[Mozilla Enterprise] subjectAltName warning for imported roots
Roest, Lennert
l.j.roest at dji.minjus.nl
Fri Feb 5 10:54:30 UTC 2021
In our enterprise, SSL certificates with a valid subjectAltName field are required for all webservers, and we want to be able to show (test/prod) users a warning when this is not the case.
However, with current Firefox ESR78 this does not seem possible: it seems to always ignore a missing subjectAltName (and fall back to CN) for websites signed with an internal/imported root.
The default setting security.pki.name_matching_mode = 3 (only use name information from the subject alternative name extension) does not work for imported roots.
It seems this was introduced a few years ago, in order not to break too many internal websites at that time: https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
Would it be possible on ESR78 to show this warning also for sites signed with imported roots?
(either with a group policy option, or by default like Edge/Chrome)
For reference, Edge/Chrome do show a warning for all https sites without subjectAltName (NET:ERR_CERT_COMMON_NAME_INVALID)
Chrome removed the CN fallback by default since v58: https://developers.google.com/web/updates/2017/03/chrome-58-deprecations#remove_support_for_commonname_matching_in_certificates
It had an optional Enterprise policy to enable CN fallback for local roots, which was deprecated as of v65: https://cloud.google.com/docs/chrome-enterprise/policies/?policy=EnableCommonNameFallbackForLocalAnchors
Regards,
Lennert Roest
Desktop Hosting 2 Acceptatie
Shared Service Center ICT
Ministerie van Justitie en Veiligheid.
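As an added illustration (not code from the post, from Firefox or from Chrome), the check below implements the two name-matching behaviours the post contrasts: strict SAN-only matching, which is what security.pki.name_matching_mode = 3 is documented to mean, and CN fallback when the subjectAltName extension is absent, the behaviour the post observes for imported roots. The certificates are constructed samples in the dict shape Python's ssl.SSLSocket.getpeercert() returns; the function names are assumptions of this example.

```python
"""Hostname matching with and without CN fallback, to audit internal certs."""


def _label_match(pattern, hostname):
    """RFC 6125 style match: a wildcard is only honoured as the whole leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension (empty if the extension is absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """All commonName values in the subject, in order."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_name(cert, hostname, san_only=True):
    """Return (matched, via); via is 'SAN', 'CN' or None.

    san_only=True is strict SAN-only matching (name_matching_mode = 3).
    san_only=False allows CN fallback, but only when the cert has no SAN
    extension at all; a present-but-non-matching SAN never falls back to CN.
    """
    sans = san_dns_names(cert)
    if any(_label_match(p, hostname) for p in sans):
        return True, "SAN"
    if sans or san_only:
        return False, None
    if any(_label_match(p, hostname) for p in common_names(cert)):
        return True, "CN"
    return False, None


def needs_san_warning(cert, hostname):
    """True when the cert only passes because of CN fallback: the case the post wants flagged."""
    return check_name(cert, hostname, san_only=False)[1] == "CN"


# Constructed sample certificates (getpeercert() dict shape), not real servers.
CERT_WITH_SAN = {
    "subject": ((("commonName", "intranet.example.internal"),),),
    "subjectAltName": (("DNS", "intranet.example.internal"),
                       ("DNS", "*.apps.example.internal")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.internal"),),)}

if __name__ == "__main__":
    for cert, host in ((CERT_WITH_SAN, "portal.apps.example.internal"),
                       (CERT_CN_ONLY, "legacy.example.internal")):
        print(host, check_name(cert, host), "warn:", needs_san_warning(cert, host))
```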