[Bug 429274] [NEW] SSL certificate validation broken

[Thorsten Glaser]

Public bug reported:

Kubuntu Hardy, firefox 3.0.14 (today’s update)

You need to have CAcert.org’s Root CA Certificate imported for this.

https://msoent.blog.tarent.de/

Konqueror → works
Firefox → ssl_error_bad_cert_domain

The certificate itself has:
CN: *.blog.tarent.de
X.509v3 subjectAltName: DNS:blog.tarent.de

Apparently, nss only “sees” the subjectAltName? This works with Konqueror (as stated),
Lynx. Interestingly, Opera 10 seems to have similar issues.

Certificate dump:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 486942 (0x76e1e)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support at cacert.org   
        Validity
            Not Before: Sep 14 10:10:58 2009 GMT
            Not After : Sep 14 10:10:58 2011 GMT
        Subject: C=DE, ST=Nordrhein-Westfalen, L=Bonn, O=Tarent GmbH, CN=*.blog.tarent.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2560 bit)
                Modulus (2560 bit):
                    00:ac:6e:1b:36:6d:52:2d:87:e9:34:5d:dc:85:b1:
                    e0:a1:b2:f0:b3:21:2a:a5:40:7a:b6:3d:fa:be:fb:
                    80:ea:14:94:f5:04:39:7e:e8:d7:4b:5a:24:1f:62:
                    d8:b6:6a:14:95:7b:53:18:50:00:fd:25:68:ca:35:
                    b8:db:7b:26:48:47:d0:d7:11:5c:f6:59:66:1d:f6:
                    2c:80:5c:13:53:37:57:1c:58:d5:9b:b1:28:dc:b1:
                    98:77:bc:0d:ba:0d:80:3b:e1:89:80:63:c8:dd:fc:
                    4e:6d:bb:dc:f3:c7:de:df:33:88:c4:64:df:9f:99:
                    38:b7:a7:43:d5:3b:e9:bc:3d:8f:27:0a:99:1c:d6:
                    44:d5:b7:5b:67:59:47:9d:70:75:0f:8f:9e:e4:4a:
                    93:cb:f4:56:ad:81:e6:9a:f9:8c:ea:ae:bb:75:7b:
                    78:db:a1:98:5b:4e:12:25:b4:af:10:38:ca:fe:2a:
                    7d:b4:60:95:76:47:62:0b:db:9a:c4:94:4e:00:20:
                    16:88:ed:c3:6f:72:06:79:95:81:9d:b3:da:5f:6a:
                    7b:a8:99:52:ca:04:a2:bc:0e:04:05:85:8f:fc:73:
                    ba:25:4f:a0:bb:11:e9:b1:97:21:4d:55:f1:83:30:
                    22:c6:47:fa:e0:8a:72:8d:de:b7:b2:d2:14:25:73:
                    d4:55:3e:e4:5f:48:62:70:72:10:bf:d1:e7:a8:67:
                    0a:2b:d6:65:21:7c:f6:66:dd:47:60:34:46:3d:0b:
                    26:1d:56:41:26:6c:35:c5:9b:cb:fe:46:7a:b5:2a:
                    ee:e2:67:9b:38:08:4a:71:aa:ef:35:2b:c4:b3:61:
                    ec:9e:7f:be:58:69
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            Authority Information Access:
                OCSP - URI:http://ocsp.cacert.org/

            X509v3 Subject Alternative Name:
                DNS:blog.tarent.de
    Signature Algorithm: sha1WithRSAEncryption
        0b:60:73:ef:d0:75:16:bc:06:7b:0f:07:c9:56:a1:d6:b0:c9:
        da:3d:15:b5:85:92:88:4a:3b:d7:aa:e0:02:8d:91:76:83:b6:
        ee:c3:54:75:b3:f1:fa:ea:4f:e0:96:2b:64:d8:f2:fd:88:6d:
        19:5b:3b:10:a7:c5:4a:3c:30:47:fb:6b:0c:04:54:8e:1f:cb:
        a5:58:eb:a9:3c:ae:64:ec:24:37:e2:47:41:d2:6c:c8:9f:8d:
        c0:a9:32:6e:5e:cf:6c:6e:fb:07:da:aa:22:72:4c:c7:c0:5d:
        ea:a9:0a:9d:a6:63:f5:88:da:9c:ab:d1:d5:90:ed:19:ed:d9:
        1e:36:70:6c:14:24:14:28:ee:19:2d:1a:83:17:69:9f:9e:4b:
        4c:a0:b6:96:6e:43:7a:a6:da:38:47:65:74:45:ce:5d:db:36:
        bc:9d:8c:a0:57:68:52:f9:28:af:be:19:50:a8:20:a3:5f:b5:
        cc:61:93:ad:b2:cc:b3:60:ea:c0:68:86:d9:95:1a:d6:77:c9:
        18:c9:26:ef:48:1a:30:4c:50:98:8c:16:cb:9a:06:f4:80:41:
        1f:86:3a:c1:4f:ac:be:de:cd:2b:98:89:42:d2:04:8f:67:57:
        c4:4b:cc:e3:ca:6e:c1:ad:a8:3c:67:dc:d7:04:cc:5a:bc:41:
        54:ee:db:32:ed:62:8a:d6:b1:59:dd:32:ce:6a:25:e2:5f:8f:
        da:d9:5d:eb:76:f3:dc:9e:cf:af:2e:b8:e6:67:6e:ec:28:f3:
        7a:9f:f5:02:a3:d2:ff:25:53:71:02:a0:12:3d:8c:78:0c:6f:
        8c:e5:41:ea:67:73:52:29:55:ce:47:f3:16:dd:72:e0:b9:78:
        c3:e0:63:d8:60:c6:17:eb:8f:6e:be:f3:6b:0f:bd:ac:1f:2c:
        6e:93:ad:6e:79:92:cb:c0:c4:e0:60:b3:6a:6e:5f:c0:b6:04:
        d8:4f:06:6e:5c:ec:fa:4b:bd:92:ba:40:52:3b:a4:a1:d2:d2:
        b1:02:63:c6:2f:1d:b3:25:5c:93:fe:31:8f:5c:9c:3b:47:ba:
        64:45:fb:30:d8:10:57:6a:d1:79:6b:d0:78:3a:d9:1f:f8:df:
        2a:cd:31:4c:62:ee:f9:1f:ca:6e:91:76:77:69:26:d6:f1:3d:
        ea:9f:85:12:19:e3:4a:99:cb:93:99:5e:33:b0:66:7f:5e:6f:
        e4:aa:a7:e2:6e:2f:83:69:a2:ad:34:f5:8b:9e:c7:96:b1:26:
        b8:9d:4d:32:77:3b:ac:4d:6e:9d:fb:25:dd:15:12:98:28:b4:
        ff:f3:82:13:98:05:1c:e5:55:d5:37:48:c0:ef:ad:74:03:af:
        95:96:fa:15:9b:47:ee:13

** Affects: firefox-3.0 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
SSL certificate validation broken
https://bugs.launchpad.net/bugs/429274
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs