Bug
Resolution: Done
Minor
rhel-8.6.0
rhel-sst-security-crypto
ssg_security
Crypto24Q2, Crypto24Q3
Unspecified Release Note Type - Unknown
x86_64
What were you trying to do that didn't work?
Access an internal website from Firefox ESR.
That works with Google Chrome, Chromium, curl and openssl.
Please provide the package NVR for which bug is seen:
$ rpm -qa | grep -i firefox
firefox-91.8.0-1.el8_5.x86_64
How reproducible:
Go to a website that has a certificate with multiple DNS Name entries. The second-to-last entry contains comma delimiters inside. The last is the good one.
Example (Subject Alt Names), DNS Names:
- sub1.internal.lan
- sub1.eu.internal.lan
- sub1
- sub0.internal.lan
- sub0.eu.internal.lan
- app.internal.lan,sub0.internal.lan,sub0.eu.internal.lan,sub0,sub1.internal.lan,sub1.eu.internal.lan,sub1
- app.internal.lan
Steps to reproduce
- Create a website certificate with the exact order of DNS Name entries given above
- Go to https://app.internal.app
- Get Error code: SSL_ERROR_BAD_CERT_DOMAIN
Expected results
Can navigate on the website without "Warning: Potential Security Risk Ahead" or errors.
Actual results
Warning: Potential Security Risk Ahead
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for app.internal.lan. The certificate is only valid for the following names: sub1.internal.lan, sub1.eu.company.lan, sub1, sub0.internal.lan, sub0.eu.company.lan, sub0, hril.internal.lan,sub0.internal.lan,sub0.eu.company.lan,sub0,sub1.internal.lan,sub1.eu.company.lan,sub1, app.internal.lan
Error code: SSL_ERROR_BAD_CERT_DOMAIN
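
A pre-issuance check for the certificate described above, as an added example that is not part of the original report and does not reproduce Firefox's or NSS's matching logic: it flags any Subject Alt Name DNS entry that is not a single syntactically valid hostname and lists which well-formed entries match the requested host. The function names and the hostname syntax rule used here (letter/digit/hyphen labels, optional left-most wildcard) are assumptions of this example.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen; 1-63 chars.
LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# SAN DNS Name entries, in the order given in the report.
SAN_DNS_NAMES = [
    "sub1.internal.lan",
    "sub1.eu.internal.lan",
    "sub1",
    "sub0.internal.lan",
    "sub0.eu.internal.lan",
    "app.internal.lan,sub0.internal.lan,sub0.eu.internal.lan,sub0,"
    "sub1.internal.lan,sub1.eu.internal.lan,sub1",
    "app.internal.lan",
]

def is_valid_dns_name(name):
    """True if name is one syntactically valid hostname (left-most '*' allowed)."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]
    return all(LABEL.fullmatch(label) for label in labels)

def lint_san(names):
    """Return (index, entry, reason) for every entry that is not one valid DNS name."""
    findings = []
    for i, entry in enumerate(names):
        if is_valid_dns_name(entry):
            continue
        reason = ("several names packed into one entry" if "," in entry
                  else "not a valid DNS name")
        findings.append((i, entry, reason))
    return findings

def matching_entries(hostname, names):
    """Indexes of well-formed entries that exactly match hostname, ignoring case."""
    host = hostname.lower().rstrip(".")
    return [i for i, n in enumerate(names)
            if is_valid_dns_name(n) and n.lower().rstrip(".") == host]

if __name__ == "__main__":
    for i, entry, reason in lint_san(SAN_DNS_NAMES):
        print(f"entry {i}: {reason}: {entry}")
    print("exact matches for app.internal.lan:",
          matching_entries("app.internal.lan", SAN_DNS_NAMES))
```

Running the check on the SAN list before the certificate is signed catches the comma-joined entry while it can still be split into separate DNS Name entries.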