Bruce Keats wrote:

Hi,

I started using Firefox 3 and I am now getting errors connecting to intranet sites that were OK in Firefox 2. We have our own intranet and we have a CA that issues server certs and user certs. I have loaded the CA certs, and the CA certs are visible under the "Authorities" tab (Preferences->Advanced->Encryption->View Certificates), and "This certificate can identify web sites" is checked. In Firefox 2, this was sufficient to stop the warnings, but with Firefox 3, I now get the ssl_error_bad_cert_domain error. I can go through the motions and add an exception, but this is a pain to do for each of the servers. If I manually add the exception, will this permanently bypass all the other cert checking (valid dates, revocation, etc.)? If I "Get Certificate" when I manually "Add Security Exception", it seems that Firefox complains about "Certificate Status" and "Wrong Site". Under "Certificate Status", it says "This site attempts to identify itself with invalid information", but I can't understand why, because Firefox has the CA certs, so it should be able to validate the cert. Under "Wrong Site" it says "Certificate belongs to a different site which could indicate an identity theft", and I might be able to accept that because the URL is different than that found doing a reverse DNS lookup. How can I get Firefox to stop complaining about the certificates for intranet sites? Is there something I need to place in the server certs?

Yes, certificates are normally valid for specific websites only. The sites they are valid for are listed specifically in the certificate itself (most certs are good for exactly one site, but it's legal to make certs good for a specific list of sites).
In Firefox 2.0, it was using a general override. When you accepted a certificate, that certificate was considered good for SSL, period. It appears you were using this for your intranet websites, giving the same certificate to all your servers (or to servers that had multiple aliases). The problem with this is it could create a security issue. Users did not understand that it was granting global SSL privilege for the whole cert (if they understood the certificate at all). This means a phisher could get his cert trusted by convincing users to visit his website. For many intranet users, the continual request to 'enable this cert' trained them to click through those dialogs. The phisher could then pretend to be some commercial website without notice given to the users.
Your best bet if you are managing a bunch of intranet sites is to create a root cert for your intranet and have your users download and trust that... then issue real SSL certs with the proper network name(s) in either the subject alt name field (preferred) or the CN of the subject name (acceptable if there is only one). There's a new open source project based on an old product that can help you manage that here: http://pki.fedoraproject.org/wiki/PKI_Main_Page. This will remove all the exception cases (which is preferable; you really don't want to acclimatize your users to ignoring certificate warnings...).
bob
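The procedure Bob describes, as an added example that is not part of the thread and not the Fedora/Dogtag PKI project's own tooling: a private root CA, a server certificate that lists every hostname the server answers to in subjectAltName, and a chain-plus-hostname check that reproduces what Firefox 3 is objecting to. The CA name, the hostnames (wiki.example.internal and friends) and the certificate lifetimes are assumptions for illustration; it needs only the openssl command-line tool (1.0.2 or later for -verify_hostname).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): private intranet CA,
# multi-name server cert via subjectAltName, and a name-matching check.
# All names below are hypothetical.
set -e
WORK="${WORK:-$(mktemp -d)}"

# make_ca: self-signed root the users import once (Firefox: Authorities tab,
# "This certificate can identify web sites").
make_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Intranet Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -config "$WORK/ca.cnf" 2>/dev/null
}

# issue_cert <primary-name> [alias ...]: server cert whose SAN carries the
# primary name AND every alias, so one cert legitimately covers all of them.
issue_cert() {
  primary="$1"; shift
  san="DNS:$primary"
  for alias in "$@"; do san="$san,DNS:$alias"; done
  cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$primary" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  # Sign with the CA; -extfile supplies the SAN, which the CSR does not carry.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 397 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# check_name <hostname>: "ok" only if the chain validates against ca.crt AND
# the hostname matches a SAN entry; otherwise "bad_cert_domain", the
# condition Firefox reports as ssl_error_bad_cert_domain.
check_name() {
  if openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$1" \
       "$WORK/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo bad_cert_domain
  fi
}

# list_sans: show which names the issued certificate is actually good for.
list_sans() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -A1 'Subject Alternative Name'
}

make_ca
issue_cert wiki.example.internal wiki intranet.example.internal
list_sans
echo "wiki.example.internal:     $(check_name wiki.example.internal)"
echo "intranet.example.internal: $(check_name intranet.example.internal)"
echo "mail.example.internal:     $(check_name mail.example.internal)"
```

The third check fails even though the CA is trusted, which is exactly Bruce's situation: trust in the issuer settles "Certificate Status", but "Wrong Site" is decided by the names in the certificate, so a shared cert has to list every hostname (including short aliases and any reverse-DNS name users might type). Firefox matches against the SAN dNSName entries and only falls back to the subject CN when no SAN is present, so put the names in the SAN rather than relying on the CN.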
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto