Bruce Keats wrote, On 2008-07-02 12:35:

> I started using firefox 3 and I am now getting errors connecting to 
> intra-net sites that were OK in firefox 2.

I don't recall any changes in that area between FF2 and FF3.  We discussed
making some changes, but didn't actually make them because we believed it
would introduce too many incompatibilities. (see bug 159483)

> We have our own intra-net and we have a CA that issues server certs and
> user certs.  I have loaded the CA certs and the CA certs are visible
> under "Authorities" tab (Preferences->Advanced->Encryption->View
> Certificates) and the "This certificate can identify web sites" is
> checked.  In firefox 2, this was sufficient to stop the warnings, but
> with firefox 3, I now get ssl_error_bad_cert_domain error.

That error means one thing: the name(s) in the cert do not match the
name (or IP address) of the server given in the URL.  Nothing you can
do to any Issuer cert will overcome the fact that the server cert
doesn't have the desired server name in it in the right place.

> I can go through the motions and add an exception, but this is a pain to
> do for each of the servers.

Yup.  A much better solution is to ensure that the cert has the host name
used in the URL, and vice versa.

> If I manually add the exception will this permanently bypass all the 
> other cert checking (valid dates, revocation, etc.)?

I believe so, yes.

> How can I get firefox to stop complaining about the certificates for 
> intra-net sites?  Is there something I need to place in the server
> certs?

Ensure that the cert has the hostname used in the URL, and vice versa.
Pay attention to FQDNs.  If the cert's host name is an FQDN, then the
host name in the URL must be an FQDN.

Reverse DNS lookups are irrelevant.  They play no role whatsoever in
matching the hostname given in the URL to the name in the cert.

Don't forget that if you have host names in the Subject Alternative Name
extension, then ALL the names in the cert belong there, not all-but-one.
But this is no different than it was in FF2.

> Bruce

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
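The matching rule Nelson describes (the URL host must appear in the cert, SAN names take precedence over the CN, FQDN must match FQDN, IP literals only match an iPAddress entry, and DNS lookups play no part) can be written down as a small checker. The code below is an added example, not code from the thread or from Mozilla; `CertNames` is a constructed stand-in for the identity fields a real X.509 parser would return, and the wildcard handling goes slightly beyond the thread by implementing the usual RFC 6125 left-most-label rule.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertNames:
    """Identity fields of a server cert (constructed for this example;
    a real parser would fill these from the Subject and SAN extension)."""
    common_name: Optional[str]
    san_dns: List[str] = field(default_factory=list)   # dNSName entries
    san_ip: List[str] = field(default_factory=list)    # iPAddress entries


def _dns_name_match(pattern: str, host: str) -> bool:
    """Case-insensitive comparison of one presented name with the URL host.
    A lone '*' as the whole left-most label matches exactly one label,
    so 'intranet' never matches 'intranet.example.corp' (FQDN vs. short name)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == pattern[2:]
    return False


def check_host(cert: CertNames, url_host: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the host-name check behind
    ssl_error_bad_cert_domain.  Only the cert and the URL host are
    consulted: no forward or reverse DNS lookup is performed."""
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal in the URL can only be satisfied by an iPAddress SAN.
        for san in cert.san_ip:
            if ipaddress.ip_address(san) == ip:
                return True, f"matched SAN iPAddress {san}"
        return False, f"{url_host} is an IP literal and the cert has no matching iPAddress SAN"

    if cert.san_dns:
        # SAN present: ALL acceptable names must be listed there; CN is ignored.
        for name in cert.san_dns:
            if _dns_name_match(name, url_host):
                return True, f"matched SAN dNSName {name}"
        return False, (f"{url_host} not among SAN dNSName {cert.san_dns}"
                       f" (CN={cert.common_name!r} is ignored once a SAN is present)")

    # No SAN: fall back to the Subject CN.
    if cert.common_name and _dns_name_match(cert.common_name, url_host):
        return True, f"matched CN {cert.common_name}"
    return False, f"{url_host} does not match CN {cert.common_name!r} and the cert has no SAN"


if __name__ == "__main__":
    # Constructed sample certs illustrating the cases from the thread.
    cn_only = CertNames("intranet.example.corp")
    san_cert = CertNames("wiki.example.corp", san_dns=["mail.example.corp"])
    ip_cert = CertNames("intranet.example.corp", san_ip=["10.0.0.5"])
    for cert, host in [(cn_only, "intranet"),               # short name vs FQDN
                       (cn_only, "intranet.example.corp"),  # exact FQDN
                       (san_cert, "wiki.example.corp"),     # CN not in SAN
                       (cn_only, "10.0.0.5"),               # IP without iPAddress SAN
                       (ip_cert, "10.0.0.5")]:
        print(host, "->", check_host(cert, host))
```

Running the sample shows the two traps from the thread: a short host name in the URL does not match an FQDN in the cert, and a name that sits in the CN but was left out of a non-empty SAN list is rejected even though it is "in the cert".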
