Re: Potential Bug: IE 7 and SSL certificate handling.



Alun,

Great answer, and although not what I had hoped would be the case, I thank
you for it. Based upon your cite, clearly IE 7 follows the standard
properly and the others do not. My conclusion was wrong.

Arguably, however, the RFC 2818 standard should be modified, at least to the
degree that it acknowledges the predating de facto standard for web site
access over HTTP, which has historically been the use of a www subdomain
(albeit that is in HTTP, but then HTTPS is just a secure layer upon which
HTTP rides, so it is not all that outrageous to consider).

My feeling is that wildcard subdomains for HTTPS should at least be extended
such that a.sld.tld should reasonably also cover www.a.sld.tld. I suppose
the other browser companies felt that way too and thus "bent" the standard a
bit to accommodate that historic convention. Perhaps these other companies
would consider it a "standards extension" to their products.

While strictly speaking, ignoring standards is a no-no (or as you say,
"not cool"), in this case I think that it is understandable. I do not think
that such an action would compromise security, because the basic underlying
settings that make wildcarding possible are addressed within DNS and at the
secure host header level on the server.

Again, thank you for your clear answer. I already adjusted the site to
accommodate what I considered an IE 7 "bug", so the issue will not be
problematic here (though a bit inconvenient). Now I suppose that I am happy
to find that my "fix" follows the intended standard after all. So, I guess
if the other browsers need to "downgrade" their "standards extension", it
will not cause any issues around here.

My sincere apologies to the community for raising what appears to be a false
alarm.

-Commerce

"Alun Jones" wrote:

Not a bug - this is the way that the HTTPS protocol is supposed to work, and
those other browsers are being insecure by allowing wildcards to work in
that way. Here's the quote from RFC 2818 (HTTP over TLS):

"Matching is performed using the matching rules specified by
[RFC2459]. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com."

So, there you have it - "*.a.com matches foo.a.com, but not bar.foo.a.com" -
you're asking Microsoft to break the standards for the trifling reason that
everyone else does it wrong. Not cool. Report the bugs in those other
browsers, and see if they fix them.

Alun.
~~~~

"Commerce" <Commerce@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:F1042725-B190-415A-9097-2BF2357D2A52@xxxxxxxxxxxxxxxx
NOTE: A version of this was also posted yesterday in the IE 7 forum.
Unfortunately I received no useful responses, so I thought this might be an
alternative place, as it regards SSL (thus security) in IE 7. Sorry for the
crosspost, but I think it is a problem that should be resolved (or at least
answered).

Description of Potential Bug:
MS IE 7.0 fails to act properly in dealing with SSL wildcard certificates in
certain situations. A wildcard SSL certificate should be valid for both
subdomain.domain.tld as well as www.subdomain.domain.tld - such processing
for wildcard certificates probably should be valid for any valid DNS
creatable subdomain (e.g., www.foo.bar.domain.tld ) of a valid domain name
(e.g., domain.tld) for which the wildcard certificate was created.

Obviously, care should be used in handling what constitutes a valid domain
(e.g., *.tld should probably never be valid for a wildcard certificate issued
for a top level domain, or issues in certain country code naming scenarios),
but those issues extend beyond the scope of this report.

Problem Scenario:
After successfully installing a wildcard SSL cert for a domain (e.g.,
*.domain.tld ) for both an IIS 5.0 (Windows 2000) platform and an IIS 6.0
(Windows 2003) platform, IE 7.0 fails to treat the wildcard SSL certificate
as being valid for both www.subdomain.domain.tld and subdomain.domain.tld
names. Instead it only accepts the subdomain.domain.tld variant as
acceptable. In this particular scenario, the domain happens to be a two
letter .com name.

Suggestion of Potential Bug:
This problem does not occur in other browsers (e.g., Firefox, Opera), where
those browsers accept both the subdomain.domain.tld and
www.subdomain.domain.tld variants as acceptable for the SSL certificate. As
such, in both of the abovementioned browsers, the replication actions
suggested below work as expected.

Replication Actions:
For a domain using a wildcard SSL certificate (e.g., *.domain.tld )
successfully installed on a late model IIS server -

When accessing foo.domain.tld as https://foo.domain.tld in IE 7.0 - normal
access as expected to a page with SSL enabled.

When accessing www.foo.domain.tld as https://www.foo.domain.tld in IE 7.0 -
an error occurs indicating that the certificate is invalid for the domain.
Expected results would be a working https page result with secure SSL
engaged, based upon both the results from other browsers and definition
expectations for a wildcard SSL certificate.
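The RFC 2818 matching rule quoted in Alun's reply (`*.a.com` matches `foo.a.com` but not `bar.foo.a.com`; `f*.com` matches `foo.com` but not `bar.com`), as an added example that is not part of the original thread and not any browser's code: a small Python matcher that implements the strict one-label-per-`*` rule the thread says IE 7 follows, plus a `strict=False` mode that reconstructs the looser behaviour the original post attributes to Firefox and Opera of the time, where `*.domain.tld` also covers `www.foo.domain.tld`. The function names, the `strict` flag, the rejection of a bare `*.tld` pattern, and the host names are assumptions made for illustration; the host names are the placeholders used in the thread.

```python
import re


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label against a certificate label that may contain '*'.

    RFC 2818: '*' matches "any single domain name component or component
    fragment". So '*' matches 'foo', 'f*' matches 'foo' but not 'bar', and
    because names are split on '.' before we get here, '*' can never
    swallow a dot.
    """
    parts = pattern_label.split("*")
    regex = "^" + ".*".join(re.escape(p) for p in parts) + "$"
    return re.match(regex, host_label) is not None


def match_hostname(pattern: str, hostname: str, strict: bool = True) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    strict=True  : RFC 2818 behaviour (what the thread says IE 7 does):
                   same number of labels on both sides, '*' spans one label.
    strict=False : the looser behaviour the original post attributes to
                   other browsers of the time: a leading '*' also absorbs
                   surplus leading labels, so '*.domain.tld' covers
                   'www.foo.domain.tld'. (Assumed reconstruction for this
                   example, not any browser's actual code.)
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False  # empty name, or an empty label such as 'foo..com'

    # Heuristic assumed for this example: a bare leading '*' must be followed
    # by at least two literal labels, so '*.com' / '*.tld' never matches.
    # The original post notes that such certificates should never be valid.
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False

    if not strict and p_labels[0] == "*" and len(h_labels) > len(p_labels):
        # Loose mode: drop the surplus leading host labels so the leading '*'
        # effectively eats 'www.foo' instead of just 'foo'.
        surplus = len(h_labels) - len(p_labels)
        h_labels = h_labels[surplus:]

    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(dns_names, hostname: str, strict: bool = True) -> bool:
    """RFC 2818: with several dNSName entries, a match on any one is enough."""
    return any(match_hostname(name, hostname, strict) for name in dns_names)


def thread_scenario() -> dict:
    """The two URLs from the original post checked against '*.domain.tld'.

    Constructed input using the thread's placeholder names, not a real cert.
    """
    san = ["*.domain.tld"]
    return {
        "foo.domain.tld (strict)": cert_covers(san, "foo.domain.tld"),
        "www.foo.domain.tld (strict)": cert_covers(san, "www.foo.domain.tld"),
        "www.foo.domain.tld (loose)": cert_covers(san, "www.foo.domain.tld", strict=False),
    }


if __name__ == "__main__":
    for name, ok in thread_scenario().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Two caveats a practitioner should keep in mind: the later RFC 6125 (and every modern browser and TLS library) narrowed this further, allowing the wildcard only as the complete left-most label, so a fragment pattern such as `f*.com` from the RFC 2818 example is no longer accepted in practice; and the `*.tld` rejection above is a simple label-count heuristic, whereas real validators consult the public suffix list, so `*.co.uk` would still pass here.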