[Mozilla Enterprise] subjectAltName warning for imported roots

Dana Keeler dkeeler at mozilla.com
Fri Feb 5 19:29:11 UTC 2021


Currently, Firefox will always fall back to the subject common name for 
certificates issued from imported roots if necessary - the about:config 
preference doesn't affect this.

Since Chrome removed support for this fallback entirely, though, we can 
do so as well. I filed 
https://bugzilla.mozilla.org/show_bug.cgi?id=1691122 to do this work.

Thank you,
Dana

On 2/5/21 02:54, Roest, Lennert via Enterprise wrote:
> In our enterprise, SSL certificates with a valid subjectAltName field are required for all webservers, and we want to be able to show (test/prod) users a warning when this is not the case.
> 
> However, with current Firefox ESR78 this does not seem possible; it seems to always ignore a missing subjectAltName (and fall back to CN) for websites signed with an internal/imported root.
> The default setting security.pki.name_matching_mode = 3 (only use name information from the subject alternative name extension) does not work for imported roots.
> It seems this was introduced a few years ago, in order not to break too many internal websites at that time: https://bugzilla.mozilla.org/show_bug.cgi?id=1245280
> 
> Would it be possible on ESR78 to show this warning also for sites signed with imported roots?
> (either with a group policy option, or by default like Edge/Chrome)
> 
> For reference, Edge/Chrome do show a warning for all https sites without subjectAltName (NET::ERR_CERT_COMMON_NAME_INVALID)
> Chrome removed the CN fallback by default since v58: https://developers.google.com/web/updates/2017/03/chrome-58-deprecations#remove_support_for_commonname_matching_in_certificates
> It had an optional Enterprise policy to enable CN fallback for local roots, which was deprecated per v65: https://cloud.google.com/docs/chrome-enterprise/policies/?policy=EnableCommonNameFallbackForLocalAnchors
> 
> 
> Regards,
> 
> Lennert Roest
> ........................................................................
> Desktop Hosting 2 Acceptatie
> Shared Service Center ICT
> 
> 
> ________________________________
> 
> This message may contain information that is not intended for you. If you are not
> the addressee or if this message was sent to you by mistake, you are requested
> to inform the sender and delete the message. The State accepts no liability for
> damage of any kind resulting from the risks inherent in the electronic transmission
> of messages.
> 
> Ministerie van Justitie en Veiligheid.
> 
> 
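Added example (not Firefox, Chrome or anyone's code from this thread): a small Python simulation of the name-matching decision the thread is about. It checks subjectAltName dNSNames first, treats a SAN that contains dNSNames as authoritative (RFC 6125 section 6.4.4), and only then asks whether a fallback to the subject CN is permitted. Mode 3 is "SAN only" as the thread states; the meanings I give modes 0, 1 and 2 (always fall back / fall back only for certificates issued before 23 August 2015 / before 23 August 2016) are my recollection of the Firefox preference and are an assumption. The `imported_root_override` flag reproduces the ESR78 behaviour Lennert describes (certificates chaining to an imported root always get the CN fallback); turning it off gives the Chrome-like, no-fallback result. The certificate records in `SAMPLE` are constructed for the example; no real certificates are parsed.

```python
"""Simulated browser hostname matching with and without the CN fallback.

Added example, not browser code. Certificates are modelled as already
parsed records; IP-address SAN entries and other name types are not modelled.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Values of security.pki.name_matching_mode. Mode 3 is as described in the
# thread; the meaning of 0, 1 and 2 is my recollection (assumption).
MODE_ALWAYS_FALLBACK = 0
MODE_FALLBACK_PRE_2015 = 1   # fall back only for certs issued before 2015-08-23
MODE_FALLBACK_PRE_2016 = 2   # fall back only for certs issued before 2016-08-23
MODE_SAN_ONLY = 3            # never consult the subject CN


@dataclass
class Cert:
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)  # dNSName entries; [] = no SAN
    not_before: date = date(2020, 1, 1)
    builtin_root: bool = True  # False = chains to an imported / enterprise root


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style dNSName comparison: case-insensitive, a wildcard only as
    the entire left-most label, matching exactly one label, and never for a
    pattern with fewer than two labels to the right of the wildcard."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or any(l == "" for l in p + h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:  # partial wildcards such as ex*.test are rejected
        return False
    return p == h


def _cn_fallback_allowed(cert: Cert, mode: int, imported_root_override: bool) -> bool:
    if imported_root_override and not cert.builtin_root:
        return True  # ESR78 behaviour from the thread: imported roots always fall back
    if mode == MODE_ALWAYS_FALLBACK:
        return True
    if mode == MODE_FALLBACK_PRE_2015:
        return cert.not_before < date(2015, 8, 23)
    if mode == MODE_FALLBACK_PRE_2016:
        return cert.not_before < date(2016, 8, 23)
    return False


def hostname_matches(cert: Cert, hostname: str, mode: int = MODE_SAN_ONLY,
                     imported_root_override: bool = True) -> bool:
    """True if the certificate's names cover `hostname` under the given policy."""
    if any(dns_name_matches(n, hostname) for n in cert.san_dns):
        return True
    if cert.san_dns:
        return False  # SAN with dNSNames present: CN must not be consulted
    if not _cn_fallback_allowed(cert, mode, imported_root_override):
        return False
    return cert.common_name is not None and dns_name_matches(cert.common_name, hostname)


def audit(certs_by_host: Dict[str, Cert], mode: int = MODE_SAN_ONLY) -> Dict[str, Tuple[bool, bool]]:
    """host -> (accepted with the imported-root override, accepted without it).
    A (True, False) entry is a site that works in ESR78 but warns in Chrome."""
    return {host: (hostname_matches(c, host, mode, True),
                   hostname_matches(c, host, mode, False))
            for host, c in certs_by_host.items()}


# Constructed sample inventory for the example (not real certificates).
SAMPLE = {
    "intranet.example.test": Cert("intranet.example.test", builtin_root=False),          # CN only
    "api.example.test": Cert("api.example.test", ["api.example.test"], builtin_root=False),
    "www.example.test": Cert("www.example.test", builtin_root=True),                     # CN only, public root
    "legacy.example.test": Cert("legacy.example.test", ["other.example.test"], builtin_root=False),
    "app.corp.example.test": Cert("corp.example.test", ["*.corp.example.test"], builtin_root=False),
}

if __name__ == "__main__":
    for host, (esr78, no_fallback) in audit(SAMPLE).items():
        print(f"{host:26} ESR78={esr78!s:5} no-fallback={no_fallback}")
```

In the sample, `intranet.example.test` is the case the thread is about: accepted by ESR78 because its root is imported, rejected once the fallback is removed. `legacy.example.test` shows that a SAN that is present but does not match is rejected everywhere, since the CN is not consulted when a SAN with dNSNames exists.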

