Closed Bug 669124 Opened 13 years ago Closed 8 years ago

Domain Mismatch Exception for more than 1 pairing

Categories

(Thunderbird :: Security, defect)

All
Other
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 528922

People

(Reporter: samuel.wang, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build ID: 20110429093851

Steps to reproduce:

Configured TB to send and retrieve emails via Outlook Web Access (OWA). Emails are sent through port 25, with STARTTLS as Connection Security and using normal passwords for authentication.
OWA runs on a load balancer (i.e. >= 2 Exchange servers).


Actual results:

Security Error keeps popping up even though I click on "Confirm Security Exception".
Further investigation seems to show that the Domain Mismatch is only applicable to 1 pairing (e.g. webmail.me.apac.com - hub1.me.apac.com).
If the certificate is served from another Exchange server (e.g. hub2.me.apac.com), the Security Error window will pop up again.
Upon clicking on "Confirm Security Exception", the pairing will switch over to the new Exchange server, resulting in another Security Exception error when the certificate is served by the other Exchange server.



Expected results:

Allowance for more than one domain mismatch pairing, so that more than 1 Exchange server could supply certificates for OWA access without security errors.
Is your certificate having wildcards or are these SSL certs machine specific?
(In reply to comment #1)
> Is your certificate having wildcards or are these ssl certs machine specific
> ?

The certificates are machine specific
Then I think we are doing the right thing and not letting users compromise their security. But I'm not the expert.
(In reply to Ludovic Hirlimann [:Usul] from comment #3)
> Then I think we are doing the right thing and not letting users compromise
> their security. But I'm not the expert.

Magnus, do you agree?
Flags: needinfo?(mkmelin+mozilla)
I think in general it's not a completely invalid configuration, just a bad one, that is common due to clustering. It would be safer if we allowed more than one exception per host... at least then you'd notice in case something really bad happens. Now you just click through it by habit.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(mkmelin+mozilla)
Resolution: --- → DUPLICATE
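
The behaviour discussed in this bug, as an added example that is not part of the original report or of Thunderbird's code: a small model comparing an exception store that keeps one certificate per host:port with one that keeps several. The class names, the `replay` helper and the fingerprint labels are hypothetical; only the host names and the port come from the report.

```javascript
// Model of per-host certificate exception storage (illustrative only;
// these classes are hypothetical and are not Thunderbird APIs).

// Keeps ONE accepted fingerprint per host:port; confirming replaces it.
class SingleOverrideStore {
  constructor() { this.map = new Map(); }
  isTrusted(hostPort, fp) { return this.map.get(hostPort) === fp; }
  confirm(hostPort, fp) { this.map.set(hostPort, fp); }
}

// Keeps a SET of accepted fingerprints per host:port.
class MultiOverrideStore {
  constructor() { this.map = new Map(); }
  isTrusted(hostPort, fp) { return this.map.get(hostPort)?.has(fp) ?? false; }
  confirm(hostPort, fp) {
    if (!this.map.has(hostPort)) this.map.set(hostPort, new Set());
    this.map.get(hostPort).add(fp);
  }
}

// Replays a sequence of served certificates against a store. Every prompt is
// confirmed, modelling a user who clicks "Confirm Security Exception" each time.
// Returns the indices of the connections that raised a prompt.
function replay(store, hostPort, servedFingerprints) {
  const prompts = [];
  servedFingerprints.forEach((fp, i) => {
    if (!store.isTrusted(hostPort, fp)) {
      prompts.push(i);
      store.confirm(hostPort, fp);
    }
  });
  return prompts;
}

// Constructed sample: the load balancer alternates between the hub1 and hub2
// certificates, then a certificate nobody has seen before is served.
const HOST = "webmail.me.apac.com:25";
const SERVED = ["fp-hub1", "fp-hub2", "fp-hub1", "fp-hub2", "fp-hub1", "fp-unknown"];

console.log("single:", replay(new SingleOverrideStore(), HOST, SERVED));
console.log("multi: ", replay(new MultiOverrideStore(), HOST, SERVED));
```

With one exception per host every connection after a backend switch prompts, so the unknown certificate is indistinguishable from routine noise; with several, it is the only prompt after the two backends are learned.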