Closed Bug 646613 Opened 15 years ago Closed 11 years ago

Firefox fails to recognize multi-level wildcard certificates (such as *.*.org.lu)

Categories: Core :: Security: PSM, defect
Version: 2.0 Branch
Platform: x86_64 Linux
Severity: normal
Priority: Not set
Status: RESOLVED INVALID
Reporter: mozilla (Unassigned)
Attachments: 1 file

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.04 (lucid) Firefox/3.6.15

I've got a wildcard certificate including *.*.org.lu. After installing it on ctest.hitchhiker.org.lu, the browser raises an ssl_error_bad_cert_domain even though it should match (the first * matches ctest, and the second * matches hitchhiker).

Reproducible: Always

Steps to Reproduce:
1. Install CACert.org root certificate
2. Go to https://ctest.hitchhiker.org.lu

Actual Results:
Browser raises an ssl_error_bad_cert_domain

Expected Results:
Certificate should be accepted (the first * matches ctest, and the second * matches hitchhiker)
Startcom issued such a wildcard certificate for org.lu? The domains are owned by different organizations as far as I can see. http://org.lu
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Version: unspecified → 2.0 Branch
The certificate is valid for "www.hitchhiker.org.lu, hitchhiker.org.lu" and not *.*.org.lu. Gecko shows that in the certificate details, http://www.sslshopper.com/ssl-checker.html#hostname=https://ctest.hitchhiker.org.lu/ confirms that, and Opera shows the same warning. Marking invalid.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
What the hell are you talking about? This is a certificate issued by CACert, not StartSSL. And who issued it should be completely irrelevant to the issue anyways, this here is about an issue in Firefox, not about which certification authorities will or will not issue multi-level wildcard certificates. You're right, Opera seems to have the same issue, but other browsers such as lynx don't.
Status: RESOLVED → VERIFIED
Status: VERIFIED → UNCONFIRMED
Resolution: INVALID → ---
That address used yesterday a startcom free certificate! It's now a different cacert certificate that claims to be valid for "me.hitchhiker.org.lu, *.org.lu, *.*.org.lu" and the reject reason is "Error code: sec_error_unknown_issuer" because Cacert is not trusted by Mozilla. Adding an exception makes this work, but I don't know if that overrides both errors or only one (issuer unknown and domain mismatch).
Attached image Screenshot: SSL Check
Here's a screenshot of running SSLCheck on that certificate. Based on this, I think Firefox's behaviour is expected.
http://tools.ietf.org/html/rfc6125#section-6.4.3: 1. The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago → 11 years ago
Resolution: --- → INVALID
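To make the RFC 6125 section 6.4.3 rule quoted in the last comment concrete, here is a small DNS-ID matcher that applies it to the names from this bug. This is an added example, not code from the bug or from Mozilla's PSM/NSS; the hostnames and SAN lists below are constructed for illustration. Two policy choices in it go beyond the RFC text and are labelled as assumptions: partial wildcards such as baz*.example.net (which the RFC only says a client MAY match) are rejected, and a wildcard must be followed by at least two labels so that *.lu cannot cover a whole TLD.

```python
"""Hostname matching per RFC 6125 section 6.4.3 (added example, not PSM code)."""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels; tolerate a trailing dot."""
    labels = name.rstrip(".").lower().split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def match_dns_id(presented: str, reference: str, *,
                 min_labels_after_wildcard: int = 2) -> bool:
    """True if the certificate's `presented` identifier covers `reference`.

    RFC 6125 section 6.4.3 rules:
      1. A wildcard is honoured only in the left-most label, so *.*.org.lu
         and bar.*.example.net never match anything.
      2. A bare "*" label matches exactly one label of the reference, so
         *.org.lu covers hitchhiker.org.lu but not ctest.hitchhiker.org.lu
         and not org.lu itself.
      3. A partial wildcard (baz*.example.net) MAY be matched; this code
         rejects it (assumption: conservative policy, not RFC text).
    The `min_labels_after_wildcard` floor (rejecting *.lu) is likewise an
    added hardening assumption, not an RFC 6125 requirement.
    """
    try:
        p = _labels(presented)
        r = _labels(reference)
    except ValueError:
        return False

    # The reference identifier is the name the user typed; it never carries
    # a wildcard, and a "*" in it must not be allowed to match anything.
    if any("*" in label for label in r):
        return False

    # Rule 1: a wildcard in any label other than the left-most one -> no match.
    if any("*" in label for label in p[1:]):
        return False

    if "*" not in p[0]:
        return p == r  # no wildcard at all: exact label-by-label comparison

    if p[0] != "*":
        return False  # partial wildcard (rule 3) rejected by policy (assumption)

    if len(p) - 1 < min_labels_after_wildcard:
        return False  # *.lu or *.com would be far too broad (assumption)

    # Rule 2: the wildcard consumes exactly one label; the tails must be equal.
    return len(p) == len(r) and p[1:] == r[1:]


def covering_name(presented_names: list[str], reference: str) -> str | None:
    """Return the first SAN/CN entry that covers `reference`, else None.

    None is the situation Firefox reports as ssl_error_bad_cert_domain.
    """
    for name in presented_names:
        if match_dns_id(name, reference):
            return name
    return None


if __name__ == "__main__":
    # Constructed SAN list mirroring the certificate described in this bug.
    bug_cert = ["me.hitchhiker.org.lu", "*.org.lu", "*.*.org.lu"]
    print(covering_name(bug_cert, "ctest.hitchhiker.org.lu"))  # None
    # What a CA would have to issue for that host to validate.
    print(covering_name(["*.hitchhiker.org.lu"], "ctest.hitchhiker.org.lu"))
```

The decisive line is rule 1: `*.*.org.lu` fails before any label comparison happens, because its second label is a wildcard. `*.org.lu` then fails on rule 2, since it has three labels and `ctest.hitchhiker.org.lu` has four, which is exactly why the reporter's "first * matches ctest, second * matches hitchhiker" reading is not what validators implement.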