Firefox doesn't use certificate name mismatch as cue to lookup DNS record
5 years ago
a year ago


(Reporter: gene, Unassigned)
Firefox Tracking Flags

(Not tracked)
(Whiteboard: [lame-network], [dns] [necko-backlog])
5 years ago
Steps to reproduce:
1. Browse to an https site hosted in Amazon Web Services using their Elastic Load Balancers, e.g.
2. Leave your browser open long enough that AWS swaps out the ELB IPs being used either due to a scaling event or in the normal course of churn in their ELB farms
3. Again, browse to the same page or refresh the page.
4. Firefox will attempt a connection again to the same IP address it used before and has cached internally. Though the original ELBs that mapped to the service you intended to access were retired, enough time has passed that the IPs have been re-used and are now pointing at different ELBs serving some other customer's website.
5. Firefox will display a certificate security error because it thinks it's talking to the original site (in our example) but it's actually talking to new ELBs with a new site, and that site's certificate (e.g.

Currently, in other scenarios, when Firefox attempts to connect to a site that you've already browsed to, and it uses its cached IP address to do so, and it has a connection problem, it attempts to re-lookup the DNS name in case the DNS name now points to a different IP.

It would be great if another cue to inspire Firefox to re-lookup the DNS name, in the same style as the one when there is a connection failure, would be a certificate security issue involving a name mismatch.

This would address situations where cloud service providers move customers around in their IP space and Firefox doesn't notice and tries to use internally cached DNS address lookups.
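The policy the report asks for, written out as an added example (this is not Firefox's or Necko's code): a small client keeps a per-host DNS cache, and treats a TLS hostname mismatch exactly like a transport failure, dropping the cached IP and resolving the name once more before retrying. The DNS server, the load-balancer pool, the IP addresses in 203.0.113.0/24 and the two site names are all constructed stand-ins so the scenario runs offline; real code would derive `HostnameMismatch` from `ssl.SSLCertVerificationError`. Note the defensive detail in `connect`: if the fresh lookup returns the same IP, the mismatch is not IP churn and the original error is raised unchanged, so a genuine misconfiguration or interception is never papered over by the retry.

```python
"""Constructed example: DNS cache that is invalidated on connection failure
OR TLS hostname mismatch, then re-resolved at most once before retrying."""

from typing import Callable, Dict, List

Resolver = Callable[[str], str]          # host -> ip
Connector = Callable[[str, str], str]    # (host, ip) -> connection handle


class ConnectFailed(OSError):
    """Transport-level failure (refused, timeout) for the cached IP."""


class HostnameMismatch(Exception):
    """Peer's certificate does not cover the requested host name.
    (Real code would map ssl.SSLCertVerificationError onto this.)"""


class CachingClient:
    """Keeps the last resolved IP per host, like a browser's DNS cache."""

    def __init__(self, resolver: Resolver, connector: Connector) -> None:
        self.resolver = resolver
        self.connector = connector
        self.cache: Dict[str, str] = {}
        self.log: List[str] = []

    def _lookup(self, host: str, force: bool = False) -> str:
        if force or host not in self.cache:
            self.cache[host] = self.resolver(host)
            self.log.append(f"resolve {host} -> {self.cache[host]}")
        return self.cache[host]

    def connect(self, host: str) -> str:
        ip = self._lookup(host)
        try:
            return self.connector(host, ip)
        except (ConnectFailed, HostnameMismatch) as err:
            # Both cues mean "the cached IP may be stale": refresh DNS once.
            self.log.append(f"{type(err).__name__} on {ip}; re-resolving {host}")
            new_ip = self._lookup(host, force=True)
            if new_ip == ip:
                raise  # DNS did not change: surface the real error, do not loop
            return self.connector(host, new_ip)  # a second failure propagates


class FakeCloud:
    """Constructed DNS + load-balancer pool; IPs are documentation addresses."""

    def __init__(self) -> None:
        self.dns = {"shop.example": "203.0.113.10"}
        self.elb = {"203.0.113.10": "shop.example"}  # ip -> site whose cert it serves
        self.resolve_calls = 0

    def resolve(self, host: str) -> str:
        self.resolve_calls += 1
        return self.dns[host]

    def connect(self, host: str, ip: str) -> str:
        site = self.elb.get(ip)
        if site is None:
            raise ConnectFailed(f"{ip}: connection refused")
        if site != host:
            raise HostnameMismatch(f"{ip} presented a certificate for {site}, wanted {host}")
        return f"tls://{host}@{ip}"

    def churn(self) -> None:
        """The provider retires the ELB and later reuses its IP for another customer."""
        self.dns["shop.example"] = "203.0.113.20"
        self.elb["203.0.113.20"] = "shop.example"
        self.elb["203.0.113.10"] = "other-customer.example"


def run_churn_scenario():
    """Steps 1-5 of the report, with the proposed re-lookup in place."""
    cloud = FakeCloud()
    client = CachingClient(cloud.resolve, cloud.connect)
    first = client.connect("shop.example")   # fills the cache
    cloud.churn()                            # IP now fronts a different customer
    second = client.connect("shop.example")  # mismatch -> re-resolve -> success
    return first, second, cloud.resolve_calls, list(client.log)


def mismatch_without_dns_change_is_surfaced() -> bool:
    """If DNS still points at the mismatching IP, the error must not be hidden."""
    cloud = FakeCloud()
    cloud.elb["203.0.113.10"] = "other-customer.example"  # wrong cert, same DNS
    client = CachingClient(cloud.resolve, cloud.connect)
    try:
        client.connect("shop.example")
    except HostnameMismatch:
        return cloud.resolve_calls == 2  # exactly one refresh, then raised
    return False


if __name__ == "__main__":
    for line in run_churn_scenario()[3]:
        print(line)
```

The retry is bounded to one fresh lookup per connection attempt, which is the same budget the report describes for the existing connection-failure path; anything beyond that would turn a persistent mismatch into a resolver hammering loop.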


5 years ago
See Also: → bug 151929
Component: General → Networking: DNS
Product: Firefox → Core
Whiteboard: [lame-network]
This happens a lot for Travis CI servers too.
Whiteboard: [lame-network] → [lame-network], [dns]
Whiteboard: [lame-network], [dns] → [lame-network], [dns] [necko-backlog]