With respect to the x509v3 Subject Alt Name, what EXACTLY is Firefox 38+ (v38.2.1- v38.4) doing in its certificate format checks?
Given that all other attributes in my server certificates are the same, this works (I can access my webpage): Subj: cn=my.friendlydomainname.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9
but, this doesn't: (yields "security library: improperly formatted DIR-encoded message (Error code: sec_error_bad_der)") Subj: cn=my.domain.com,ou=suborg,ou=suborg,ou=suborg,o=org,c=country SubjectAltName: DNS:my.ugly.fullyqualifieddomainname.com.,DNS:my.friendlydomainname.com.,DNS:my.ugly.fullyqualifieddomain.name.com,DNS:my.friendlydomainname.com,DNS:6.7.8.9,IPAddress:6.7.8.9
I can successfully look up all Subject Alt Names in DNS.
Is there a way to see more error detail than the simple sec_error_bad_der message?
The request comes from FF38 in either Windows 7 or CentOS 6. The web server is hosted on CentOS 6.
Alle Antworten (1)
Also noticed: If FF fails the first object in the SAN list, it doesn't seem to iterate over the rest (MUST per RFC 2459). I also had a connection fail because the first name in the SAN list was not in DNS. Once it was added to DNS, I could connect.