Closed
Bug 646613
Opened 15 years ago
Closed 11 years ago
Firefox fails to recognize multi-level wildcard certificates (such as *.*.org.lu)
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
INVALID
People
(Reporter: mozilla, Unassigned)
References
()
Details
Attachments
(1 file)
190.35 KB, image/png
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
I've got a wildcard certificate including *.*.org.lu.
After installing it on ctest.hitchhiker.org.lu, the browser raises an ssl_error_bad_cert_domain even though it should match (the first * matches ctest, and the second * matches hitchhiker).
Reproducible: Always
Steps to Reproduce:
1. Install CACert.org root certificate
2. Go to https://ctest.hitchhiker.org.lu
Actual Results:
Browser raises an ssl_error_bad_cert_domain
Expected Results:
Certificate should be accepted (the first * matches ctest, and the second * matches hitchhiker)
Comment 1•15 years ago
StartCom issued such a wildcard certificate for org.lu?
The domains are owned by different organizations as far as I can see.
http://org.lu
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Version: unspecified → 2.0 Branch
Comment 2•15 years ago
The certificate is valid for "www.hitchhiker.org.lu, hitchhiker.org.lu"
and not *.*.org.lu.
Gecko shows that in the certificate details, http://www.sslshopper.com/ssl-checker.html#hostname=https://ctest.hitchhiker.org.lu/ confirms that and Opera shows the same warning.
Marking invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
Reporter
Comment 3•15 years ago
What the hell are you talking about? This is a certificate issued by CACert, not StartSSL.
And who issued it should be completely irrelevant to the issue anyways, this here is about an issue in Firefox, not about which certification authorities will or will not issue multi-level wildcard certificates.
You're right, Opera seems to have the same issue, but other browsers such as lynx don't.
Status: RESOLVED → VERIFIED
Reporter
Updated•15 years ago
|
Status: VERIFIED → UNCONFIRMED
Resolution: INVALID → ---
Comment 4•15 years ago
That address used a StartCom free certificate yesterday!
It's now a different CAcert certificate that claims to be valid for "me.hitchhiker.org.lu, *.org.lu, *.*.org.lu".
And the reject reason is "Error code: sec_error_unknown_issuer" because CAcert is not trusted by Mozilla. Adding an exception makes this work, but I don't know if that overrides both errors or only one (issuer unknown and domain mismatch).
Here's a screenshot of running SSLCheck on that certificate. Based on this, I think Firefox's behaviour is expected.
Comment 6•11 years ago
http://tools.ietf.org/html/rfc6125#section-6.4.3:
1. The client SHOULD NOT attempt to match a presented identifier in
which the wildcard character comprises a label other than the
left-most label (e.g., do not match bar.*.example.net).
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago → 11 years ago
Resolution: --- → INVALID
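The RFC 6125 rule quoted in comment 6, worked through in code as an added example (this is not Firefox/NSS code and not from the bug's attachments): a small hostname matcher that accepts a wildcard only when it is the entire left-most label and only for exactly one label, then runs the presented identifiers from comment 4 against the hostnames in this bug. Two choices here are assumptions rather than RFC text: partial-label wildcards (`baz*.example.net`, which RFC 6125 says a client MAY match) are rejected, and a wildcard needs at least two labels to its right so `*.lu` never matches anything.

```python
"""RFC 6125 section 6.4.3 style wildcard matching (added example, not NSS code)."""


def _split_labels(name: str) -> list[str]:
    """Normalise a DNS name: case-fold, drop a trailing dot, split into labels."""
    name = name.strip().lower().rstrip(".")
    if not name:
        raise ValueError("empty name")
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def matches_presented_id(presented: str, reference: str) -> bool:
    """Return True if certificate identifier `presented` (a dNSName SAN or CN)
    matches the hostname `reference` the client actually connected to."""
    p_labels = _split_labels(presented)
    r_labels = _split_labels(reference)

    if "*" not in presented:
        # No wildcard: labels must be identical (case-insensitive).
        return p_labels == r_labels

    # RFC 6125 6.4.3 rule 1: a wildcard is only allowed in the left-most
    # label, so bar.*.example.net and *.*.org.lu are never matched.
    if any("*" in label for label in p_labels[1:]):
        return False

    # Assumption (stricter than RFC 6125's MAY): the wildcard must be the
    # whole left-most label; partial labels such as baz*.example.net are rejected.
    if p_labels[0] != "*":
        return False

    # Assumption: require at least two labels right of the wildcard so a
    # certificate for *.lu or *.com never matches a whole TLD.
    if len(p_labels) < 3:
        return False

    # RFC 6125 6.4.3 rule 2: the wildcard matches exactly one label, so
    # *.org.lu does not match ctest.hitchhiker.org.lu (two labels left of org.lu).
    if len(r_labels) != len(p_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def find_matching_ids(presented_ids: list[str], reference: str) -> list[str]:
    """Return every presented identifier that matches `reference`."""
    return [pid for pid in presented_ids if matches_presented_id(pid, reference)]


# Identifiers as listed in comment 4 for the CAcert certificate.
CACERT_PRESENTED_IDS = ["me.hitchhiker.org.lu", "*.org.lu", "*.*.org.lu"]


if __name__ == "__main__":
    for host in ("ctest.hitchhiker.org.lu", "hitchhiker.org.lu", "me.hitchhiker.org.lu"):
        print(f"{host:26} -> {find_matching_ids(CACERT_PRESENTED_IDS, host)}")
```

Running the demo shows why the reporter's expectation fails under the RFC: for `ctest.hitchhiker.org.lu` no identifier matches, because `*.*.org.lu` has a wildcard outside the left-most label and `*.org.lu` would have to cover two labels. A production validator also consults the public suffix list so that `*.org.lu` is refused when `org.lu` is a registry-controlled suffix, which is the concern raised in comment 1; that check is out of scope for this example.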