, and Nelson Bolyard wants to eventually remove support for it from NSS (bug 552346).  That will take a lot of evangelization, and the obvious place to start is with mozilla.org itself.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
(Assignee)

Comment 7

8 years ago
So no objections with a DV cert?  Reed's always quick to chastise when I go DV vs. OV.
(Reporter)

Comment 8

8 years ago
None from me.  IMO, DV is the technical essence of SSL and OV/EV is a distraction that doesn't always add as much security as people think.
(In reply to comment #7)
> So no objections with a DV cert?  Reed's always quick to chastise when I go DV
> vs. OV.

If getpersonas.com is DV and *.mozilla.org is OV, there's very little difference (if any) that I can see, so I'm fine with it.
(Assignee)

Updated

8 years ago
Component: Server Operations → Server Operations: Projects
The current *.mozilla.org from Equifax expires on the 02/12/2011, I want to make sure this subject isn't forgotten when renewing.

The current getpersonas.com certificate:
- is from the exact same Equifax root CA as the *.mozilla.org cert
- Equifax and Geotrust are the same entity. New certificates will be issued under a Geotrust named root CA, since the Equifax one is deprecated (it was a 1024 bit root)
- it has the correct SAN as needed
- Contains this in the subject "O = Mozilla Corporation, L = Mountain View, ST = California", so I hope it's OV, or else we have some talking to do to Geotrust about not including inside DV certificates values that are *not* validated.

So "just the same as what getpersonas.com uses" is a perfect, no question choice for the next *.mozilla.org cert, and I really hope this will not be forgotten before renewing for two more years next December.

Also:
- "True BusinessID" is cheap but is OV, they include your company name in their seal
- It also allows you to reissue your certificate with added SAN at any time. This could be an alternative to a * certificate.
(Assignee)

Comment 11

7 years ago
Closing.  We're moving away from wildcard certificates.  These will all be addressed as the *.mozilla.org cert rolls off.  Being tracked elsewhere with renewal bugs.
Status: REOPENED → RESOLVED
Last Resolved: 8 years ago → 7 years ago
Resolution: --- → FIXED
Product: mozilla.org → mozilla.org Graveyard